
Feat: (API Gateway) Globals Api Cors should allow headers as well

Open rhboyd opened this issue 6 years ago • 3 comments

Description: When I use

Globals:
  Function:
    Timeout: 30
  Api:
    EndpointConfiguration: REGIONAL
    Cors: "'*'"
    Auth:
      DefaultAuthorizer: MyLambdaRequestAuthorizer
      Authorizers:
        MyLambdaRequestAuthorizer:
          FunctionPayloadType: REQUEST
          FunctionArn: !GetAtt AuthorizerFunction.Arn
          Identity:
            Headers:
              - Authorization
            ReauthorizeEvery: 100 # seconds

The headers for Access-Control-Allow-Origin and Access-Control-Allow-Methods are added to the swagger doc for the preflight OPTIONS requests, but headers for Access-Control-Allow-Headers are not added. This is a blocker for Twitch extensions because they send signed JWTs in a header named Authorization so Twitch Extension authors are forced to define their entire API via swagger.

Even when using a Lambda Authorizer and specifying an Authorization header, the requests are rejected because Authorization isn't included in an Access-Control-Allow-Headers header. I end up having to specify the whole swagger document myself, which makes SAM's API generation feature significantly less useful.

Steps to reproduce the issue:

  1. sam init ....
  2. add the api description shown above
  3. deploy the template
  4. Attempt to send a request to the deployed api with an Authorization header

Observed result: "Authorization" is not listed in Access-Control-Allow-Headers and the request is blocked.

Expected result:

{
  statusCode: 200,
  body: "GREAT SUCCESS!!!!"
}

rhboyd avatar Sep 21 '19 16:09 rhboyd

In the example, you’re using the shorthand form of enabling CORS. Have you considered using the object form? The form taking only a single string – the origin – is (AIUI) for common or simple cases, which it looks as though you don’t have.

I think that would look like this for you, minimally:


Cors:
  AllowOrigin: "'*'"
  AllowHeaders: "'Authorization'" # And any others you discover are necessary.

Note the doubled-up quoting, though!

chrisoverzero avatar Sep 21 '19 22:09 chrisoverzero

Wow! That looks like it solves my problem. But I still think the short form should work when I add the Auth information. The SAM Macro has all of the information it would need to add that header and it can easily be inferred that if I say both “I want CORS” and “expect this header” then I would want that header from a CORS request as well.

rhboyd avatar Sep 21 '19 23:09 rhboyd
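The inference rhboyd asks for above (SAM has both the Cors setting and the authorizer's Identity.Headers, so it could tell that the preflight must allow that header) and chrisoverzero's object-form fix, written out as an added Python example that is not part of this thread or of SAM itself. It takes the Globals.Api block as an already-parsed dict (the two sample blocks inside it are constructed from the two comments above, with the !GetAtt replaced by a placeholder string), strips SAM's doubled quoting, and lists the authorizer identity headers a browser preflight would still reject. It also applies the Fetch rule that `*` in Access-Control-Allow-Headers is honoured only for requests without credentials and never covers Authorization, which is why `AllowHeaders: "'*'"` would not have been a fix either.

```python
"""Lint for SAM Globals.Api: do the CORS AllowHeaders cover the headers the
Lambda authorizers read?  Added example, not SAM's own code; SAM performs no
such check (that is what this issue is about)."""

# Fetch standard: "*" in Access-Control-Allow-Headers is a wildcard only for
# requests without credentials, and Authorization must always be listed
# explicitly, wildcard or not.
NEVER_WILDCARDED = {"authorization"}

# Constructed from the issue body: shorthand CORS plus a request authorizer.
# "!GetAtt AuthorizerFunction.Arn" is replaced by a placeholder string.
ISSUE_API = {
    "EndpointConfiguration": "REGIONAL",
    "Cors": "'*'",
    "Auth": {
        "DefaultAuthorizer": "MyLambdaRequestAuthorizer",
        "Authorizers": {
            "MyLambdaRequestAuthorizer": {
                "FunctionPayloadType": "REQUEST",
                "FunctionArn": "arn:aws:lambda:placeholder",  # assumption
                "Identity": {"Headers": ["Authorization"], "ReauthorizeEvery": 100},
            }
        },
    },
}

# Constructed from chrisoverzero's reply: object form with AllowHeaders.
FIXED_API = dict(ISSUE_API, Cors={"AllowOrigin": "'*'", "AllowHeaders": "'Authorization'"})


def strip_sam_quotes(value: str) -> str:
    """SAM copies Cors values verbatim into the generated OPTIONS integration's
    response-parameter mapping, where API Gateway wants a quoted literal, hence
    the doubled quoting in the template: "'Authorization'" -> Authorization."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == "'":
        value = value[1:-1]
    return value.strip()


def normalize_cors(cors) -> dict:
    """Expand SAM's shorthand (a bare origin string) into the object form."""
    if cors is None:
        return {}
    if isinstance(cors, str):
        return {"AllowOrigin": cors}
    return dict(cors)


def allowed_headers(cors) -> set:
    """Lower-cased header names the generated preflight would advertise."""
    raw = normalize_cors(cors).get("AllowHeaders")
    if raw is None:
        return set()
    return {h.strip().lower() for h in strip_sam_quotes(raw).split(",") if h.strip()}


def authorizer_headers(api: dict) -> dict:
    """Map lower-cased name -> name as written in Auth.Authorizers.*.Identity.Headers."""
    names = {}
    for authorizer in api.get("Auth", {}).get("Authorizers", {}).values():
        for header in authorizer.get("Identity", {}).get("Headers", []):
            names.setdefault(header.lower(), header)
    return names


def uncovered_headers(api: dict, credentialed: bool = False) -> list:
    """Authorizer identity headers a browser preflight would reject.

    credentialed=True models fetch(..., credentials="include"), where "*" is
    treated as a literal header name rather than a wildcard."""
    allowed = allowed_headers(api.get("Cors"))
    wildcard = "*" in allowed and not credentialed
    missing = []
    for lower, original in sorted(authorizer_headers(api).items()):
        if lower in allowed:
            continue
        if wildcard and lower not in NEVER_WILDCARDED:
            continue
        missing.append(original)
    return missing


if __name__ == "__main__":
    print("issue template, headers still blocked:", uncovered_headers(ISSUE_API))
    print("object-form template, headers still blocked:", uncovered_headers(FIXED_API))
```

The check only reads the template; confirm the deployed stage too by sending a preflight (an OPTIONS request carrying Origin and Access-Control-Request-Headers: authorization) and reading Access-Control-Allow-Headers off the response, since a hand-edited Swagger document can drift from what the template promises.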

Thanks for the feedback @rhboyd. We will look into how SAM can simplify this experience.

praneetap avatar Sep 24 '19 18:09 praneetap