New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Provide multi origin cors values #5740
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR @richarddd! Looks good for the most part. Just a few notes & questsion
@@ -100,7 +100,14 @@ describe('#compileCors()', () => { | |||
.Resources.ApiGatewayMethodUsersCreateOptions | |||
.Properties.Integration.IntegrationResponses[0] | |||
.ResponseParameters['method.response.header.Access-Control-Allow-Origin'] | |||
).to.equal('\'*,http://example.com\''); | |||
).to.equal('\'http://localhost:3000\''); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a ResponseParameter for http://example.com as well?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes but it is in the transformation template. This tests so that the first value of comma ceparated origins is set as default origin
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah ok, so it gets over riden by the transormation. gotcha 👍
}, | ||
}, | ||
]; | ||
}, | ||
|
||
generateCorsResponseTemplate(origins) { | ||
return ( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this only affect preflight requests or all requests? If the later, does it remove the need for users to specify that header manually in their handler?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only preflight. API Gateway does not support transformation of responses sent through lambda.
Edit: Agree that it would be more ideal to have some "automagical" way of applying cors response headers to all request methods as well 👌
let origins = (config.origins && Array.isArray(config.origins)) ? config.origins : undefined; | ||
|
||
if (origin && origin.indexOf(',') !== -1) { | ||
origins = origin.split(',').map(a => a.trim()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't really like the idea of adding extra parsing on top of vanilla(+sls var system) yaml. No real benefit to supporting comma delimited origin
when origins
can accept an array.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, since this changed quite recently so that most modern browsers does only accept one domain in or * as value we need to do this.
“Multiple Values Access-Control-Allow-Origin” by Janosch Maier https://link.medium.com/U8M0LTPHRT
The reason why I suggested to parse both origins and origin is when you want to pass your origins as an env variable or similar (if you have a proxy forward API Gateway method for example) you can't use arrays as env variables
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fair enough 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You've addressed all my questions/concerns!
What did you implement:
Provide support for using multiple origins in cors configuration. This PR generates a response template which transforms any matched origin and sets the
Access-Control-Allow-Origin
header to that matched originHow did you implement it:
Created an extra function in the cors library to generate a valid response template script
How can we verify it:
Create a new template and use the following configuration:
Try accessing the requested resource from localhost:3000 and localhost:3001
Todos:
Is this ready for review?: YES
Is it a breaking change?: NO