Provide multi origin cors values

[richarddd]

What did you implement:

Provide support for using multiple origins in cors configuration. This PR generates a response template which transforms any matched origin and sets the Access-Control-Allow-Origin header to that matched origin

How did you implement it:

Created an extra function in the cors library to generate a valid response template script

How can we verify it:

Create a new template and use the following configuration:

functions:
  hello:
    handler: handler.hello
    events:
      - http:
          path: hello
          method: get
          cors:
            origins:
              - http://localhost:3000
              - http://localhost:3001
            headers:
              - Content-Type
              - X-Amz-Date
              - Authorization
              - X-Api-Key
              - X-Amz-Security-Token
              - X-Amz-User-Agent
            allowCredentials: false

Try accessing the requested resource from localhost:3000 and localhost:3001

Todos:

• Write tests
• Write documentation
• Fix linting errors
• Make sure code coverage hasn't dropped
• Provide verification config / commands / resources
• Enable "Allow edits from maintainers" for this PR
• Update the messages below

Is this ready for review?: YES
Is it a breaking change?: NO

[dschep]

Thanks for the PR @richarddd! Looks good for the most part. Just a few notes & questsion

[dschep]

Is there a ResponseParameter for http://example.com as well?

[richarddd]

Yes but it is in the transformation template. This tests so that the first value of comma ceparated origins is set as default origin

[dschep]

Ah ok, so it gets over riden by the transormation. gotcha 👍

[dschep]

Does this only affect preflight requests or all requests? If the later, does it remove the need for users to specify that header manually in their handler?

[richarddd]

Only preflight. API Gateway does not support transformation of responses sent through lambda.

Edit: Agree that it would be more ideal to have some "automagical" way of applying cors response headers to all request methods as well 👌

[dschep]

I don't really like the idea of adding extra parsing on top of vanilla(+sls var system) yaml. No real benefit to supporting comma delimited origin when origins can accept an array.

[richarddd]

Well, since this changed quite recently so that most modern browsers does only accept one domain in or * as value we need to do this.

“Multiple Values Access-Control-Allow-Origin” by Janosch Maier https://link.medium.com/U8M0LTPHRT

The reason why I suggested to parse both origins and origin is when you want to pass your origins as an env variable or similar (if you have a proxy forward API Gateway method for example) you can't use arrays as env variables

[dschep]

Fair enough 👍

[dschep]

You've addressed all my questions/concerns!