fix(apigateway): fix strange vtl template for cors preflight request (#…

…19104) CDK will create this VTL template for OPTIONS method. ``` #set($origin = $input.params("Origin")) #if($origin == "") #set($origin = $input.params("origin")) #end #if($origin.matches("https://www.test-cors.org")) #set($context.responseOverride.header.Access-Control-Allow-Origin = $origin) #end ``` This VTL template use `$input.params` for get origin information. But it's references request parameter from these values - path - query string - header [`$input` Variables](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html#input-variable-reference) So, this template cause strange behavier like this. ``` $ curl -XOPTIONS https://xxx.execute-api.ap-northeast-1.amazonaws.com/prod/twitch?origin=https://www.test-cors.org -i HTTP/2 204 date: Wed, 23 Feb 2022 06:32:39 GMT x-amzn-requestid: df42e9de-80a4-4db5-985d-5ed8adc40b99 access-control-allow-origin: https://www.test-cors.org ``` [RFC6454](https://datatracker.ietf.org/doc/html/rfc6454#section-7.2) says >the Origin header field indicates > the origin(s) that "caused" the user agent to issue the request its not mention path and querystrings. So VTL template should use only request header for check origin information. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Feb 24, 2022 · 59ef06a · 59ef06a
1 parent 77f1e0b
commit 59ef06a
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 6 deletions.
diff --git a/packages/@aws-cdk/aws-apigateway/lib/resource.ts b/packages/@aws-cdk/aws-apigateway/lib/resource.ts
@@ -311,8 +311,8 @@ export abstract class ResourceBase extends ResourceConstruct implements IResourc
 
       const template = new Array<string>();
 
-      template.push('#set($origin = $input.params("Origin"))');
-      template.push('#if($origin == "") #set($origin = $input.params("origin")) #end');
+      template.push('#set($origin = $input.params().header.get("Origin"))');
+      template.push('#if($origin == "") #set($origin = $input.params().header.get("origin")) #end');
 
       const condition = origins.map(o => `$origin.matches("${o}")`).join(' || ');
 

diff --git a/packages/@aws-cdk/aws-apigateway/test/cors.test.ts b/packages/@aws-cdk/aws-apigateway/test/cors.test.ts
@@ -290,7 +290,7 @@ describe('cors', () => {
               'method.response.header.Access-Control-Allow-Methods': "'OPTIONS,GET,PUT,POST,DELETE,PATCH,HEAD'",
             },
             ResponseTemplates: {
-              'application/json': '#set($origin = $input.params("Origin"))\n#if($origin == "") #set($origin = $input.params("origin")) #end\n#if($origin.matches("https://amazon.com") || $origin.matches("https://aws.amazon.com"))\n  #set($context.responseOverride.header.Access-Control-Allow-Origin = $origin)\n#end',
+              'application/json': '#set($origin = $input.params().header.get("Origin"))\n#if($origin == "") #set($origin = $input.params().header.get("origin")) #end\n#if($origin.matches("https://amazon.com") || $origin.matches("https://aws.amazon.com"))\n  #set($context.responseOverride.header.Access-Control-Allow-Origin = $origin)\n#end',
             },
             StatusCode: '204',
           },

diff --git a/packages/@aws-cdk/aws-apigateway/test/integ.cors.expected.json b/packages/@aws-cdk/aws-apigateway/test/integ.cors.expected.json
@@ -51,7 +51,7 @@
         "corsapitest8682546E"
       ]
     },
-    "corsapitestDeployment2BF1633A228079ea05e5799220dd4ca13512b92d": {
+    "corsapitestDeployment2BF1633A51392cbce1ac2785bd0e53063423e203": {
       "Type": "AWS::ApiGateway::Deployment",
       "Properties": {
         "RestApiId": {
@@ -74,7 +74,7 @@
           "Ref": "corsapitest8682546E"
         },
         "DeploymentId": {
-          "Ref": "corsapitestDeployment2BF1633A228079ea05e5799220dd4ca13512b92d"
+          "Ref": "corsapitestDeployment2BF1633A51392cbce1ac2785bd0e53063423e203"
         },
         "StageName": "prod"
       },
@@ -472,7 +472,7 @@
                 "method.response.header.Access-Control-Allow-Methods": "'OPTIONS,GET,PUT,POST,DELETE,PATCH,HEAD'"
               },
               "ResponseTemplates": {
-                "application/json": "#set($origin = $input.params(\"Origin\"))\n#if($origin == \"\") #set($origin = $input.params(\"origin\")) #end\n#if($origin.matches(\"https://www.test-cors.org\"))\n  #set($context.responseOverride.header.Access-Control-Allow-Origin = $origin)\n#end"
+                "application/json": "#set($origin = $input.params().header.get(\"Origin\"))\n#if($origin == \"\") #set($origin = $input.params().header.get(\"origin\")) #end\n#if($origin.matches(\"https://www.test-cors.org\"))\n  #set($context.responseOverride.header.Access-Control-Allow-Origin = $origin)\n#end"
               },
               "StatusCode": "204"
             }