Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(apigateway): CORS OPTIONS method should not require auth #22402

Merged
merged 3 commits into from
Oct 12, 2022
Merged

fix(apigateway): CORS OPTIONS method should not require auth #22402

merged 3 commits into from
Oct 12, 2022

Conversation

corymhall
Copy link
Contributor

When you create a RestApi and you provide defaultCorsPreflightOptions we automatically create a CORS OPTIONS method for each method. If you also provide defaultMethodOptions then those default options get passed through to the CORS OPTION method as well. In the case of authentication options this should not be the case.

This PR explicitly sets the authentication related options to NONE values which overrides whatever is provided in defaultMethodOptions.

I've updated an integration tests to assert that an OPTIONS call is successful (I also tested before the fix to assert that it failed).

fixes #8615


All Submissions:

Adding new Unconventional Dependencies:

  • This PR adds new unconventional dependencies following the process described here

New Features

  • Have you added the new feature to an integration test?
    • Did you use yarn integ to deploy the infrastructure and generate the snapshot (i.e. yarn integ without --dry-run)?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

When you create a RestApi and you provide `defaultCorsPreflightOptions`
we automatically create a CORS OPTIONS method for each method. If you
also provide `defaultMethodOptions` then those default options get
passed through to the CORS OPTION method as well. In the case of
authentication options this should not be the case.

This PR explicitly sets the authentication related options to NONE
values which overrides whatever is provided in `defaultMethodOptions`.

I've updated an integration tests to assert that an OPTIONS call is
successful (I also tested before the fix to assert that it failed).

fixes #8615
@gitpod-io
Copy link

gitpod-io bot commented Oct 6, 2022

@aws-cdk-automation aws-cdk-automation requested a review from a team October 6, 2022 18:54
@github-actions github-actions bot added bug This issue is a bug. effort/small Small work item – less than a day of effort p1 labels Oct 6, 2022
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Oct 6, 2022
Copy link
Contributor

@Naumel Naumel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added now

@@ -724,7 +724,51 @@ books.addMethod('GET', new apigateway.HttpIntegration('http://amazon.com'), {

A full working example is shown below.

[Full token authorizer example](test/authorizers/integ.token-authorizer.lit.ts).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did not mind the link, since code is better represented as such, instead of READMEs, but I appreciate the lack of clicking around.

@@ -186,7 +186,7 @@ export class Method extends Resource {

const defaultMethodOptions = props.resource.defaultMethodOptions || {};
const authorizer = options.authorizer || defaultMethodOptions.authorizer;
const authorizerId = authorizer?.authorizerId;
const authorizerId = authorizer?.authorizerId ? authorizer.authorizerId : undefined;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pardon my lack of coffee, but what's the difference?

Answer: authorizerId being "" would still lead to an undefined.

Follow-up: is that needed?

@@ -296,6 +296,12 @@ export abstract class ResourceBase extends ResourceConstruct implements IResourc
{ statusCode: `${statusCode}`, responseParameters: integrationResponseParams, responseTemplates: renderResponseTemplate() },
],
}), {
authorizer: {
authorizerId: '',
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As per comment above, this would still lead to an undefined, why specify it?

@mergify
Copy link
Contributor

mergify bot commented Oct 12, 2022

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 5541378
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit ef72089 into aws:main Oct 12, 2022
@mergify
Copy link
Contributor

mergify bot commented Oct 12, 2022

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@plumdog
Copy link
Contributor

plumdog commented Nov 3, 2022

@Naumel @corymhall I've found this because the diff for one of my projects showed the auth options being unset for the OPTIONS methods, which (wrongly?) concerned me.

Is it really the case that OPTIONS should always be unauthenticated? Is this a how-to-do-REST-properly thing?

I'm slightly surprised it's not an optional setting to enable this behaviour from some props, as I imagine this change could - theoretically, at least - expose something sensitive that was previously hidden.

@markcarroll
Copy link

@Naumel @corymhall this PR did not fix the issue in #8615 due to a bug in

apiKeyRequired: options.apiKeyRequired || defaultMethodOptions.apiKeyRequired,

If the default is to have API key required, the fix added in #22402 will get overridden by the default setting - options.apiKeyRequired is false which leads the other side of the boolean operator to get evaluated which then returns whatever defaultMethodOptions.apiKeyRequired is set to.

@taidv
Copy link

taidv commented Nov 8, 2023

Invalid Method authorization type specified. Authorization Scopes are only valid for COGNITO_USER_POOLS authorization type (Service: AmazonApiGateway; Status Code: 400; Error Code: BadRequestException;

For those who encounter the above error after upgrading CDK to version 2.46.0 or higher, it appears that the issue may be related to the configuration of 'authorizer' and 'authorizationScopes' in 'defaultMethodOptions.'

This error can occur because this PR sets the authorizer to NONE, but 'defaultMethodOptions' still includes 'authorizationScopes,' leading to the aforementioned error.

As a workaround, you can resolve this issue by removing 'authorizationScopes' from 'defaultMethodOptions' and setting it when using 'addMethod.' This ensures that the 'authorizationScopes' is applied correctly.

For more information on this topic, you can refer to the official AWS documentation on API Gateway methods: API Method Documentation.

@lazylace37
Copy link

Unfortunately the workaround provided by @taidv cannot be applied to ProxyResources, because they rely on defaultMethodOptions.

To recap: if you are getting this error:
Invalid Method authorization type specified. Authorization Scopes are only valid for COGNITO_USER_POOLS authorization type (Service: AmazonApiGateway; Status Code: 400; Error Code: BadRequestException;
you are probably using defaultMethodOptions like this in your API or your ProxyResource:

const apis = new apigw.RestApi(this, "rest-api", {
  ...
  defaultMethodOptions: {
    authorizer: userPoolAuthorizer,
    authorizationType: apigw.AuthorizationType.COGNITO,
    authorizationScopes: ["api/myscope"],
  },
});

This PR resets authorizationType for OPTIONs, but not authorizationScopes. This is illegal, thus the error.
A dirty fix is this; just put it after your api.root.addProxy:

api.methods.forEach((method) => {
  if (method.httpMethod === "OPTIONS") {
    const methodCfn = method.node.defaultChild as apigw.CfnMethod;
    methodCfn.authorizationScopes = [];
  }
});

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug This issue is a bug. contribution/core This is a PR that came from AWS. effort/small Small work item – less than a day of effort p1
Projects
None yet
Development

Successfully merging this pull request may close these issues.

defaultMethodOptions should be selectively applied to CORS OPTIONS method
7 participants