-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(apigateway): CORS OPTIONS method should not require auth #22402
Conversation
When you create a RestApi and you provide `defaultCorsPreflightOptions` we automatically create a CORS OPTIONS method for each method. If you also provide `defaultMethodOptions` then those default options get passed through to the CORS OPTION method as well. In the case of authentication options this should not be the case. This PR explicitly sets the authentication related options to NONE values which overrides whatever is provided in `defaultMethodOptions`. I've updated an integration tests to assert that an OPTIONS call is successful (I also tested before the fix to assert that it failed). fixes #8615
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
added now
@@ -724,7 +724,51 @@ books.addMethod('GET', new apigateway.HttpIntegration('http://amazon.com'), { | |||
|
|||
A full working example is shown below. | |||
|
|||
[Full token authorizer example](test/authorizers/integ.token-authorizer.lit.ts). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I did not mind the link, since code is better represented as such, instead of READMEs, but I appreciate the lack of clicking around.
@@ -186,7 +186,7 @@ export class Method extends Resource { | |||
|
|||
const defaultMethodOptions = props.resource.defaultMethodOptions || {}; | |||
const authorizer = options.authorizer || defaultMethodOptions.authorizer; | |||
const authorizerId = authorizer?.authorizerId; | |||
const authorizerId = authorizer?.authorizerId ? authorizer.authorizerId : undefined; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pardon my lack of coffee, but what's the difference?
Answer: authorizerId
being ""
would still lead to an undefined
.
Follow-up: is that needed?
@@ -296,6 +296,12 @@ export abstract class ResourceBase extends ResourceConstruct implements IResourc | |||
{ statusCode: `${statusCode}`, responseParameters: integrationResponseParams, responseTemplates: renderResponseTemplate() }, | |||
], | |||
}), { | |||
authorizer: { | |||
authorizerId: '', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As per comment above, this would still lead to an undefined
, why specify it?
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
@Naumel @corymhall I've found this because the diff for one of my projects showed the auth options being unset for the OPTIONS methods, which (wrongly?) concerned me. Is it really the case that OPTIONS should always be unauthenticated? Is this a how-to-do-REST-properly thing? I'm slightly surprised it's not an optional setting to enable this behaviour from some props, as I imagine this change could - theoretically, at least - expose something sensitive that was previously hidden. |
@Naumel @corymhall this PR did not fix the issue in #8615 due to a bug in
If the default is to have API key required, the fix added in #22402 will get overridden by the default setting - |
For those who encounter the above error after upgrading CDK to version 2.46.0 or higher, it appears that the issue may be related to the configuration of 'authorizer' and 'authorizationScopes' in 'defaultMethodOptions.' This error can occur because this PR sets the authorizer to NONE, but 'defaultMethodOptions' still includes 'authorizationScopes,' leading to the aforementioned error. As a workaround, you can resolve this issue by removing 'authorizationScopes' from 'defaultMethodOptions' and setting it when using 'addMethod.' This ensures that the 'authorizationScopes' is applied correctly. For more information on this topic, you can refer to the official AWS documentation on API Gateway methods: API Method Documentation. |
Unfortunately the workaround provided by @taidv cannot be applied to To recap: if you are getting this error: const apis = new apigw.RestApi(this, "rest-api", {
...
defaultMethodOptions: {
authorizer: userPoolAuthorizer,
authorizationType: apigw.AuthorizationType.COGNITO,
authorizationScopes: ["api/myscope"],
},
}); This PR resets api.methods.forEach((method) => {
if (method.httpMethod === "OPTIONS") {
const methodCfn = method.node.defaultChild as apigw.CfnMethod;
methodCfn.authorizationScopes = [];
}
}); |
When you create a RestApi and you provide
defaultCorsPreflightOptions
we automatically create a CORS OPTIONS method for each method. If you also providedefaultMethodOptions
then those default options get passed through to the CORS OPTION method as well. In the case of authentication options this should not be the case.This PR explicitly sets the authentication related options to NONE values which overrides whatever is provided in
defaultMethodOptions
.I've updated an integration tests to assert that an OPTIONS call is successful (I also tested before the fix to assert that it failed).
fixes #8615
All Submissions:
Adding new Unconventional Dependencies:
New Features
yarn integ
to deploy the infrastructure and generate the snapshot (i.e.yarn integ
without--dry-run
)?By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license