Closed chrisbonifacio closed 6 months ago
Thanks for opening this @chrisbonifacio. Marking this as a bug for now.
+1 on "aws-amplify": "^6.0.6"
Exact same issue here. Worked with the "test" Authorization. "aws-amplify": "^6.0.7"
The problem of using the "test" workaround is it dominos into another error.
Access to fetch at 'https://XXXXX1wk0.execute-api.us-east-2.amazonaws.com/prod/abc123/xxxxxx7709' from origin 'https://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
I believe this is because it needs Cognito signatures in subsequent API methods (get, post) for CORS calls. And yes, I tried adding headers like `retval.headers = { Authorization: "test", "Access-Control-Allow-Origin": "*" };`
@cwomack please let me know if this is planned to be resolved soon or else I will revert to Amplify v5. Thnx.
In your lambda's response you should have the CORS permission.
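The point made in the comment above, as an added example that is not code from this thread or from Amplify: `Access-Control-Allow-Origin` is a response header, so it has to be set by the Lambda, and an origin allowlist avoids falling back to `*`. It assumes an API Gateway Lambda proxy integration; `ALLOWED_ORIGINS`, `getHeader`, `corsHeaders` and `buildResponse` are hypothetical names, and `https://app.example.com` is a constructed placeholder.

```javascript
// Added example: CORS headers set in the Lambda *response* (API Gateway proxy format).
// ALLOWED_ORIGINS is an assumed allowlist; the first entry is the origin from the error above.
const ALLOWED_ORIGINS = new Set([
  "https://localhost:3000",
  "https://app.example.com", // constructed placeholder
]);

// Header names may arrive in any case, so look them up case-insensitively.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Build the CORS response headers for one request.
// An origin that is not allowlisted gets no Access-Control-Allow-Origin,
// so the browser blocks the cross-origin read.
function corsHeaders(event) {
  const origin = getHeader(event.headers, "Origin");
  const headers = { Vary: "Origin" };
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Methods"] = "GET,POST,PUT,DELETE,OPTIONS";
    // A custom Authorization request header triggers a preflight, so it must be listed.
    headers["Access-Control-Allow-Headers"] = "Content-Type,Authorization";
  }
  return headers;
}

function buildResponse(event, statusCode, payload) {
  return {
    statusCode,
    headers: { "Content-Type": "application/json", ...corsHeaders(event) },
    body: JSON.stringify(payload),
  };
}

// Lambda entry point (export it as `handler` in the function's module).
async function handler(event) {
  // Preflight: answer OPTIONS with the CORS headers only.
  if (event.httpMethod === "OPTIONS") {
    return { statusCode: 204, headers: corsHeaders(event), body: "" };
  }
  return buildResponse(event, 200, { ok: true });
}
```

Sending `Access-Control-Allow-Origin` from the client has no effect on the browser's check; only the value in the response is evaluated.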
You are right, but back to the workaround - when you do this:
```
headers: {
  Authorization: "test",
},
```
It is overwriting the headers object with a new object you are providing, with one header in it, the Authorization with a placeholder value. This is as opposed to an 'internal' headers object, managed by Amplify, into which I am assuming Cognito injects or manages its headers: headers that are dynamically generated by Amplify and/or Cognito with real runtime signature values. Therefore setting your own "headers" object with a bogus "Authorization" property overwrites what should be managed by the library. It might work for a simple post or get, but I am assuming not backed by a real identity manager requiring real signature values.
Hi @willjstevens @mighty6ft5max
I can confirm this is indeed a regression. I'm working on a fix right now. In the short term you can work around the issue by setting the Authorization header to any string value. I will post here when the fix is up.
@chrisbonifacio A fix for this made it out with Amplify 6.0.10, could you please check if the issue has been resolved for you?
@jimblanc just updated and tried it out, all good now! Thanks! 🙏
JavaScript Framework
React, Next.js
Amplify APIs
REST API
Amplify Categories
api
Environment information
Describe the bug
Following this guide: https://docs.amplify.aws/javascript/build-a-backend/restapi/set-up-rest-api/
Trying to perform `post` request without `Authorization` headers results in the following error:
Adding an arbitrary Authorization header and value allows the request to be sent and succeeds.
UPDATE: other methods (`get`, `put`, `del`) also throw the same error.
Expected behavior
I expect an unauthenticated request to an unrestricted REST API not to require an Authorization header
Reproduction steps
Follow guide: https://docs.amplify.aws/javascript/build-a-backend/restapi/set-up-rest-api/
Code Snippet
Doesn't work
Works
Log output