aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0
11.68k stars 3.93k forks source link

Cloudfront: Allow "Authorization" as a header in Origin Request Policies #28883

Open WillSmithTE opened 9 months ago

WillSmithTE commented 9 months ago

Describe the feature

I want the ability to forward the Authorization header to the origin server, without putting it in the cache key. This is the purpose of the Origin Request Policies.

See issue for prior discussion.

Use Case

I have various endpoints which each determine by themselves what they want to cache, and if they want to cache in the CDN or locally.

e.g.

/user/profile takes a user's id from their JWT to provide the right info when a user views their own profile. In this case I need the Authorization to be forwarded to the origin server to serve the right request. I don't want to cache it publicly, so I won't return any cache headers.

/books?genre=fantasy&sort=latest gets the latest fantasy books. In this case I don't need the Authorization header to go to the origin server, it's a public request. However it's an expensive request, so I want to cache it publicly. I want to include the query params in the cache key, but not the Authorization header.

As far as I can see, to do this I would create a cache policy and an origin request policy, as below, but this is not possible because Authorization is not allowed in origin request policies.

resource "aws_cloudfront_cache_policy" "parameters_in_cache_key_and_forwarded_to_origin" {
  name = "parameters_in_cache_key_and_forwarded_to_origin"

  parameters_in_cache_key_and_forwarded_to_origin {
    cookies_config {
      cookie_behavior = "none"
    }
    headers_config {
      header_behavior = "none"
    }
    query_strings_config {
      query_string_behavior = "all"
    }
  }
}

resource "aws_cloudfront_origin_request_policy" "parameters_only_to_origin_not_in_cache_key" {
  name = "example-origin-request-policy"

  headers_config {
    header_behavior = "whitelist"
    headers {
      items = ["Authorization"]
    }
  }

  cookies_config {
    cookie_behavior = "none"
  }

  query_strings_config {
    query_string_behavior = "all"
  }
}

Proposed Solution

Allow Authorization as a header in origin request policies

Other Information

Right now my workaround is using a separate cache behaviour with a path pattern, and adding public to any api path which is public, and not forwarding Authorization there to either the origin server or the cache key. I would much rather have this logic live inside my app server than my CDN config.

I don't ever need Authorization to be included in a cache key, there are too many users for that to be useful and I'll just use the browser cache instead.

Acknowledgements

CDK version used

Not relevant

Environment details (OS name and version, etc.)

Not relevant

pahud commented 9 months ago

Thank you for the feature request and we look forward to any pull requests from the community.