aws / chalice

Python Serverless Microframework for AWS
Apache License 2.0
10.66k stars 1.01k forks

Multiple origin CORS with IAMAuthorizer #1418

Closed 3dw1np closed 4 years ago

3dw1np commented 4 years ago

I tried to set up multiple CORS origins using the example given in the documentation, but with an authorizer it didn't work as expected. I received a 403 error response.

from chalice import Chalice, IAMAuthorizer, Response

import config  # the reporter's own settings module providing API_NAME and ALLOWED_ORIGINS

app = Chalice(app_name=config.API_NAME)
authorizer = IAMAuthorizer()

@app.route('/auth/me', methods=['POST', 'OPTIONS'], authorizer=authorizer)
def auth_me():
    method = app.current_request.method
    if method == 'OPTIONS':
        # Header values must be strings (not lists), and the header name is
        # Access-Control-Allow-Methods. Browsers accept exactly one value in
        # Access-Control-Allow-Origin, so the allowlist is not joined with commas;
        # the matching origin is reflected below instead.
        headers = {
            'Access-Control-Allow-Methods': 'POST,OPTIONS',
            'Access-Control-Allow-Headers': ','.join([
                'Authorization', 'Content-Type', 'X-Amz-Date',
                'X-Amz-Security-Token', 'X-Api-Key',
            ]),
        }

        origin = app.current_request.headers.get('origin', '')
        if origin in config.ALLOWED_ORIGINS:
            headers['Access-Control-Allow-Origin'] = origin
            headers['Vary'] = 'Origin'  # the response differs per Origin, so caches must key on it

        return Response(
            body=None,
            status_code=200,
            headers=headers,
        )

    elif method == 'POST':
        return 'Foo'

STATUS: 403 Forbidden
{
  "message": "Missing Authentication Token"
}
jamesls commented 4 years ago

That error message is tricky because it can either mean you're not making it past the authorizer or you're accessing a route that doesn't exist.

Can you share the client code you're using to make the authorized request?

3dw1np commented 4 years ago

I am using the Amplify API lib to make the request, which manages signed requests against Amazon API Gateway when the API Gateway authorization is set to AWS_IAM, right?

Just to let you know, if I set cors=True it works, so I am sure that the route exists.

Many thanks for your help!

jamesls commented 4 years ago

So I'm not as familiar with the specifics of how the amplify lib is making requests, but if the browser is the one making the preflight OPTIONS request, then I don't think it would be signed with sigv4. I'd check the network calls being made and verify that the OPTIONS request has the appropriate Auth headers included. Although I'm not sure if you'd actually want an auth'd OPTIONS call.
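The mechanism described in the comment above, as an added example that is not part of the original thread or of the chalice project: a browser-issued preflight carries an Origin header but no Authorization header, so it can never be SigV4-signed, and an OPTIONS method registered behind IAMAuthorizer rejects it with the same 403 "Missing Authentication Token" that an unknown route gets. The route table and gateway function below are a deliberately simplified model of that front door (an assumption, not AWS or chalice code), the origins, the request headers and the SigV4 Authorization value are constructed placeholders, and cors_headers shows how a multi-origin allowlist is answered (one reflected origin plus Vary: Origin) rather than a comma-joined list.

```python
"""Model of CORS preflight against an IAM-protected API Gateway route.

Added example; pure stdlib so it runs offline. RouteTable stands in for the
@app.route registrations, gateway() for API Gateway's auth gate. Both are
simplifications, not the real implementations.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Mapping, Tuple

# Constructed allowlist standing in for config.ALLOWED_ORIGINS in the issue.
ALLOWED_ORIGINS = ("https://app.example.com", "https://admin.example.com")
ALLOW_HEADERS = "Authorization,Content-Type,X-Amz-Date,X-Amz-Security-Token,X-Api-Key"


def get_header(headers: Mapping[str, str], name: str) -> str:
    """Header names are case-insensitive; API Gateway may hand them over lower-cased."""
    name = name.lower()
    return next((v for k, v in headers.items() if k.lower() == name), "")


def cors_headers(headers: Mapping[str, str], allowed: Iterable[str],
                 methods: Tuple[str, ...] = ("POST", "OPTIONS")) -> Dict[str, str]:
    """CORS response headers for a caller from one of several allowed origins.

    Access-Control-Allow-Origin takes exactly one value, so the allowlist is never
    joined; the matching origin is reflected and Vary: Origin keys caches on it.
    An origin not on the list gets no CORS headers, so the browser blocks the read.
    """
    origin = get_header(headers, "origin")
    if origin not in set(allowed):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ",".join(methods),
        "Access-Control-Allow-Headers": ALLOW_HEADERS,
        "Vary": "Origin",
    }


def is_sigv4_signed(headers: Mapping[str, str]) -> bool:
    """A SigV4-signed call (what Amplify sends for AWS_IAM) has these two headers."""
    return (get_header(headers, "authorization").startswith("AWS4-HMAC-SHA256 ")
            and bool(get_header(headers, "x-amz-date")))


@dataclass
class RouteTable:
    routes: Dict[str, Dict[str, bool]] = field(default_factory=dict)  # path -> method -> iam_required

    def add(self, path: str, method: str, iam_required: bool) -> None:
        self.routes.setdefault(path, {})[method] = iam_required


MISSING_TOKEN = {"status": 403, "body": {"message": "Missing Authentication Token"}, "headers": {}}


def gateway(table: RouteTable, method: str, path: str, headers: Mapping[str, str]) -> dict:
    """Simplified API Gateway front door: an unknown route and an unsigned call to
    an AWS_IAM method both answer 403 Missing Authentication Token."""
    methods = table.routes.get(path)
    if methods is None or method not in methods:
        return MISSING_TOKEN
    if methods[method] and not is_sigv4_signed(headers):
        return MISSING_TOKEN
    body = None if method == "OPTIONS" else "Foo"  # mirrors the view in the issue
    return {"status": 200, "body": body, "headers": cors_headers(headers, ALLOWED_ORIGINS)}


# Constructed requests. The preflight is what the browser sends by itself:
# Origin and Access-Control-Request-* only, never an Authorization header.
PREFLIGHT = {"origin": "https://admin.example.com",
             "access-control-request-method": "POST",
             "access-control-request-headers": "authorization,x-amz-date"}
SIGNED_POST = {"origin": "https://admin.example.com",
               "authorization": "AWS4-HMAC-SHA256 Credential=AKIAPLACEHOLDER/20200101/"
                                "us-east-1/execute-api/aws4_request, SignedHeaders=host;"
                                "x-amz-date, Signature=0000",  # placeholder, not a real signature
               "x-amz-date": "20200101T000000Z"}

# As reported: OPTIONS and POST share one route with authorizer=IAMAuthorizer().
AS_REPORTED = RouteTable()
AS_REPORTED.add("/auth/me", "OPTIONS", iam_required=True)
AS_REPORTED.add("/auth/me", "POST", iam_required=True)

# Fix: OPTIONS on its own route with no authorizer (what cors=True sets up), POST still IAM.
FIXED = RouteTable()
FIXED.add("/auth/me", "OPTIONS", iam_required=False)
FIXED.add("/auth/me", "POST", iam_required=True)


def demo() -> Dict[str, dict]:
    return {
        "reported_preflight": gateway(AS_REPORTED, "OPTIONS", "/auth/me", PREFLIGHT),
        "fixed_preflight": gateway(FIXED, "OPTIONS", "/auth/me", PREFLIGHT),
        "fixed_post": gateway(FIXED, "POST", "/auth/me", SIGNED_POST),
        "fixed_unsigned_post": gateway(FIXED, "POST", "/auth/me", PREFLIGHT),
        "fixed_bad_origin": gateway(FIXED, "OPTIONS", "/auth/me", {"origin": "https://evil.example"}),
    }


if __name__ == "__main__":
    for name, resp in demo().items():
        print(name, resp["status"], resp["headers"])
```

In a real Chalice app the FIXED table corresponds to registering the OPTIONS handler with its own @app.route('/auth/me', methods=['OPTIONS']) that carries no authorizer= argument, while the POST handler keeps authorizer=IAMAuthorizer(); the signed POST still passes the IAM check, and an unsigned POST to the same path is still refused, so exempting the preflight does not weaken the protected method.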

3dw1np commented 4 years ago

I don't see the OPTIONS request; it seems to be removed in the newest version of Chrome. I will try with Firefox.

https://httptoolkit.tech/blog/chrome-79-doesnt-show-cors-preflight

Edit: It can be re-enabled in the Chrome flags, it seems.

jamesls commented 4 years ago

Just following up on this, were you able to see the pre-flight request in chrome?

no-response[bot] commented 4 years ago

This issue has been automatically closed because there has been no response to our request for more information from the original author. With only the information that is currently in the issue, we don't have enough information to take action. Please reach out if you have or find the answers we need so that we can investigate further.