Closed huyphan closed 5 years ago
This library can also be used with ALB, which does not perform that validation as strictly as API Gateway. I have asked the API Gateway team to add a property with the full url of the client request to the proxy event. Once that new property comes in, I'll definitely switch to you. For now, I'm a bit skeptical of the Host header.
Gotcha. I didn't realize the usage with ALB.
I understand the concern with Host
header. And I agree that we should not use it as the default option. Since there's no timeline of when API Gateway team would introduce the new property (that I know of), I think it's reasonable to make this an optional feature to unblock users -- we allow people to opt-in and use it when they know what they are doing.
I think the code would be a bit messy if we want to support this, I'm just throwing the idea for now :)
You could work around this simply by reading the proxy event in the handler method, looking for the Host header, and then setting the GO_API_HOST
env variable before calling the Proxy
method of this library.
Yea we are currently using GO_API_HOST
environment variable as a workaround. I was hoping for a goroutine-scoped way of doing that though.
I guess we can wait until API Gateway releases the desired property then. I'm going to close this issue for now.
I saw that we made some effort to make the hostname more customizable (relevant issues: #21 and #13). I think we can make it even more flexible by allowing consumer to opt-in the option to use, wait for it,
Host
header as the hostname.In normal context, this is a terrible idea as
Host
header can't be trusted at all. In APIG/Lambda context -- which is what this library is about -- I think it's an acceptable option. The reason being, API Gateway and CloudFront already reject all the requests with irrelevantHost
header. And those that hit Lambda are those that we can trust.Hence, would using incoming
Host
header as hostname be something we can consider as an option?