jeremydaly / lambda-api

Lightweight web framework for your serverless applications
https://serverless-api.com
MIT License

CORS pre-flight OPTIONS not working because of lowercase casting #245

Open NicoPowers opened 10 months ago

NicoPowers commented 10 months ago

Hi all,

I just picked up lambda-api, and it seems like it's the perfect solution for my project; however, I have been struggling for hours trying to get CORS to work.

My OPTIONS pre-flight request headers are being properly sent, but they're all lower case, and it's causing my web app running in Google Chrome to not recognize it as Access-Control-Allow-Origin, as this is the error I am receiving from it:

Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I verified, with Postman, that these are the headers coming back from the pre-flight OPTIONS request:


However, I noticed that they're all lower case, and thus Google Chrome cannot find Access-Control-Allow-Origin.

This is how it's getting received in Google Chrome:

This is how I am providing CORS in my Lambda:

```typescript
// import AWS Lambda types
import { APIGatewayProxyEventV2, Context } from "aws-lambda";
// import Lambda API default function
import createAPI from "lambda-api";
import { Authorizer, Role } from "./authorizer";
import { ListProducts } from "./products/List";

// instantiate framework
const api = createAPI({});

// ************************************* CORS *************************************
// Answer every pre-flight OPTIONS request with permissive CORS headers
api.options("/*", (req: any, res: any) => {
  // Add CORS headers
  res.header("Access-Control-Allow-Origin", "*");
  res.header("Access-Control-Allow-Methods", "*");
  res.header("Access-Control-Allow-Headers", "Content-Type, Authorization, Content-Length, X-Requested-With");
  res.sendStatus(200);
});

// Lambda entry point: hand the API Gateway event to lambda-api
export const handler = async (event: APIGatewayProxyEventV2, context: Context) => {
  return api.run(event, context);
};
```

Please suggest a workaround for the current version of Chrome.

Thank you!

naorpeled commented 10 months ago

Hey @NicoPowers, sorry for the delayed response.

I've created a PR to resolve this, it's still a WIP but hopefully will get to finishing it during this week or the weekend. Will keep you posted.

jub0bs commented 8 months ago

@NicoPowers The case of headers cannot be the root cause of the issue you're experiencing, as header names are case-insensitive.

Rather, the 401 status code you're getting suggests that some auth layer is preventing preflight requests from reaching the CORS middleware. In your test with Postman, are you, by any chance, adding some auth token to your spoofed preflight request? Be aware that real preflight requests are never authenticated.
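An added example, not part of this thread and not lambda-api's own code, that models the two points made above. It uses a hypothetical minimal pipeline (`createPipeline`) as a stand-in for a framework's "middleware first, then route" ordering, and a constructed API Gateway HTTP API (v2) style preflight event whose header names arrive lowercased and which, like a real browser preflight, carries no Authorization header. It shows that a case-insensitive lookup finds `Access-Control-Allow-Origin` regardless of casing, and that an auth middleware placed ahead of the OPTIONS route turns every preflight into a 401 unless it exempts OPTIONS.

```javascript
// Added example (not lambda-api's code): a minimal request pipeline that
// reproduces the symptom discussed above and the fix.

// Case-insensitive header lookup, the way browsers and HTTP libraries treat
// header names: "access-control-allow-origin" and
// "Access-Control-Allow-Origin" are the same header.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Hypothetical tiny router: middleware runs in order before the matching
// route; a middleware that returns false ends the request with its response.
function createPipeline() {
  const middleware = [];
  const routes = [];
  return {
    use(fn) { middleware.push(fn); },
    route(method, fn) { routes.push({ method, fn }); },
    handle(event) {
      const res = { statusCode: 200, headers: {} };
      for (const fn of middleware) {
        if (fn(event, res) === false) return res; // middleware short-circuited
      }
      const method = event.requestContext.http.method;
      const route = routes.find((r) => r.method === method);
      if (route) route.fn(event, res);
      else res.statusCode = 404;
      return res;
    },
  };
}

// Auth middleware that rejects any request without an Authorization header.
// With skipPreflight=true it lets OPTIONS through, because browsers never
// attach credentials to a preflight request.
function authRequiringToken(skipPreflight) {
  return (event, res) => {
    const method = event.requestContext.http.method;
    if (skipPreflight && method === "OPTIONS") return true;
    if (!getHeader(event.headers, "Authorization")) {
      res.statusCode = 401;
      return false;
    }
    return true;
  };
}

// Preflight handler setting the same headers as the snippet in the issue.
function corsOptions(event, res) {
  res.headers["Access-Control-Allow-Origin"] = "*";
  res.headers["Access-Control-Allow-Methods"] = "*";
  res.headers["Access-Control-Allow-Headers"] =
    "Content-Type, Authorization, Content-Length, X-Requested-With";
  res.statusCode = 200;
}

// Constructed preflight event in API Gateway v2 shape: lowercased header
// names, no Authorization header (assumed values, for illustration only).
const preflightEvent = {
  requestContext: { http: { method: "OPTIONS", path: "/products" } },
  headers: {
    origin: "https://app.example",
    "access-control-request-method": "GET",
    "access-control-request-headers": "authorization,content-type",
  },
};

// Symptom: auth runs before the CORS route and blocks the preflight with 401,
// so no Access-Control-Allow-Origin header is ever sent.
function runWithAuthBeforeCors() {
  const api = createPipeline();
  api.use(authRequiringToken(false));
  api.route("OPTIONS", corsOptions);
  return api.handle(preflightEvent);
}

// Fix: the auth middleware exempts OPTIONS, so the CORS route answers it.
function runWithPreflightExempt() {
  const api = createPipeline();
  api.use(authRequiringToken(true));
  api.route("OPTIONS", corsOptions);
  return api.handle(preflightEvent);
}
```

Running `runWithAuthBeforeCors()` yields a 401 with no CORS headers, which is what the Chrome error message reports; `runWithPreflightExempt()` yields a 200 whose `Access-Control-Allow-Origin` is found by `getHeader` whether the name is spelled in mixed or lower case. Only the OPTIONS exemption is a change to authentication; actual requests still require the token.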