mlops-club / awscdk-minecraft

An AWS CDK package written in Python for deploying an entire Minecraft Server Platform-as-a-Service

Feat/authentication and cors #36

Closed phitoduck closed 1 year ago

phitoduck commented 1 year ago

Wow... I just went on a 2-day journey.

I was beaten down by CORS, Cognito, and API Gateway, and emerged a new man.

  1. Took forever to figure out how to use our JWT auth tokens with the generated client code.
  2. Got my locally running frontend to hit my deployed backend with Cognito for JWT protection. Exciting!
  3. Deployed the frontend to AWS to see if the token-authorized requests worked from there. No. Then got 401 unauthorized in the browser... yet it worked from Postman. Found out it was a CORS problem. The "CORS preflight" request was getting 401 unauthorized, causing the actual API calls to fail in the browser, even though they had auth tokens. (see the diagram)
  4. Realized that I needed to create a way for the OPTIONS preflight request to make it through without needing an auth token, but without invoking our lambda function either, so that attackers can't spoof us with 1,000s of OPTIONS requests that we'd have to pay money for
  5. Created a "MockIntegration" endpoint in API gateway that returns CORS for OPTIONS requests--had to abandon our apigateway.LambdaRestAPI construct for that and write our API Gateway from scratch.
  6. Still failed--due to a mysterious 500 error in the MockIntegration endpoint. Despair setting in.
  7. Learned of a limitation involving the specific use case of CORS with MockIntegrations :anguished:
  8. Learned the basics of a templating language called "Apache Velocity"--sort of like Jinja, and wrote a custom "response mapping" for API gateway--basically a transformation that worked around the CORS issue.
  9. Tested it manually. Success! ✅