yndlingsfar / serverless-openapi-integration-helper

The plugin separates x-amazon-apigateway extension syntax from your openapi3 files
MIT License

Disable security for CORS integrations #24

Closed henhal closed 1 year ago

henhal commented 1 year ago

Normally, CORS preflight requests are not authenticated. This change modifies the default template for OPTIONS integrations to override the list of security schemes with an empty list.

Without this change, API Gateway will sometimes apply the same security scheme as used by other methods, even if the method itself doesn't specify security.

henhal commented 1 year ago

I'm not sure why API Gateway did this, but I had a document such as this:

```yaml
paths:
  /pets:
    get:
      security:
        - BearerTokenAuth: []
```

... to which this plugin added an options method, which correctly did NOT specify any security object at all. Still, once deployed to API Gateway, the OPTIONS method had BearerTokenAuth specified as the authorizer.

With this change, that does not happen, and since preflight requests normally shouldn't require authentication, that makes sense to me.
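
As an added example (not code from this plugin or the pull request), the check below flags OPTIONS operations in an OpenAPI document that do not carry the explicit empty security list discussed in this thread, and can set it. The function name `auditPreflightSecurity` and the sample document are constructed for illustration.

```javascript
'use strict';

// Hypothetical helper (not part of the plugin): report OPTIONS operations that
// do not explicitly opt out of authentication, and optionally fix them.
function auditPreflightSecurity(doc, { fix = false } = {}) {
  const findings = [];
  for (const [path, item] of Object.entries(doc.paths || {})) {
    const op = item && item.options;
    if (!op || typeof op !== 'object') continue; // no preflight operation here

    let status;
    if (!('security' in op)) {
      // Nothing stated: by OpenAPI rules a root-level `security` applies, and
      // the thread reports API Gateway attaching a sibling method's authorizer.
      status = 'implicit';
    } else if (Array.isArray(op.security) && op.security.length === 0) {
      status = 'open'; // explicit empty list: no security scheme applies
    } else {
      status = 'authenticated'; // preflight would need credentials
    }

    if (status !== 'open') {
      findings.push({ path, status });
      if (fix) op.security = []; // same override the changed template applies
    }
  }
  return findings;
}

// Constructed sample document for illustration.
const sample = {
  openapi: '3.0.0',
  paths: {
    '/pets': {
      get: { security: [{ BearerTokenAuth: [] }] },
      options: { responses: { 200: { description: 'CORS' } } },
    },
    '/orders': { options: { security: [{ BearerTokenAuth: [] }] } },
    '/health': { get: {}, options: { security: [] } },
    '/status': { get: {} },
  },
};

console.log(auditPreflightSecurity(sample));
```

Running it against the merged OpenAPI file before deployment shows which preflight routes could end up behind an authorizer.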