fix(apigateway): CORS OPTIONS method should not require auth #22402
Conversation
When you create a RestApi and you provide `defaultCorsPreflightOptions` we automatically create a CORS OPTIONS method for each method. If you also provide `defaultMethodOptions` then those default options get passed through to the CORS OPTION method as well. In the case of authentication options this should not be the case. This PR explicitly sets the authentication related options to NONE values which overrides whatever is provided in `defaultMethodOptions`. I've updated an integration tests to assert that an OPTIONS call is successful (I also tested before the fix to assert that it failed). fixes #8615
|
|
github-actions
bot
added
bug
| @@ -724,7 +724,51 @@ books.addMethod('GET', new apigateway.HttpIntegration('http://amazon.com'), { | |||
|
|
|||
| A full working example is shown below. | |||
|
|
|||
| [Full token authorizer example](test/authorizers/integ.token-authorizer.lit.ts). | |||
There was a problem hiding this comment.
I did not mind the link, since code is better represented as such, instead of READMEs, but I appreciate the lack of clicking around.
| @@ -186,7 +186,7 @@ export class Method extends Resource { | |||
|
|
|||
| const defaultMethodOptions = props.resource.defaultMethodOptions || {}; | |||
| const authorizer = options.authorizer || defaultMethodOptions.authorizer; | |||
| const authorizerId = authorizer?.authorizerId; | |||
| const authorizerId = authorizer?.authorizerId ? authorizer.authorizerId : undefined; | |||
There was a problem hiding this comment.
Pardon my lack of coffee, but what's the difference?
Answer: authorizerId being "" would still lead to an undefined.
Follow-up: is that needed?
| @@ -296,6 +296,12 @@ export abstract class ResourceBase extends ResourceConstruct implements IResourc | |||
| { statusCode: `${statusCode}`, responseParameters: integrationResponseParams, responseTemplates: renderResponseTemplate() }, | |||
| ], | |||
| }), { | |||
| authorizer: { | |||
| authorizerId: '', | |||
There was a problem hiding this comment.
As per comment above, this would still lead to an undefined, why specify it?
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
@Naumel @corymhall I've found this because the diff for one of my projects showed the auth options being unset for the OPTIONS methods, which (wrongly?) concerned me. Is it really the case that OPTIONS should always be unauthenticated? Is this a how-to-do-REST-properly thing? I'm slightly surprised it's not an optional setting to enable this behaviour from some props, as I imagine this change could - theoretically, at least - expose something sensitive that was previously hidden. |
|
@Naumel @corymhall this PR did not fix the issue in #8615 due to a bug in If the default is to have API key required, the fix added in #22402 will get overridden by the default setting - |
For those who encounter the above error after upgrading CDK to version 2.46.0 or higher, it appears that the issue may be related to the configuration of 'authorizer' and 'authorizationScopes' in 'defaultMethodOptions.' This error can occur because this PR sets the authorizer to NONE, but 'defaultMethodOptions' still includes 'authorizationScopes,' leading to the aforementioned error. As a workaround, you can resolve this issue by removing 'authorizationScopes' from 'defaultMethodOptions' and setting it when using 'addMethod.' This ensures that the 'authorizationScopes' is applied correctly. For more information on this topic, you can refer to the official AWS documentation on API Gateway methods: API Method Documentation. |
|
Unfortunately the workaround provided by @taidv cannot be applied to To recap: if you are getting this error: const apis = new apigw.RestApi(this, "rest-api", {
...
defaultMethodOptions: {
authorizer: userPoolAuthorizer,
authorizationType: apigw.AuthorizationType.COGNITO,
authorizationScopes: ["api/myscope"],
},
});This PR resets api.methods.forEach((method) => {
if (method.httpMethod === "OPTIONS") {
const methodCfn = method.node.defaultChild as apigw.CfnMethod;
methodCfn.authorizationScopes = [];
}
}); |
When you create a RestApi and you provide
defaultCorsPreflightOptionswe automatically create a CORS OPTIONS method for each method. If you also providedefaultMethodOptionsthen those default options get passed through to the CORS OPTION method as well. In the case of authentication options this should not be the case.This PR explicitly sets the authentication related options to NONE values which overrides whatever is provided in
defaultMethodOptions.I've updated an integration tests to assert that an OPTIONS call is successful (I also tested before the fix to assert that it failed).
fixes #8615
All Submissions:
Adding new Unconventional Dependencies:
New Features
yarn integto deploy the infrastructure and generate the snapshot (i.e.yarn integwithout--dry-run)?By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license