feat(apigateway): cors preflight support (#4211)
* feat(apigateway): cors support (wip) adds support for CORS preflight (OPTIONS) requests on resources. currently supports: origin, methods, headers, credentials, status code implemented during a live twitch stream on sep 24, 2019 * export types from cors.ts * allow 'ANY' to be used in `allowMethods` * add a bunch of unit tests * document api * support multiple origins * add maxAge + disableCache * document addCorsPreflight * exposeHeaders * doc cleanups * reorder methods * add integ test expectation * defaultCorsPreflightOptions * README * add missing features link * update integ test expectation * fix compilation error * respond with Vary if specific origin is specified * update expectation
1 parent
8f4a38d
commit 0f06223
Showing
11 changed files
with
1,664 additions
and
7 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,105 @@ | ||
import { Duration } from '@aws-cdk/core'; | ||
import { ALL_METHODS } from './util'; | ||
|
||
export interface CorsOptions { | ||
/** | ||
* Specifies the response status code returned from the OPTIONS method. | ||
* | ||
* @default 204 | ||
*/ | ||
readonly statusCode?: number; | ||
|
||
/** | ||
* The Access-Control-Allow-Origin response header indicates whether the | ||
* response can be shared with requesting code from the given origin. | ||
* | ||
* Specifies the list of origins that are allowed to make requests to this resource. | ||
* | ||
* @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin | ||
*/ | ||
readonly allowOrigins: string[]; | ||
|
||
/** | ||
* The Access-Control-Allow-Headers response header is used in response to a | ||
* preflight request which includes the Access-Control-Request-Headers to | ||
* indicate which HTTP headers can be used during the actual request. | ||
* | ||
* @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers | ||
* @default Cors.DEFAULT_HEADERS | ||
*/ | ||
readonly allowHeaders?: string[]; | ||
|
||
/** | ||
* The Access-Control-Allow-Methods response header specifies the method or | ||
* methods allowed when accessing the resource in response to a preflight request. | ||
* | ||
* If `ANY` is specified, it will be expanded to `Cors.ALL_METHODS`. | ||
* | ||
* @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods | ||
* @default Cors.ALL_METHODS | ||
*/ | ||
readonly allowMethods?: string[]; | ||
|
||
/** | ||
* The Access-Control-Allow-Credentials response header tells browsers whether | ||
* to expose the response to frontend JavaScript code when the request's | ||
* credentials mode (Request.credentials) is "include". | ||
* | ||
* When a request's credentials mode (Request.credentials) is "include", | ||
* browsers will only expose the response to frontend JavaScript code if the | ||
* Access-Control-Allow-Credentials value is true. | ||
* | ||
* Credentials are cookies, authorization headers or TLS client certificates. | ||
* @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials | ||
* @default false | ||
*/ | ||
readonly allowCredentials?: boolean; | ||
|
||
/** | ||
* The Access-Control-Max-Age response header indicates how long the results of | ||
* a preflight request (that is the information contained in the | ||
* Access-Control-Allow-Methods and Access-Control-Allow-Headers headers) | ||
* can be cached. | ||
* | ||
* To disable caching altogther use `disableCache: true`. | ||
* | ||
* @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age | ||
* @default - browser-specific (see reference) | ||
*/ | ||
readonly maxAge?: Duration; | ||
|
||
/** | ||
* Sets Access-Control-Max-Age to -1, which means that caching is disabled. | ||
* This option cannot be used with `maxAge`. | ||
* | ||
* @default - cache is enabled | ||
*/ | ||
readonly disableCache?: boolean; | ||
|
||
/** | ||
* The Access-Control-Expose-Headers response header indicates which headers | ||
* can be exposed as part of the response by listing their names. | ||
* | ||
* If you want clients to be able to access other headers, you have to list | ||
* them using the Access-Control-Expose-Headers header. | ||
* | ||
* @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers | ||
* | ||
* @default - only the 6 CORS-safelisted response headers are exposed: | ||
* Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, | ||
* Pragma | ||
*/ | ||
readonly exposeHeaders?: string[]; | ||
} | ||
|
||
export class Cors { | ||
/** | ||
* All HTTP methods. | ||
*/ | ||
public static readonly ALL_METHODS = ALL_METHODS; | ||
|
||
/** | ||
* The set of default headers allowed for CORS and useful for API Gateway. | ||
*/ | ||
public static readonly DEFAULT_HEADERS = [ 'Content-Type', 'X-Amz-Date', 'Authorization', 'X-Api-Key', 'X-Amz-Security-Token', 'X-Amz-User-Agent' ]; | ||
} |
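Review bot: The doc comments on `allowOrigins` and `allowCredentials` in `CorsOptions` do not say how the two options interact, and that combination is the one most likely to be misconfigured. Browsers refuse a credentialed response whose Access-Control-Allow-Origin is `*`, so the `allowCredentials` doc could add a line such as `Cannot be combined with a wildcard origin; list explicit, trusted origins in allowOrigins when this is true.` The code that consumes these options is not in this file, so it is worth confirming that it rejects that combination, and `disableCache` together with `maxAge`, at synth time with a unit test for each. Separately, `Cors.DEFAULT_HEADERS` is a mutable array behind a `readonly` binding, so any caller can alter the shared default in place, and "altogther" in the `maxAge` doc is a typo.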