fix(nextjs-component, e2e-tests): allow all CloudFront HTTP methods for default caching behavior #609
This fixes #454 and similar issues.
Not sure why we don't allow all CloudFront methods on the default caching behavior, which will allow more HTTP methods, e.g. form posts on SSR pages, similar to Vercel.
This component already adds a policy to the S3 bucket to only allow GetObject from the origin access identity (CloudFront), so requesters cannot modify S3 objects with these additional methods (e.g. using DELETE to delete a public file). See: https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_AllowedMethods.html
Tests
Updated unit and e2e tests, and ran them (e2e tests not yet automated).
SSR page: https://dcrrk28otqvm3.cloudfront.net/ssr-page (allows GET, HEAD, PUT, PATCH, DELETE, POST, OPTIONS). E.g. POST/DELETE will return the page itself, since there is no different behavior here for POST/DELETE.
For resources in S3:
SSG page: https://dcrrk28otqvm3.cloudfront.net/ssg-page (allows GET, HEAD; OPTIONS requires an Origin request header)
Public files: https://dcrrk28otqvm3.cloudfront.net/app-store-badge.png (allows GET, HEAD; OPTIONS requires an Origin request header)
For the above two, POST gets 405 Method Not Allowed, and PUT, PATCH, DELETE get 403 Forbidden, which should be due to the S3 bucket policy only allowing GetObject from the CloudFront distribution.
Static JS (same as before, it cannot be deleted, as the _next/static cache behavior only allows GET, HEAD): https://dcrrk28otqvm3.cloudfront.net/_next/static/chunks/framework.085e84bea8b122ad7b41.js
For comparison:
Vercel SSR page: https://nextjs-repros.vercel.app/anotherSSR (allows GET, HEAD, PUT, PATCH, DELETE, POST, OPTIONS and even more uncommon methods, since they do not use CloudFront but their own custom CDN).
Vercel SSG page: https://nextjs-repros.vercel.app/anotherSSG (allows GET, OPTIONS, HEAD)
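The safety argument in this PR is an invariant between two pieces of configuration: the default cache behavior may forward every CloudFront method to the origin only because the S3 bucket policy grants nothing but `s3:GetObject`, and only to the distribution's origin access identity, while `_next/static` stays GET/HEAD. The following is an added example, not code from serverless-next.js or from the PR author: it builds both pieces in the shape the description implies and audits them offline for the ways that invariant can break (an extra S3 action, a principal other than the OAI, a write method leaking into the static behavior). The function names, bucket name and OAI id are hypothetical sample values; the principal ARN format is the standard one for an OAI.

```javascript
// Added example, not code from serverless-next.js: models the invariant the
// PR relies on. CloudFront may forward every HTTP method to the S3 origin as
// long as the bucket policy lets only the Origin Access Identity call
// s3:GetObject. Function names, bucket name and OAI id are hypothetical.

const ALL_METHODS = ["GET", "HEAD", "OPTIONS", "PUT", "PATCH", "POST", "DELETE"];
const READ_METHODS = ["GET", "HEAD"];

// The two cache behaviors the PR text describes: the default behavior now
// allows all seven CloudFront methods; _next/static stays GET/HEAD only.
function buildDistributionBehaviors() {
  return {
    DefaultCacheBehavior: { AllowedMethods: ALL_METHODS, CachedMethods: READ_METHODS },
    CacheBehaviors: [
      { PathPattern: "_next/static/*", AllowedMethods: READ_METHODS, CachedMethods: READ_METHODS },
    ],
  };
}

// Least-privilege bucket policy: one Allow statement, one action, one principal.
function buildBucketPolicy(bucketName, oaiId) {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "CloudFrontReadOnly",
        Effect: "Allow",
        Principal: {
          AWS: `arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${oaiId}`,
        },
        Action: "s3:GetObject",
        Resource: `arn:aws:s3:::${bucketName}/*`,
      },
    ],
  };
}

// Audits a (behaviors, bucket policy) pair. Returns a list of findings; an
// empty list means forwarding PUT/PATCH/POST/DELETE through CloudFront cannot
// modify objects in the bucket, because nothing but GetObject is granted and
// only the OAI may call it.
function auditS3Exposure(behaviors, policy) {
  const findings = [];
  const forwardedWrites = behaviors.DefaultCacheBehavior.AllowedMethods.filter(
    (m) => !READ_METHODS.includes(m) && m !== "OPTIONS"
  );

  for (const st of policy.Statement) {
    if (st.Effect !== "Allow") continue;
    const sid = st.Sid || "statement";
    // Action may be a string or an array; anything beyond GetObject is reachable
    // through the write methods CloudFront now forwards.
    const nonRead = [].concat(st.Action).filter((a) => a !== "s3:GetObject");
    if (nonRead.length > 0) {
      findings.push(`${sid} grants ${nonRead.join(", ")} while CloudFront forwards ${forwardedWrites.join("/")}`);
    }
    if (st.Principal === "*" || (st.Principal && st.Principal.AWS === "*")) {
      findings.push(`${sid} is granted to everyone, not only the OAI`);
      continue;
    }
    // An OAI is named by its IAM-style ARN; an IAM user/role or account root ARN
    // here would mean something other than the distribution can read the bucket.
    const awsPrincipals = [].concat((st.Principal && st.Principal.AWS) || []);
    for (const p of awsPrincipals) {
      if (!p.includes("CloudFront Origin Access Identity")) {
        findings.push(`${sid} names a non-OAI principal: ${p}`);
      }
    }
  }

  // The PR keeps _next/static read-only; flag any behavior that widened it.
  for (const b of behaviors.CacheBehaviors) {
    if (b.PathPattern.startsWith("_next/static") && b.AllowedMethods.some((m) => !READ_METHODS.includes(m))) {
      findings.push(`${b.PathPattern} allows non-read methods: ${b.AllowedMethods.join(", ")}`);
    }
  }
  return findings;
}

// Sample run on constructed values: a clean pair, then a policy that also
// grants DeleteObject (the case the PR description says the bucket policy rules out).
const sampleBehaviors = buildDistributionBehaviors();
const goodPolicy = buildBucketPolicy("example-next-bucket", "E1EXAMPLE123");
const badPolicy = buildBucketPolicy("example-next-bucket", "E1EXAMPLE123");
badPolicy.Statement[0].Action = ["s3:GetObject", "s3:DeleteObject"];

console.log("clean config findings:", auditS3Exposure(sampleBehaviors, goodPolicy));
console.log("over-permissive policy findings:", auditS3Exposure(sampleBehaviors, badPolicy));
```

The audit is deliberately static: it does not probe the deployed distribution the way the e2e tests above do, so it can run in CI before deployment. The two checks complement each other; the probes confirm the observed 403/405 responses, the audit explains why they happen and catches a later policy change that would silently turn a forwarded DELETE into a real deletion.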