Added Access-Control-Allow-Credentials for CORS settings fixes #2182

[asprouse]

What did you implement:

Closes #2182

How did you implement it:

Added an allowCredentials (defaults to false) setting to the cors config which determines whether or not Access-Control-Allow-Credentials will be set to true or false in the mock OPTIONS request that is configured by the existing cors configuration.

The original fix was implemented by @fruffin then the codebase changed significantly so I applied the same changes to the new code. I don't mean to step on toes, just trying to lend a helping hand @fruffin deserves most of the credit here.

How can we verify it:

Run unit tests.

Toggle settings in the config and verify the changes are reflected in the CloudFormation template.

Todos:

• Write tests
• Write documentation
• Fix linting errors
• Make sure code coverage hasn't dropped
• Provide verification config/commands/resources
• Enable "Allow edits from maintainers" for this PR
• Change ready for review message below

Is this ready for review?: YES

[fruffin]

Thanks a lot for picking this one up @asprouse !!!
I have to say I felt a bit demotivated seeing how much the code had changed all of a sudden and I'm glad someone else took the time to port the change to the new code :)

[pmuens]

@asprouse and @fruffin thanks for opening this PR! 👍 💯

Looks good from a code design perspective. Haven't tested it thoroughly yet (will do this next up).
@eahefnawy could you also take a look at this one?

FYI: Just pushed some minor updates because some docs were accidentally removed.

[pmuens]

Do we need more documentation here? Or is this sufficient as it's only a simple config parameter?

/cc @eahefnawy

[str3tch]

Shame this missed the 1.3 release, is it on the roadmap for a release soon??

[asprouse]

Just brought my fork up to date and fixed merge conflicts. @pmuens I think the docs are sufficient. Let me know if there is anything else missing.

[fruffin]

@pmuens it's been over a month since that PR has been opened and over 2 months since my original PR for this. As you can see @asprouse already had to make a few changes to keep it up to date with other serverless changes. Any chance this could be reviewed/merged soon?

[pmuens]

@asprouse @fruffin I'm feeling very sorry and bad about that. This PR was in a good state when I reviewed it.

Thank you for all your time you've put into this one 🥇 (and sorry again for the slow response)...

I'll put this PR in the next milestone v1.6 so that we can get it in an upcoming release soon.

[dougmoscrop]

It would make reviewing this a lot easier if you would rebase your changes instead of merging. Can you do a git pull --rebase [upstream] master and then git push -f [origin] master

(replace upstream/origin with whatever your remotes are)

[asprouse]

@dougmoscrop I just cloned a fresh copy of master and applied the single commit. A lot changes in 2 months 😉 . Hopefully this helps with the review

[pmuens]

@asprouse thanks for rebasing this (and thanks @dougmoscrop for providing a description on how to do this) 👍 💯

I looked into it today and played around with it. I can see the header in the Method Responses in the API Gateway dashboard and furthermore see it in the CloudFormation output.

Could you maybe provide a quick description how this can be validated more thoroughly (with different settings) with a Serverless service (for both integration types)? This would make reviewing this way easier.

Thanks in advance!

[asprouse]

@pmuens The integration type does not matter. Preflight requests are implemented as type MOCK in API Gateway and will be the same regardless of whether you're Lambda Proxy or not. Here are the scenarios that should work properly: (Almost identical to the steps @fruffin provided in his PR)

Scenario 1

• Start a project with a function responding to an API Gateway event
• Enable CORS with the old configuration
• Deploy
• Verify that the preflight request has the Access-Control-Allow-Credentials header set to false

Scenario 2

• Start a project with a function responding to an API Gateway event
• Enable CORS with the old configuration
• Add the allowCredentials configuration element to CORS section of the API Gateway event and set it to true
• Deploy
• Verify that the preflight request has the Access-Control-Allow-Credentials header set to true

Scenario 3

• Start a project with a function responding to an API Gateway event
• Enable CORS with the old configuration
• Add the allowCredentials configuration element to CORS section of the API Gateway event and set it to false
• Deploy
• Verify that the preflight request has the Access-Control-Allow-Credentials header set to false

The unit tests should verify these cases.

[pmuens]

@asprouse thanks for the detailed test cases! Really helped me to test this thoroughly! 👍

I just added two minor comments which tackle the default setup of allowCredentials.

Furthermore it would be great if you could add a short section in the CORS docs for API Gateway so that this feature is documented.

After that it's GTM from my side

For everyone else. Here's the serverless.yml file I used to test this feature:

service: service

provider:
  name: aws
  runtime: nodejs4.3
  cfLogs: true

functions:
  hello:
    handler: handler.hello
    events:
      - http:
          method: GET
          path: hello
          integration: LAMBDA
          cors:
            origins:
              - '*'
            headers:
              - Content-Type
              - X-Amz-Date
              - Authorization
              - X-Api-Key
              - X-Amz-Security-Token
            allowCredentials: false
  goodbye:
    handler: handler.goodbye
    events:
      - http: GET goodbye

And here's a screenshot of the integration response.

[pmuens]

Could we remove this setup so that we test that it defaults to false?

Then we have one test w/o any allowCredentials setup, one which tests if it's set to true and one which tests if it's set to false.

[asprouse]

The code in validate.js applies the default so there is no default logic to test here. compileCors operates on the validated input (see cors.js). I am just following the convention established in the existing code.

[pmuens]

Could we do the same like proposed above (for the other test) and remove this configuration so that we test for the default case (which should set allowCredentials to false).

[asprouse]

This is correct validate should default to false.

[asprouse]

@pmuens I just improved the docs. Should be good let me know if there is anything else.

[pmuens]

Thanks for the updates @asprouse and for the PR in general!

GTM from my side!

[eahefnawy]

@asprouse Thanks for this PR and the thorough validation/testing steps. Couldn't break it! G2M! 💥