New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added Access-Control-Allow-Credentials for CORS settings fixes #2182 #2736
Conversation
Thanks a lot for picking this one up @asprouse !!! |
@asprouse and @fruffin thanks for opening this PR! 👍 💯 Looks good from a code design perspective. Haven't tested it thoroughly yet (will do this next up). FYI: Just pushed some minor updates because some docs were accidentally removed. |
@@ -535,6 +535,7 @@ functions: | |||
- Authorization | |||
- X-Api-Key | |||
- X-Amz-Security-Token | |||
allowCredentials: true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need more documentation here? Or is this sufficient as it's only a simple config parameter?
/cc @eahefnawy
Shame this missed the 1.3 release, is it on the roadmap for a release soon?? |
Just brought my fork up to date and fixed merge conflicts. @pmuens I think the docs are sufficient. Let me know if there is anything else missing. |
@asprouse @fruffin I'm feeling very sorry and bad about that. This PR was in a good state when I reviewed it. Thank you for all your time you've put into this one 🥇 (and sorry again for the slow response)... I'll put this PR in the next milestone v1.6 so that we can get it in an upcoming release soon. |
It would make reviewing this a lot easier if you would rebase your changes instead of merging. Can you do a (replace upstream/origin with whatever your remotes are) |
@dougmoscrop I just cloned a fresh copy of master and applied the single commit. A lot changes in 2 months 😉 . Hopefully this helps with the review |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@asprouse thanks for rebasing this (and thanks @dougmoscrop for providing a description on how to do this) 👍 💯
I looked into it today and played around with it. I can see the header in the Method Responses in the API Gateway dashboard and furthermore see it in the CloudFormation output.
Could you maybe provide a quick description how this can be validated more thoroughly (with different settings) with a Serverless service (for both integration types)? This would make reviewing this way easier.
Thanks in advance!
@pmuens The integration type does not matter. Preflight requests are implemented as type Scenario 1
Scenario 2
Scenario 3
The unit tests should verify these cases. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@asprouse thanks for the detailed test cases! Really helped me to test this thoroughly! 👍
I just added two minor comments which tackle the default setup of allowCredentials
.
Furthermore it would be great if you could add a short section in the CORS docs for API Gateway so that this feature is documented.
After that it's GTM from my side
For everyone else. Here's the serverless.yml
file I used to test this feature:
service: service
provider:
name: aws
runtime: nodejs4.3
cfLogs: true
functions:
hello:
handler: handler.hello
events:
- http:
method: GET
path: hello
integration: LAMBDA
cors:
origins:
- '*'
headers:
- Content-Type
- X-Amz-Date
- Authorization
- X-Api-Key
- X-Amz-Security-Token
allowCredentials: false
goodbye:
handler: handler.goodbye
events:
- http: GET goodbye
And here's a screenshot of the integration response.
@@ -55,16 +55,19 @@ describe('#compileCors()', () => { | |||
origins: ['*'], | |||
headers: ['*'], | |||
methods: ['OPTIONS', 'PUT'], | |||
allowCredentials: false, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we remove this setup so that we test that it defaults to false
?
Then we have one test w/o any allowCredentials
setup, one which tests if it's set to true
and one which tests if it's set to false
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The code in validate.js applies the default so there is no default logic to test here. compileCors
operates on the validated input (see cors.js). I am just following the convention established in the existing code.
@@ -401,6 +401,7 @@ describe('#validate()', () => { | |||
headers: ['Content-Type', 'X-Amz-Date', 'Authorization', 'X-Api-Key', 'X-Amz-Security-Token'], | |||
methods: ['OPTIONS', 'POST'], | |||
origins: ['*'], | |||
allowCredentials: false, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we do the same like proposed above (for the other test) and remove this configuration so that we test for the default case (which should set allowCredentials
to false
).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is correct validate should default to false.
@pmuens I just improved the docs. Should be good let me know if there is anything else. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the updates @asprouse and for the PR in general!
GTM from my side!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@asprouse Thanks for this PR and the thorough validation/testing steps. Couldn't break it! G2M! 💥
What did you implement:
Closes #2182
How did you implement it:
Added an
allowCredentials
(defaults to false) setting to thecors
config which determines whether or notAccess-Control-Allow-Credentials
will be set to true or false in the mock OPTIONS request that is configured by the existingcors
configuration.The original fix was implemented by @fruffin then the codebase changed significantly so I applied the same changes to the new code. I don't mean to step on toes, just trying to lend a helping hand @fruffin deserves most of the credit here.
How can we verify it:
Run unit tests.
Toggle settings in the config and verify the changes are reflected in the CloudFormation template.
Todos:
Is this ready for review?: YES