Pass allowCredentials directive to method and integration response (#7575) #7576
Conversation
@ThomasAribart what cookies does the browser need access to and why?
@BenEllerby I'm using cross-domain authenticated HTTP requests from a client (front-end) to a private API, with an authentication bearer token provided in the Authorization header (no cookie). It is not the cookie but the request response that is blocked from the browser: "When a request's credentials mode is include, browsers will only expose the response to frontend JavaScript code if the Access-Control-Allow-Credentials value is true. For a CORS request with credentials, in order for browsers to expose the response to frontend JavaScript code, both the server (using the Access-Control-Allow-Credentials header) and the client (by setting the credentials mode for the XHR, Fetch, or Ajax request) must indicate that they're opting in to including credentials." Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
@ThomasAribart thanks for this fix! Please see the minor suggestions I proposed, and we'll be happy to take it
      _.merge(integrationResponseHeaders, {
        'Access-Control-Allow-Credentials': `'${http.cors.allowCredentials}'`,
      });
Let's use plain JavaScript, and literally assign "true", as it's a boolean value
integrationResponseHeaders['Access-Control-Allow-Credentials'] = "true"
Additionally it'll be good to have some regression test, or even integration test. e.g. we have one that confirms on CORS in HTTP API integration: serverless/tests/integration-all/http-api/tests.js, lines 155 to 164 in 2e56dea
We may add a similar one when testing API Gateway: https://github.com/serverless/serverless/blob/2e56dea5652540cf5d82c9d35a999c8c921fa020/tests/integration-all/api-gateway/tests.js
Thanks @medikoo, I took your feedback! Let me know if it's okay for you 👍
@ThomasAribart great, thanks for the update! We're nearly there, please see my few style improvement suggestions
      _.merge(integrationResponseHeaders, {
        'Access-Control-Allow-Credentials': "'true'",
      });
Let's use plain JS as:
integrationResponseHeaders['Access-Control-Allow-Credentials'] = 'true'
      _.merge(methodResponseHeaders, {
        'Access-Control-Allow-Credentials': "'true'",
      });
Same here
      // Only set Access-Control-Allow-Credentials when explicitly allowed (omit if false)
      if (http.cors.allowCredentials) {
        _.merge(integrationResponseHeaders, {
          'Access-Control-Allow-Credentials': "'true'",
While by spec, any value makes it truthy, let's set up the header without quotes, so 'true' and not "'true'"
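As an added illustration of two points raised above (the MDN quote in the first comment, and the reviewer's request that the header value be the bare string true rather than "'true'"), here is a small example that is not part of this PR or of the serverless code base. buildCorsResponseHeaders is a hypothetical helper that turns an allowCredentials-style config into the plain HTTP response headers a browser would see (it does not model API Gateway response-parameter quoting), and isResponseExposedToScript reproduces the browser-side CORS check from the Fetch specification, so one can confirm that a credentialed response lacking the header, or carrying a quoted value, is not exposed to frontend JavaScript. The origin value is a constructed sample.

```javascript
// Added example, not code from the serverless project. buildCorsResponseHeaders and
// isResponseExposedToScript are hypothetical helpers written for this illustration.

// Build the plain HTTP CORS headers an API response should carry for a
// `cors` event configuration. Only HTTP-level values are produced here
// (no API Gateway response-parameter quoting); this is what a browser sees.
function buildCorsResponseHeaders(cors) {
  const { origin = '*', allowCredentials = false, headers = [] } = cors;

  // Browsers reject a credentialed response whose allowed origin is "*",
  // so fail early instead of deploying a configuration that can never work.
  if (allowCredentials === true && origin === '*') {
    throw new Error(
      'allowCredentials: true requires an explicit origin; browsers block ' +
        'credentialed responses that carry Access-Control-Allow-Origin: *'
    );
  }

  const result = { 'Access-Control-Allow-Origin': origin };
  if (headers.length > 0) {
    result['Access-Control-Allow-Headers'] = headers.join(',');
  }
  // Emit the header only when explicitly allowed, and with the literal,
  // unquoted, lower-case value "true": the only value browsers accept.
  if (allowCredentials === true) {
    result['Access-Control-Allow-Credentials'] = 'true';
  }
  return result;
}

// Browser-side CORS check (Fetch spec, "CORS check") for a response to a
// request from `requestOrigin` made with the given credentials mode
// ("omit", "same-origin" or "include"). Returns true when frontend JavaScript
// would be allowed to read the response.
function isResponseExposedToScript(requestOrigin, credentialsMode, responseHeaders) {
  // Header names are case-insensitive; normalise them once.
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = value;
  }

  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) return false;
  // A wildcard is enough for non-credentialed requests only.
  if (credentialsMode !== 'include' && allowOrigin === '*') return true;
  // Otherwise the allowed origin must match the requesting origin exactly
  // ("*" fails this comparison, which is why it cannot be used with credentials).
  if (allowOrigin !== requestOrigin) return false;
  if (credentialsMode !== 'include') return true;
  // Credentialed request: the header must be present with the exact value
  // "true". Anything else ("True", "'true'", "1", absent) blocks the response.
  return h['access-control-allow-credentials'] === 'true';
}

// Constructed walk-through of the situation in #7575: the preflight response
// carries the header, but the response to the subsequent request does not.
const FRONTEND_ORIGIN = 'https://app.example.com'; // constructed sample origin

function demonstrate() {
  const good = buildCorsResponseHeaders({ origin: FRONTEND_ORIGIN, allowCredentials: true });
  const headerMissing = { 'Access-Control-Allow-Origin': FRONTEND_ORIGIN };
  const quoted = { ...good, 'Access-Control-Allow-Credentials': "'true'" };
  return {
    fixed: isResponseExposedToScript(FRONTEND_ORIGIN, 'include', good), // true
    missingHeader: isResponseExposedToScript(FRONTEND_ORIGIN, 'include', headerMissing), // false
    quotedValue: isResponseExposedToScript(FRONTEND_ORIGIN, 'include', quoted), // false
  };
}

console.log(demonstrate());
```

The check function is the useful part for verification: run it against the headers your deployed API actually returns to the non-preflight request, with credentials mode "include", and it tells you whether the browser would hand the body to your code.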
@medikoo Done 👌
Thank you @ThomasAribart !
What did you implement

Closes #7575

Pass down allowCredentials directive to method and integration responses: enable browsers to read the request subsequent to the OPTIONS request without having to additionally specify the Access-Control-Allow-Credentials header.

How can we verify it

The Access-Control-Allow-Credentials header should be configured in the method and integration responses. Inside a browser, the same header should be present in the responses, not only to the preflight request but also to the subsequent request.

Todos

Useful Scripts

npm run test:ci --> Run all validation checks on proposed changes
npm run lint:updated --> Lint all the updated files
npm run lint:fix --> Automatically fix lint problems (if possible)
npm run prettier-check:updated --> Check if updated files adhere to Prettier config
npm run prettify:updated --> Prettify all the updated files

Is this ready for review?: YES
Is it a breaking change?: NO