
CORS pre-flight OPTIONS not working because of lowercase casting

Open NicoPowers opened this issue 2 years ago • 2 comments

Hi all,

I just picked up lambda-api, and it seems like it's the perfect solution for my project; however, I have been struggling for hours trying to get CORS to work.

My OPTIONS pre-flight request headers are being properly sent, but they're all lower case, and it's causing my web app running in Google Chrome to not recognize it as Access-Control-Allow-Origin, as this is the error I am receiving from it:

Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I verified, with Postman, that these are the headers coming back from the pre-flight OPTIONS request:

image

However, I noticed that they're all lower case, and thus Google Chrome cannot find Access-Control-Allow-Origin.

This is how it's getting received in Google Chrome: image

This is how I am providing CORS in my Lambda:

// import AWS Lambda types
import { APIGatewayProxyEventV2, Context } from "aws-lambda";
// import Lambda API default function
import createAPI from "lambda-api";
import { Authorizer, Role } from "./authorizer";
import { ListProducts } from "./products/List";

// instantiate framework
const api = createAPI({});

// ************************************* CORS *************************************
api.options("/*", (req: any, res: any) => {
  // Add CORS headers
  res.header("Access-Control-Allow-Origin", "*");
  res.header("Access-Control-Allow-Methods", "*");
  res.header("Access-Control-Allow-Headers", "Content-Type, Authorization, Content-Length, X-Requested-With");
  res.sendStatus(200);
});

Please suggest a workaround for current version of Chrome.

Thank you!

NicoPowers avatar Aug 28 '23 01:08 NicoPowers

Hey @NicoPowers, sorry for the delayed response.

I've created a PR to resolve this. It's still a WIP, but hopefully I will get to finishing it during this week or the weekend. Will keep you posted.

naorpeled avatar Sep 03 '23 19:09 naorpeled

@NicoPowers The case of headers cannot be the root cause of the issue you're experiencing, as header names are case-insensitive.

Rather, the 401 status code you're getting suggests that some auth layer is preventing preflight requests from reaching the CORS middleware. In your test with Postman, are you, by any chance, adding some auth token to your spoofed preflight request? Be aware that real preflight requests are never authenticated.

jub0bs avatar Oct 27 '23 10:10 jub0bs
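
The diagnosis in the last comment, as an added example that is not part of the thread and is not lambda-api code: a small model of a handler in which an auth check runs either before or after the preflight route, plus a simplified browser-side preflight check that looks headers up case-insensitively. The event shape, function names, `Bearer` check and `https://app.example.com` origin are assumptions made for the illustration.

```javascript
// Added example, not lambda-api code. Events are constructed samples shaped
// like API Gateway HTTP API (payload v2) events; all names are hypothetical.

// Header names are case-insensitive, so compare them lower-cased.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  const hit = Object.entries(headers || {}).find(([k]) => k.toLowerCase() === wanted);
  return hit ? hit[1] : undefined;
}

// A CORS preflight is OPTIONS carrying Origin and Access-Control-Request-Method.
function isPreflight(event) {
  return event.requestContext.http.method === "OPTIONS" &&
    getHeader(event.headers, "Origin") !== undefined &&
    getHeader(event.headers, "Access-Control-Request-Method") !== undefined;
}

// Stand-in for the real token check (assumption: any Bearer token passes).
function isAuthenticated(event) {
  return /^Bearer \S+$/.test(getHeader(event.headers, "Authorization") || "");
}

// authFirst=true models an auth layer that runs before the CORS route.
function handle(event, authFirst) {
  if (authFirst && !isAuthenticated(event)) return { statusCode: 401, headers: {} };
  if (isPreflight(event)) {
    return { statusCode: 200, headers: {            // lower-cased on purpose
      "access-control-allow-origin": "*",
      "access-control-allow-methods": "*",
      "access-control-allow-headers": "Content-Type, Authorization",
    } };
  }
  if (!isAuthenticated(event)) return { statusCode: 401, headers: {} };
  return { statusCode: 200, headers: { "access-control-allow-origin": "*" } };
}

// Simplified version of the browser's preflight check: 2xx status plus a
// matching Access-Control-Allow-Origin, looked up case-insensitively.
function preflightPasses(response, origin) {
  const allow = getHeader(response.headers, "Access-Control-Allow-Origin");
  return response.statusCode >= 200 && response.statusCode < 300 &&
    (allow === "*" || allow === origin);
}

// Constructed preflight as a browser sends it: no Authorization header.
const preflight = {
  requestContext: { http: { method: "OPTIONS" } },
  headers: { origin: "https://app.example.com", "access-control-request-method": "GET" },
};
```

With `authFirst` set, the token-less preflight gets a 401 with no CORS headers and the check fails; the same request with a token added by hand, as a manual client might send it, gets through, which is why such a test can hide the problem.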