serverless-offline
API Gateway emulation doesn't remap headers like actual API Gateway
Bug Report
API Gateway has a known issue where request headers get remapped in a case-sensitive way, whereas the HTTP specification notes that headers are case-insensitive. See:
My team discovered this issue when testing our GraphQL API against a deployed instance versus a local instance. In the local instance, we passed the header "authorization" and discovered some code paths relying on the case-sensitive naming stopped working locally. However, on the deployed instance, we saw the same header work without fail. We discovered the documentation linked above and found that API Gateway does header remapping, which this library does not currently support, so the emulation is incorrect.
Current Behavior
- Headers are just passed through as provided by the instance
Expected behavior/code
- Headers are remapped to emulate the AWS API Gateway behavior.
Environment
- serverless version: v1.78.1
- serverless-offline version: v6.5.0
- node.js version: v12.16.2
- OS: macOS 10.15.5
Possible Solution
Remap request headers to emulate the behaviors provided by the API Gateway documentation:

Header name | Request (http/http_proxy/lambda) | Response (http/http_proxy/lambda) |
---|---|---|
Age | Passthrough | Passthrough |
Accept | Passthrough | Dropped/Passthrough/Passthrough |
Accept-Charset | Passthrough | Passthrough |
Accept-Encoding | Passthrough | Passthrough |
Authorization | Passthrough | Remapped |
Connection | Passthrough/Passthrough/Dropped | Remapped |
Content-Encoding | Passthrough/Dropped/Passthrough | Passthrough |
Content-Length | Passthrough (generated based on body) | Passthrough |
Content-MD5 | Dropped | Remapped |
Content-Type | Passthrough | Passthrough |
Date | Passthrough | Remapped Overwritten |
Expect | Dropped | Dropped |
Host | 5XX/5XX/Overwritten by Lambda | Dropped |
Max-Forwards | Dropped | Remapped |
Pragma | Passthrough | Passthrough |
Proxy-Authenticate | Dropped | Dropped |
Range | Passthrough | Passthrough |
Referer | Passthrough | Passthrough |
Server | Dropped | Remapped Overwritten |
TE | Dropped | Dropped |
Transfer-Encoding | Dropped/Dropped/Exception | Dropped |
Trailer | Dropped | Dropped |
Upgrade | Dropped | Dropped |
User-Agent | Passthrough | Remapped |
Via | Dropped/Dropped/Passthrough | Passthrough/Dropped/Dropped |
Warn | Passthrough | Passthrough |
WWW-Authenticate | Dropped | Remapped |
Hey @dherault - just wondering why you closed this? Happy if the library is supporting this now or if you're thinking it's not going to be a feature of the library ever, but a reason would be nice regardless. 😉
Hi @dustinsgoodman , I closed any issue without updates in 2022 for maintenance reasons. You can reopen it if you feel the community needs it. cf. https://github.com/dherault/serverless-offline/issues/1373
Thanks @dherault and welcome back! Seems totally reasonable and I appreciate your response. I no longer work with the team that this impacted, but tagging @DuncanLewis to see if my patch is still in place for this and if it would help the team and community at large. I haven't run into this since the issue referenced but it's also been a while since I've had to do something similar.
Got a bit more info on this one. Turns out with authorizers, the `Authorization` request header gets remapped to `authorization`. @mimurawil just found this on a recent project. He can post the code since it's open sourced in a bit.
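
Handler code can avoid depending on whichever header casing the gateway or the emulator delivers by folding header names to lower case before lookup. The following is an added example, not code from this thread or from serverless-offline; `normalizeHeaders` and `bearerToken` are hypothetical names, the events are constructed, and `event.headers` is assumed to be a plain name-to-string object.

```javascript
// Added example: case-insensitive header access in a Lambda handler.
// Function names are hypothetical; sample events below are constructed.

// Fold every header name to lower case. If two keys differ only by case
// and carry different values, fail closed instead of silently picking one.
function normalizeHeaders(headers) {
  const out = Object.create(null);
  for (const [name, value] of Object.entries(headers || {})) {
    const key = name.toLowerCase();
    if (key in out && out[key] !== value) {
      throw new Error(`conflicting values for header "${key}"`);
    }
    out[key] = value;
  }
  return out;
}

// Return the bearer token no matter how the header name was cased,
// or null when the header is absent or is not a well-formed Bearer value.
function bearerToken(event) {
  const headers = normalizeHeaders(event.headers);
  const raw = headers['authorization'];
  if (typeof raw !== 'string') return null;
  const match = /^Bearer +([A-Za-z0-9._~+\/-]+=*)$/i.exec(raw.trim());
  return match ? match[1] : null;
}

// Constructed events: the same request as seen with different casing.
const lowerCased = { headers: { authorization: 'Bearer abc.def.ghi' } };
const titleCased = { headers: { Authorization: 'Bearer abc.def.ghi' } };
// Constructed edge case: both casings present with different values.
const ambiguous = {
  headers: { Authorization: 'Bearer aaa', authorization: 'Bearer bbb' },
};

console.log(bearerToken(lowerCased)); // abc.def.ghi
console.log(bearerToken(titleCased)); // abc.def.ghi
try {
  bearerToken(ambiguous);
} catch (err) {
  console.log('rejected:', err.message);
}
```

Running the same handler against both casings in a unit test catches the local-versus-deployed difference described in this issue before deployment.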