event-gateway-sdk

CORS is getting set for wrong path

Open mpadmaraj opened this issue 6 years ago • 4 comments

I was setting up CORS for my POST endpoint /send/message. Initially I tried with cors:true, but what I found was that it was not setting OPTIONS in allowedMethods. So, at the suggestion of @alexdebrie, I used the configuration below:

sendMessage:
    handler: handler.send
    events:
      - eventgateway:
          type: sync
          eventType: http.request
          path: /send/message
          method: POST
          cors:
            origins: 
              - "*"
            methods:
              - GET
              - POST
              - OPTIONS
            headers:
              - Content-Type
              - Authorization
            allowCredentials: true

Now when I hit the config endpoint:

curl -X GET https://config.slsgateway.com/v1/spaces/padmaraj-appmail/cors -H 'Authorization: Bearer '

{
  "cors": [
    {
      "space": "padmaraj-appmail",
      "corsId": "POST%2Fpadmaraj-appmail%2Fsend%2Fmessage",
      "method": "POST",
      "path": "/tenant-app/send/message",
      "allowedOrigins": [
        "*"
      ],
      "allowedMethods": [
        "GET",
        "POST",
        "OPTIONS"
      ],
      "allowedHeaders": [
        "Content-Type",
        "Authorization"
      ],
      "allowCredentials": true,
      "metadata": {
        "service": "send-notification",
        "stage": "dev"
      }
    }
  ]
}

The path for which CORS is set is /tenant-app/send/message, while the URL that is configured on the gateway (which I was able to hit to get results) is /send/message. I have 2 questions:

  1. Is there a way to make CORS: true include the OPTIONS method also?
  2. How can I tweak the above configuration so that it sets the path without the tenant and the app name? Any help is highly appreciated!

mpadmaraj, Jul 19 '18 13:07

Hey @mpadmaraj, good questions. Responses below:

  1. The default CORS settings (with cors: true) do not include OPTIONS for now. It's something I'll discuss with @mthenw going forward.

  2. Internally, the Event Gateway includes your space (<tenant>-<app>) in its path. However, it should not affect you when you're actually making HTTP calls. Your tenant and app will be extracted from the subdomain when you make a request to the Event Gateway:

https://padmaraj-appmail.slsgateway.com/send/message --> /padmaraj-appmail/send/message

Let me know if that answers your question. Also, could you revoke the Access Key and generate a new one since it's been posted in this issue?

alexdebrie, Jul 19 '18 14:07

Apologies for posting the key. I have deleted it from my comments above and also revoked it. OPTIONS was not getting the Access-Control-Allow-Origin header; that was the reason I was thinking the path could be the issue. I tried to remove and re-deploy a couple of times but that did not help.

mpadmaraj, Jul 19 '18 16:07

No worries, it happens 😄

Are you making an OPTIONS request directly, or doing it as part of the CORS preflight request?

alexdebrie, Jul 19 '18 16:07

I had tried both. First, from JavaScript, I tried to POST. Then I tried to hit OPTIONS from Postman. This is what is getting printed in the browser console:

Failed to load https://padmaraj-appmail.slsgateway.com/send/message: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:5500' is therefore not allowed access.

I tried with my local IP but that did not work either.

I then tried a POST request from JSFiddle and that worked!

Curious to know what exactly the CORS filter does and whether it has some kind of rules.

For now I will test by pushing this to S3.

mpadmaraj, Jul 20 '18 05:07
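
On the question of what rules apply: the sketch below is an added example, not part of the thread and not Event Gateway code. It models the checks a browser runs on a preflight response under the Fetch standard, including the rule that a wildcard origin is rejected on credentialed requests. The function name, the request/response object shapes and the sample values are constructed, and the `fromRule` headers are an assumption about what a server would send if it emitted the rule from the issue verbatim.

```javascript
// Added example (hypothetical names): browser-side preflight checks per the Fetch standard.
const SAFE_METHODS = ["GET", "HEAD", "POST"];
const list = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);

// req: { origin, method, headers: [non-safelisted names], credentials: bool }
// res: { status, headers: { "lower-cased-name": value } }
// Returns the reasons a browser would block the request; [] means it passes.
function preflightFailures(req, res) {
  const fails = [];
  const h = res.headers;
  if (res.status < 200 || res.status > 299) fails.push("preflight status is not 2xx");
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) {
    fails.push("no Access-Control-Allow-Origin header");
  } else if (acao === "*") {
    if (req.credentials) fails.push("wildcard origin rejected for credentialed request");
  } else if (acao !== req.origin) {
    fails.push("Access-Control-Allow-Origin does not match the request origin");
  }
  if (req.credentials && h["access-control-allow-credentials"] !== "true") {
    fails.push("Access-Control-Allow-Credentials is not 'true'");
  }
  const methods = list(h["access-control-allow-methods"]);
  const methodOk = SAFE_METHODS.includes(req.method) || methods.includes(req.method) ||
    (!req.credentials && methods.includes("*"));
  if (!methodOk) fails.push(`method ${req.method} not allowed`);
  const allowed = list(h["access-control-allow-headers"]).map((s) => s.toLowerCase());
  for (const name of req.headers.map((s) => s.toLowerCase())) {
    // "*" never covers Authorization and is taken literally on credentialed requests
    const viaWildcard = !req.credentials && allowed.includes("*") && name !== "authorization";
    if (!allowed.includes(name) && !viaWildcard) fails.push(`header ${name} not allowed`);
  }
  return fails;
}

// Constructed request: a JSON POST with Authorization from the origin in the thread.
const request = { origin: "http://127.0.0.1:5500", method: "POST",
  headers: ["Content-Type", "Authorization"], credentials: false };
// Constructed responses: no CORS headers at all, and the assumed rule-derived headers.
const bare = { status: 200, headers: {} };
const fromRule = { status: 200, headers: {
  "access-control-allow-origin": "*",
  "access-control-allow-methods": "GET, POST, OPTIONS",
  "access-control-allow-headers": "Content-Type, Authorization",
  "access-control-allow-credentials": "true" } };
for (const [label, req, res] of [["bare", request, bare], ["rule", request, fromRule],
  ["rule+credentials", { ...request, credentials: true }, fromRule]]) {
  console.log(label, preflightFailures(req, res));
}
```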