3

I've built a frontend application with Angular which uses an API backend hosted on AWS ECS, provided by AWS API Gateway.

So, this is my setup:

/user/{userId}/account/{accountId}/dashboard/{proxy+} is the endpoint on API Gateway

it's using an AWS Lambda proxy integration for the OPTIONS method, which currently only checks if the origin is allowed or not to proceed

the GET method instead uses a custom AWS Lambda authorizer within the Method Request part, then it proceeds to the Integration Request part with a VPC Link to the ECS microservice and finally goes back to the Method Response part.

Currently possible HTTP status codes are: 200, 204, 401, 500, 504 and only 204 and 504 are set here (sincerely, I don't know if it does something or not)

this is the Node.js Lambda authorizer relevant code:

const UNAUTHORIZED_STRING = "Unauthorized";
exports.handler = (event, context, callback) => {

    /* Preliminary checks here */

    const keyRequiresAuth = xApiKeyRequiresAuth(xApiKey);
    if (keyRequiresAuth) {
        // try validating using cookie
        // uses generatePolicy at the end
        userAuthentication(cookieValue, event, callback);
    } else {
        // Validate using x-api-key
        const generatedPolicy = generatePolicy(xApiKey, 'Allow', event.methodArn);
        callback(null, generatedPolicy);
    }
};

const generatePolicy = (principalId, policyEffect, resource) => {
    const authResponse = {
        principalId: principalId
    };
    if (policyEffect && resource) {
        authResponse.policyDocument = {
            Version: '2012-10-17',
            Statement: [{
                Action: 'execute-api:Invoke',
                Effect: policyEffect,
                Resource: resource
            }]
        };
    }
    return authResponse;
};

Assuming that Microservices are not setting any headers at all, the problem is, while I made it with 401 and 504 status codes by setting them as a default gateway response, how do I manage to return CORS with 204?

IMHO, I think API Gateway has the most complex system to set error responses, but, apart from that, I managed to let it return CORS with a 401 Unauthorized error

Update

I made it with HTTP status 500 as well, but by setting a default Gateway response

CapitanFindus

2 Answers

1

So, after two days of testing I came up with a solution. I mean, probably I've misunderstood something inside AWS API Gateway, but I saw that my endpoint was actually referencing a VPC Link which was pointing at my ECS microservice.

The only thing I had to do was update that microservice with CORS response headers; that fixed this issue.

CapitanFindus
-1

If you're using a proxy integration, setting CORS in API Gateway is not enough. The response from Lambda has to include the headers.

To enable CORS for the Lambda proxy integration, you must add Access-Control-Allow-Origin:domain-name to the output headers. domain-name can be * for any domain name.

source: Set up Lambda proxy integrations

reergymerej
  • pretty sure this is not true: https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-cors.html > If you configure CORS for an API, API Gateway automatically sends a response to preflight OPTIONS requests, even if there isn't an OPTIONS route configured for your API. – markmnl Jun 18 '23 at 06:58
  • Perhaps something changed in the last 3 years. The quote above is from the linked docs on AWS. – reergymerej Jul 06 '23 at 13:24
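An added example, not code from the posts above or from AWS: a Node.js Lambda proxy handler for the OPTIONS method that returns 204 with CORS headers only for allowlisted origins, echoing the origin instead of `*` because the question authenticates with a cookie. The names `ALLOWED_ORIGINS`, `corsHeaders` and `preflightResponse`, the example origins, and the 403 returned on rejection are assumptions.

```javascript
// Constructed allowlist (assumption): replace with the origins that serve your front end.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);

// API Gateway can deliver header names in any casing, so look them up case-insensitively.
const getHeader = (headers, name) => {
  const key = Object.keys(headers || {}).find((k) => k.toLowerCase() === name);
  return key ? headers[key] : undefined;
};

// Returns the CORS headers for an allowlisted origin, or null for anything else.
// Exact string match: prefix or suffix matching would accept look-alike hosts.
const corsHeaders = (origin) => {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    // Browsers reject "*" on credentialed (cookie) requests, so echo the origin.
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET,OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type,x-api-key",
    // Stops a shared cache from replaying one origin's response to another.
    Vary: "Origin",
  };
};

// Builds the Lambda proxy integration response for a preflight request.
const preflightResponse = (event) => {
  const headers = corsHeaders(getHeader(event.headers, "origin"));
  if (!headers) {
    // No Access-Control-* headers here, so the browser blocks the cross-origin call.
    return { statusCode: 403, headers: { Vary: "Origin" }, body: "" };
  }
  return { statusCode: 204, headers, body: "" };
};

// Lambda entry point for the OPTIONS method.
const handler = async (event) => preflightResponse(event);

if (typeof module !== "undefined") module.exports = { handler, corsHeaders };
```

The same `corsHeaders` result has to be merged into the GET response of whatever sits behind the proxy or VPC Link integration, since API Gateway passes that response through unchanged.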