After implementing an API gateway in front of my App Engine instances, I got a problem stating that the request was blocked because of the CORS header. After searching online I found out that API Gateway doesn't provide a way to set the CORS policy; however, it also "overwrites" the header sent by my single back-end application. Do I need to implement a load balancer to set an additional header, or is there a way to avoid the overwrite?

Example of API:

paths:
  "/login":
    post:
      description: "Login into the service"
      operationId: "login"
      x-google-backend:
        address: https://project-id.oa.r.appspot.com/api/v1/login
      produces:
      - "application/json"
      responses:
        200:
          description: "Projects retrieved successfully"
          schema:
            $ref: "#/definitions/access_token"
        401:
          description: "Wrong password"
          schema:
            type: "string"
        404:
          description: "User not exists"
          schema:
            type: "string"
      parameters:
      - in: body
        name: user
        description: The user to create.
        schema:
          type: object
          required:
            - userName
          properties:
            userName:
              type: string
            firstName:
              type: string
            lastName:
              type: string
Jofre
AndreaCostanzo1

1 Answer

After a lot of trials, I found a simpler solution than implementing a load balancer in front of the gateway:

To use the CORS headers provided by the back-end application, it is enough to add an OPTIONS request to the API to avoid headers being overwritten. So, given the login API, I just need to add the request like this:

paths:
  "/login":
    post:
      description: "Login into the service"
      operationId: "login"
      x-google-backend:
        address: https://project-id.oa.r.appspot.com/api/v1/login
      produces:
      - "application/json"
      responses:
        200:
          description: "Projects retrieved successfully"
          schema:
            $ref: "#/definitions/access_token"
        401:
          description: "Wrong password"
          schema:
            type: "string"
        404:
          description: "User not exists"
          schema:
            type: "string"
      parameters:
      - in: body
        name: user
        description: The user to create.
        schema:
          type: object
          required:
            - userName
          properties:
            userName:
              type: string
            firstName:
              type: string
            lastName:
              type: string
    options:
      description: "Cors associated request to login"
      operationId: "login cors"
      x-google-backend:
        address: https://project-id.oa.r.appspot.com/api/v1/login
      responses:
        200:
          description: "Allow"
        401:
          description: "Cors not allowed"
Jofre
AndreaCostanzo1

Great solution, works like a charm! One extra addition for the people that need to bypass the CORS via GET request instead of POST. Make sure to also add your parameters in the options structure. Else the YAML won't be valid. – Robert Dec 28 '21 at 10:21
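
A small lint for the approach in the answer and the comment above, added here as an example and not part of the original posts: it flags paths in an OpenAPI 2 gateway spec that have no `options` operation routed to a backend, or whose `options` operation omits a parameter named in the path template. The spec dict, the `/projects/{projectId}` and `/logout` paths and the function names are constructed for illustration; it assumes `x-google-backend` is set per operation, as in the spec on the page, and reads the comment's "parameters" as path-template parameters.

```python
import re

METHODS = {"get", "put", "post", "delete", "patch", "head"}

def declared_path_params(operation, path_item):
    """Names of `in: path` parameters on the operation or its path item."""
    params = path_item.get("parameters", []) + operation.get("parameters", [])
    return {p.get("name") for p in params if p.get("in") == "path"}

def lint_preflight(spec):
    """Return sorted (path, problem) pairs for paths missing a usable OPTIONS operation."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        if not METHODS & set(item):
            continue  # no operations defined on this path
        options = item.get("options")
        if options is None:
            findings.append((path, "no options operation"))
            continue
        # Assumption: the backend is set per operation, as in the spec on the page.
        if "x-google-backend" not in options:
            findings.append((path, "options has no x-google-backend"))
        templated = set(re.findall(r"\{([^}]+)\}", path))
        for name in sorted(templated - declared_path_params(options, item)):
            findings.append((path, f"options lacks path parameter '{name}'"))
    return sorted(findings)

# Constructed sample input: /login follows the answer; the other two paths are hypothetical.
BACKEND = "https://project-id.oa.r.appspot.com/api/v1"
PROJECT_ID = {"in": "path", "name": "projectId", "required": True, "type": "string"}
SAMPLE_SPEC = {"paths": {
    "/login": {
        "post": {"operationId": "login", "x-google-backend": {"address": BACKEND + "/login"}},
        "options": {"operationId": "login cors", "x-google-backend": {"address": BACKEND + "/login"}},
    },
    "/projects/{projectId}": {
        "get": {"operationId": "getProject", "parameters": [PROJECT_ID],
                "x-google-backend": {"address": BACKEND + "/projects"}},
        "options": {"operationId": "getProjectCors",
                    "x-google-backend": {"address": BACKEND + "/projects"}},
    },
    "/logout": {
        "post": {"operationId": "logout", "x-google-backend": {"address": BACKEND + "/logout"}},
    },
}}

if __name__ == "__main__":
    for path, problem in lint_preflight(SAMPLE_SPEC):
        print(f"{path}: {problem}")
```

Running the same check against the spec in CI before deploying the gateway config catches a newly added path that was left without its `options` operation.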