Hi everyone, I'm trying to make CORS work on my A...
# help
Hi everyone, I'm trying to make CORS work on my API. I have enabled cors on it and all the routes use AWS_IAM authorization.
Copy code
cors: true,
defaultAuthorizationType: ApiAuthorizationType.AWS_IAM,
The problem is that I need to add a route that calls into a lambda in order to handle the preflight calls.
Copy code
'OPTIONS /{proxy+}': {
          function: 'src/functions/api/options.main',
          authorizationType: ApiAuthorizationType.NONE,
The lambda simply returns the proper headers:
Copy code
return {
    statusCode: 204,
    body: '',
    headers: {
      'Access-Control-Allow-Origin': '*',
      'Access-Control-Allow-Methods': '*',
      'Access-Control-Allow-Headers': '*',
It does work, but I hate the fact that I need to manage my own lambda to do CORS. Anyone here got it working without having to go through all this? I suppose there is a way to add a route to the sst.API without specifying an integration right? (I can do that using the console) Any help would be greatly appreciated.
should not require any CORS whatsoever from routes,
handles this all on it’s own.
I can confirm that my graphql route has no CORS returned and there is no
route anywhere.
Is that route public? aka is there any auth on it?
yes. a JWTAuthorizer.
I see. I had a JWTAuthorizer on it at some point too and it worked. I think it might be related to AWS_IAM auth then
possibly, I have never used it, but it would kind of make sense that you wouldnt be able to have IAM credentials in the browser…thinking that through though…
Well, I am using Cognito through amplify
and using like…an identity pool rather than the JWTs?
i have not heard of a setup like that before. I have things that are similar, but always server-side.
It is a bit new to me too.
Cognito is quite nice for user signups and signins.
I dont know about nice, but it is cheap and does the job, so long as you dont mind crappy docs and inconsistent interfaces. 😅
True that!
They got way better in the last few iterations. Used to be complete crap tbh
well, the documentation
FWIW, I just use the tried and true cognito method, with JWTs, and that works really well with the JWT authorizer. Was a super pain to setup (docs), but once its up, never touched, and I have only had to rip it down and redeploy twice due to Cognito not being able to be configured after the fact (docs misled me).
After this experience, I essentially tried to use the least cognito as I could, and that strategy has done well for me.
That's good advice
Like I said, my API works and users are getting in and all. It's just so surprising to have to implement my own OPTIONS lambda
I will look into JWTs
Last time I tried that (years ago) I couldn't figure out how to grab the cognitoId on the server-side
Its the way all the docs are written, almost nothing uses identity pools. I have some for really weird, non-user facing corner cases, but would not recommend them unless AWS says you have to use them.
I just save all the IDs, issuers, etc into
, then put them into the authorizer directly, and hand in other stuff as environment variables in CDK.
I havent ran into any issues with accessing the stuff I need.
Interesting. I will look into it for sure.