Hi everyone, I'm trying to make CORS work on my A...
# help
a
Hi everyone, I'm trying to make CORS work on my API. I have enabled cors on it and all the routes use AWS_IAM authorization.
cors: true,
defaultAuthorizationType: ApiAuthorizationType.AWS_IAM,
The problem is that I need to add a route that calls into a lambda in order to handle the preflight calls.
'OPTIONS /{proxy+}': {
  function: 'src/functions/api/options.main',
  authorizationType: ApiAuthorizationType.NONE,
},
The lambda simply returns the proper headers:
return {
  statusCode: 204,
  body: '',
  headers: {
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Methods': '*',
    'Access-Control-Allow-Headers': '*',
  },
};
It does work, but I hate the fact that I need to manage my own lambda to do CORS. Anyone here got it working without having to go through all this? I suppose there is a way to add a route to the sst.API without specifying an integration, right? (I can do that using the console.) Any help would be greatly appreciated.
d
sst.API should not require any CORS whatsoever from routes, HTTP API handles this all on its own.
I can confirm that my graphql route has no CORS returned and there is no OPTIONS route anywhere.
a
Is that route public? aka is there any auth on it?
d
yes. a JWTAuthorizer.
a
I see. I had a JWTAuthorizer on it at some point too and it worked. I think it might be related to AWS_IAM auth then
d
possibly, I have never used it, but it would kind of make sense that you wouldn't be able to have IAM credentials in the browser…thinking that through though…
a
Well, I am using Cognito through amplify
d
and using like…an identity pool rather than the JWTs?
a
exactly
d
I have not heard of a setup like that before. I have things that are similar, but always server-side.
a
It is a bit new to me too.
Cognito is quite nice for user signups and signins.
d
I don't know about nice, but it is cheap and does the job, so long as you don't mind crappy docs and inconsistent interfaces. 😅
a
True that!
They got way better in the last few iterations. Used to be complete crap tbh
well, the documentation
d
FWIW, I just use the tried and true Cognito method, with JWTs, and that works really well with the JWT authorizer. Was a super pain to set up (docs), but once it's up, never touched, and I have only had to rip it down and redeploy twice due to Cognito not being able to be configured after the fact (docs misled me).
After this experience, I essentially tried to use as little Cognito as I could, and that strategy has done well for me.
a
That's good advice
Like I said, my API works and users are getting in and all. It's just so surprising to have to implement my own OPTIONS lambda
I will look into JWTs
Last time I tried that (years ago) I couldn't figure out how to grab the cognitoId on the server-side
d
It's the way all the docs are written, almost nothing uses identity pools. I have some for really weird, non-user facing corner cases, but would not recommend them unless AWS says you have to use them.
I just save all the IDs, issuers, etc into SSM, then put them into the authorizer directly, and hand in other stuff as environment variables in CDK.
I haven't run into any issues with accessing the stuff I need.
a
Interesting. I will look into it for sure.