CORS pre-flight OPTIONS not working because of lowercase casting #245

Open
NicoPowers opened this issue Aug 28, 2023 · 2 comments
NicoPowers commented Aug 28, 2023

Hi all,

I just picked up lambda-api, and it seems like it's the perfect solution for my project; however, I have been struggling for hours trying to get CORS to work.

My OPTIONS pre-flight request headers are being properly sent, but they're all lower case, and it's causing my web app running in Google Chrome to not recognize it as Access-Control-Allow-Origin, as this is the error I am receiving from it:

Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I verified, with Postman, that these are the headers coming back from the pre-flight OPTIONS request:

image

However, I noticed that they're all lower case, and thus Google Chrome cannot find Access-Control-Allow-Origin.

This is how it's getting received in Google Chrome:
image

This is how I am providing CORS in my Lambda:

```typescript
// import AWS Lambda types
import { APIGatewayProxyEventV2, Context } from "aws-lambda";
// import Lambda API default function
import createAPI from "lambda-api";
import { Authorizer, Role } from "./authorizer";
import { ListProducts } from "./products/List";

// instantiate framework
const api = createAPI({});

// ************************************* CORS *************************************
api.options("/*", (req: any, res: any) => {
  // Add CORS headers
  res.header("Access-Control-Allow-Origin", "*");
  res.header("Access-Control-Allow-Methods", "*");
  res.header("Access-Control-Allow-Headers", "Content-Type, Authorization, Content-Length, X-Requested-With");
  res.sendStatus(200);
});
```

Please suggest a workaround for current version of Chrome.

Thank you!

@naorpeled
Collaborator

naorpeled commented Sep 3, 2023

Hey @NicoPowers,
sorry for the delayed response.

I've created a PR to resolve this,
it's still a WIP but hopefully will get to finishing it during this week or the weekend.
Will keep you posted.

@jub0bs

jub0bs commented Oct 27, 2023

@NicoPowers The case of headers cannot be the root cause of the issue you're experiencing, as header names are case-insensitive.

Rather, the 401 status code you're getting suggests that some auth layer is preventing preflight requests from reaching the CORS middleware. In your test with Postman, are you, by any chance, adding some auth token to your spoofed preflight request? Be aware that real preflight requests are never authenticated.
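
Added example, not part of the thread and not lambda-api code: a small simulation of the situation described in the last comment, showing that lower-case header names pass a case-insensitive lookup while an auth layer placed ahead of the CORS handler turns an unauthenticated preflight into a 401 with no CORS headers. The layer functions, the origin and the token are constructed for illustration.

```javascript
// Constructed simulation; nothing here is lambda-api code and all names are hypothetical.
// HTTP field names compare case-insensitively, so look them up that way.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}
// Simplified browser verdict on a preflight response: it needs an acceptable
// Access-Control-Allow-Origin value and a 2xx status.
function preflightVerdict(res, origin) {
  const allow = getHeader(res.headers, "Access-Control-Allow-Origin");
  if (allow === undefined) return "blocked: no Access-Control-Allow-Origin header";
  if (allow !== "*" && allow !== origin) return "blocked: origin not allowed";
  if (res.status < 200 || res.status > 299) return "blocked: status is not 2xx";
  return "allowed";
}
// Auth layer: answers 401 (without CORS headers) when no Authorization header is sent.
function requireAuth(req) {
  return getHeader(req.headers, "Authorization") === undefined ? { status: 401, headers: {} } : null;
}
// CORS layer: answers OPTIONS with lower-case header names, as seen in the issue.
function corsPreflight(req) {
  if (req.method !== "OPTIONS") return null;
  return { status: 200, headers: { "access-control-allow-origin": "*", "access-control-allow-methods": "*" } };
}
// Run the layers in order; the first one that returns a response wins.
function handle(layers, req) {
  for (const layer of layers) {
    const res = layer(req);
    if (res) return res;
  }
  return { status: 404, headers: {} };
}
const ORIGIN = "https://app.example"; // constructed origin
// What a browser sends: no Authorization header, only a request to use one later.
const realPreflight = { method: "OPTIONS", headers: { Origin: ORIGIN,
  "Access-Control-Request-Method": "GET", "Access-Control-Request-Headers": "authorization" } };
// What a hand-built test request may look like when a token is attached.
const spoofedPreflight = { method: "OPTIONS",
  headers: { ...realPreflight.headers, Authorization: "Bearer constructed-token" } };
function demo() {
  const authFirst = [requireAuth, corsPreflight];
  const corsFirst = [corsPreflight, requireAuth];
  return {
    authFirstReal: preflightVerdict(handle(authFirst, realPreflight), ORIGIN),
    authFirstSpoofed: preflightVerdict(handle(authFirst, spoofedPreflight), ORIGIN),
    corsFirstReal: preflightVerdict(handle(corsFirst, realPreflight), ORIGIN),
  };
}
console.log(demo());
```

With the auth layer first, only the hand-built request carrying a token reaches the CORS handler; letting OPTIONS through before authentication makes the real preflight pass as well.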
