fix: AwsSolutions-APIG4 triggers for CORS preflight endpoints (#1816)
Fixes #1815.

Currently this PR just marks all `OPTIONS` methods as compliant. I'm not sure the best way to narrow this down to specifically CORS preflight endpoints. We could try and match the template that CDK generates through its `addCorsPreflight` method, but that won't include any custom preflight endpoints which people may be using, and any changes to the CDK template may break our checks here.

I took a look at the [MDN docs for the `OPTIONS` method](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS), and it seems like it has limited use cases outside of CORS. Perhaps we can mark them all as compliant?

Here is the CloudFormation CfnMethod template which CDK generates when using the following code:

```typescript
new apigateway.RestApi(this, 'TestRestApi', {
  restApiName: 'Test',
  defaultCorsPreflightOptions: {
    allowOrigins: apigateway.Cors.ALL_ORIGINS,
  },
});
```

```json
{
  "apiKeyRequired": false,
  "authorizationType": "NONE",
  "httpMethod": "OPTIONS",
  "integration": {
    "type": "MOCK",
    "requestTemplates": {
      "application/json": "{ statusCode: 200 }"
    },
    "integrationResponses": [
      {
        "statusCode": "204",
        "responseParameters": {
          "method.response.header.Access-Control-Allow-Headers": "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Amz-User-Agent'",
          "method.response.header.Access-Control-Allow-Origin": "'*'",
          "method.response.header.Access-Control-Allow-Methods": "'OPTIONS,GET,PUT,POST,DELETE,PATCH,HEAD'"
        }
      }
    ]
  },
  "methodResponses": [
    {
      "statusCode": "204",
      "responseParameters": {
        "method.response.header.Access-Control-Allow-Headers": true,
        "method.response.header.Access-Control-Allow-Origin": true,
        "method.response.header.Access-Control-Allow-Methods": true
      }
    }
  ],
  "resourceId": {
    "Fn::GetAtt": ["Test", "RootResourceId"]
  },
  "restApiId": {
    "Ref": "Test"
  }
}
```
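An added example (not cdk-nag's code and not part of this commit) contrasting the two approaches the message weighs: passing every `OPTIONS` method versus matching the shape of the CDK-generated preflight. It assumes a simplified model of the rule in which a method with no authorization type is non-compliant; the `MethodProps` interface, the function names and the sample methods are hypothetical.

```typescript
// Simplified stand-in for the CfnMethod properties shown in the commit message.
interface MethodProps {
  httpMethod: string;
  authorizationType?: string;
  integration?: {
    type?: string;
    integrationResponses?: { responseParameters?: Record<string, string> }[];
  };
}
type Verdict = 'COMPLIANT' | 'NON_COMPLIANT';

// Assumed model of the rule: a method needs an authorization type other than NONE.
const hasAuth = (m: MethodProps): boolean =>
  m.authorizationType !== undefined && m.authorizationType !== 'NONE';

// Broad approach (what the commit message proposes): every OPTIONS method passes.
function checkBroad(m: MethodProps): Verdict {
  if (m.httpMethod.toUpperCase() === 'OPTIONS') return 'COMPLIANT';
  return hasAuth(m) ? 'COMPLIANT' : 'NON_COMPLIANT';
}

// Narrow approach: only OPTIONS methods shaped like the CDK-generated preflight
// (MOCK integration that returns Access-Control-Allow-Origin) pass.
function looksLikeCdkPreflight(m: MethodProps): boolean {
  if (m.httpMethod.toUpperCase() !== 'OPTIONS') return false;
  if (m.integration?.type !== 'MOCK') return false;
  return (m.integration?.integrationResponses ?? []).some((r) =>
    Object.keys(r.responseParameters ?? {}).some(
      (k) => k.toLowerCase() === 'method.response.header.access-control-allow-origin',
    ),
  );
}

function checkNarrow(m: MethodProps): Verdict {
  if (looksLikeCdkPreflight(m)) return 'COMPLIANT';
  return hasAuth(m) ? 'COMPLIANT' : 'NON_COMPLIANT';
}

// Constructed sample methods (not taken from the repository).
const cdkPreflight: MethodProps = {
  httpMethod: 'OPTIONS', authorizationType: 'NONE',
  integration: { type: 'MOCK', integrationResponses: [{ responseParameters: {
    'method.response.header.Access-Control-Allow-Origin': "'*'" } }] },
};
const customPreflight: MethodProps = { // OPTIONS answered by a backend integration
  httpMethod: 'OPTIONS', authorizationType: 'NONE', integration: { type: 'AWS_PROXY' },
};
const openGet: MethodProps = { httpMethod: 'GET', authorizationType: 'NONE' };
[cdkPreflight, customPreflight, openGet].forEach((m) =>
  console.log(m.httpMethod, m.integration?.type, checkBroad(m), checkNarrow(m)));
```

The narrow check still flags the custom preflight, which is the false positive the message wants to avoid; the broad check passes any unauthenticated `OPTIONS` method whether or not it serves CORS.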