Chalice: Authorized routes with CORs

Created on 30 Oct 2019 · 7 Comments · Source: aws/chalice

First off, thank you for creating and maintaining this library! It has been a real joy to use.

The issue I'm having is there doesn't seem to be an easy way to create an unauthenticated CORs preflight route for an authenticated route, e.g. if you create a route with the following:

@app.route('/', authorizer=authorizer, cors=True)
def index():
    pass

You end up having an authenticated CORs preflight route—this doesn't seem like very good practice, or at least it's not very ergonomic when writing a frontend to talk to this API.

The only workaround I've found to support unauthenticated preflight OPTIONS routes on authenticated routes is to create my own OPTIONS routes and respond to the preflight requests manually.

To make this a little more bearable, I created a utility function to automate this process a bit:

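from chalice import Response

# ALLOWED_ORIGINS is assumed to be defined elsewhere in the app as a
# collection of allowed origin strings.

def create_cors_routes(app, route, methods=('GET',)):
    def cors_route(*args, **kwargs):
        request = app.current_request
        headers = {
            # The header name is plural: Access-Control-Allow-Methods.
            'Access-Control-Allow-Methods': ','.join(methods),
            'Access-Control-Allow-Headers': 'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token',
            # The response depends on the request's Origin header.
            'Vary': 'Origin'
        }
        origin = request.headers.get('origin', '')
        # Access-Control-Allow-Origin takes a single origin, so echo the
        # caller's origin only when it is on the allowlist.
        if origin in ALLOWED_ORIGINS:
            headers.update({ 'Access-Control-Allow-Origin': origin })
        return Response(
            body=None,
            headers=headers
        )
    # Register the handler for unauthenticated OPTIONS preflight requests.
    app.route(route, methods=['OPTIONS'])(cors_route)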

Once the utility function is in place, it can be used like the following:

create_cors_routes(app, '/resource', methods=['GET', 'POST'])
create_cors_routes(
    app,
    '/resource/{id}',
    methods=['GET', 'PUT', 'PATCH', 'DELETE']
)

Is there a better way to do this / can the CORSConfig be extended to allow for unauthenticated preflight routes?

feature-request

All 7 comments

The above example will work (to some extent), but when working with the API via the browser, CORs headers must also be returned from all requests. Browsing through the Chalice codebase, there doesn't seem to be an obvious way to send CORs headers under all of the following conditions:

  1. OPTIONS preflight requests—especially on otherwise authorized routes.
  2. Returning CORs headers on regular route execution.
  3. Returning CORs headers on authorization error (before it gets to the route) or other manually raised errors.
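
Editor's added example, not part of the thread and not Chalice code: a framework-neutral sketch of building CORS headers from an origin allowlist for the three cases listed above. The origins, `cors_headers`, `with_cors` and `get_resource` are constructed for illustration, and the wrapper only covers errors raised inside the handler; a rejection made by an authorizer before the function runs never reaches it.

```python
# Constructed allowlist; replace with the origins of your own front ends.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})
ALLOWED_HEADERS = "Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token"


def cors_headers(request_headers, methods=None):
    """Build CORS headers for one response.

    methods=None  -> actual (non-preflight) response, including error responses.
    methods=[...] -> OPTIONS preflight response for a route allowing those methods.
    """
    # Header names are case-insensitive, so normalise before the lookup.
    lowered = {k.lower(): v for k, v in request_headers.items()}
    origin = lowered.get("origin", "")
    # Vary on Origin so a shared cache never serves one origin's answer to another.
    headers = {"Vary": "Origin"}
    if origin not in ALLOWED_ORIGINS:
        # Missing, "null" or unlisted origin: emit no Access-Control-* headers.
        return headers
    # Exactly one origin is allowed in this header, never a comma-joined list.
    headers["Access-Control-Allow-Origin"] = origin
    if methods is not None:
        headers["Access-Control-Allow-Methods"] = ",".join(methods)
        headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS
    return headers


def with_cors(handler):
    """Wrap a handler returning (status, headers, body) so every outcome carries CORS headers."""
    def wrapped(request_headers, *args, **kwargs):
        try:
            status, headers, body = handler(request_headers, *args, **kwargs)
        except PermissionError as exc:  # stand-in for an in-handler authorization failure
            status, headers, body = 403, {}, {"error": str(exc)}
        return status, {**headers, **cors_headers(request_headers)}, body
    return wrapped


@with_cors
def get_resource(request_headers):
    # Constructed handler: rejects requests that carry no Authorization header.
    if "authorization" not in {k.lower() for k in request_headers}:
        raise PermissionError("missing credentials")
    return 200, {"Content-Type": "application/json"}, {"ok": True}
```
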

Yep you are correct there is no support for that at the moment.

Any update about this, please?

Unfortunately I did not come up with a good workaround for this. I had to abandon this approach altogether.

Luckily, my environment was flexible enough that I could quickly solve this by using the same CloudFront instance to serve the front end and the API—they’re under the same domain so no CORs issues. Not a very suitable workaround for most, but I couldn’t find a suitable in-framework workaround.

Any updates on this?

@MichaelBoselowitz Thanks for your issue description. I've the same issue at the moment. Do you use your workaround without an extra lambda auth function?

@stealthycoin Does the feature request still exist and is it realistic that it will be processed?

Is there any update on this?

It seems more like a bug (or at least an oversight) than a feature request. I really want to use Chalice for its elegance and access to the AWS ecosystem, but I NEED the ability to build endpoints that require authentication and allow CORS access.
