Current Behavior
Running serverless offline --corsAllowOrigin example.com does not affect the actual CORS returned. Neither does setting the header in the response using
headers: {
  "Access-Control-Allow-Origin": "example.com",
}
The response does seem to contain some default CORS headers, but they are always the same and I can't seem to adjust them.
Sample Code
service:
  name: sample-proxy
frameworkVersion: "^1.71.3"
plugins:
  - serverless-webpack
  - serverless-plugin-warmup
  - serverless-dynamodb-local
  - serverless-offline
package:
  individually: true
provider:
  name: aws
  runtime: nodejs12.x
custom:
  webpack:
    webpackConfig: ./webpack.config.js
    includeModules: true
  serverless-offline:
    noPrependStageInUrl: true
    useChildProcesses: true
    httpsProtocol: ssl
functions:
  cors:
    handler: functions/cors/index.handler
    events:
      - httpApi:
          method: options
          path: /{catchall+}
  generalGet:
    handler: functions/general/index.handler
    events:
      - httpApi:
          method: get
          path: /auth

export const handler = async () => {
  return {
    headers: {
      "Access-Control-Allow-Origin": "example.com",
    },
  };
};
Expected behavior/code
Calling OPTIONS on any path should return the CORS that I returned from its handler (or the CORS that were set using the CLI).
Environment
serverless version: 1.71.3
serverless-offline version: 6.1.7
node.js version: 12.9.0
OS: Windows 10
Possible Solution
I found this:
https://github.com/dherault/serverless-offline/blob/master/src/events/http/HttpServer.js#L80
I'm not sure what the logic here was and why this was added when the Origin header is present? Shouldn't it still check if CORS should be answered?
Additional context/Screenshots
/
@Vluf, I've managed to replicate the missing Access-Control-Allow-Origin header with the below setup:
module.exports.hello = async (event, context) => {
  return {
    headers: {
      "Access-Control-Allow-Origin": "example.com",
    },
  };
};

serverless.yml
generalGet:
  handler: handler.hello
  events:
    - httpApi:
        method: get
        path: /auth
        cors: true
The header does not appear any time the cors property is set. However, when I removed cors the header got sent properly. Have you tried removing cors?
@chardos I do not have the cors property set in my configuration file :/
Have you tried submitting an OPTIONS request to your example lambda function with an origin header included?
It should ignore your returned headers (which is a bug).
The code below is responsible for this.
https://github.com/dherault/serverless-offline/blob/master/src/events/http/HttpServer.js#L80
Maybe I'm not fully understanding the issue. Would you have time for a zoom call to take me through it?
I managed to receive this response

by returning this in the lambda
headers: {
  "Access-Control-Allow-Origin": "example.com2",
},
Yes I'm available to walk you through it if desired.
In the Postman screenshot above, are you setting an origin http header?
I've started a meeting here: https://us04web.zoom.us/j/78642367082?pwd=Lzk4RXQzZ21JYmhhNlR3ZWYxbjdlUT09
@Vluf I'm going to have to look at it more tomorrow. Due to references being passed around (see below), a neat override at the end didn't work as intended.
const response = request.response.isBoom
  ? request.response.output
  : request.response
Hey @Vluf, got a partial fix for you.
It will now work if you set the headers in the lambda, but setting it with serverless offline --corsAllowOrigin example.com will not.
I'll have to look for a fix for the latter.
@chardos Awesome, this indeed solves the issue when using headers set in the Lambda response!
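
As an added example (not part of the thread and not serverless-offline's own code): an OPTIONS handler for the sample's /{catchall+} route that answers from an allowlist, plus a check for whether a response carries the origin that was sent. The allowlist values and all function names here are assumptions.

```javascript
// Added example: allowlist-based CORS preflight handler (names are assumptions).
// Constructed allowlist. A browser Origin is scheme + host (+ port), so a bare
// "example.com" never equals what a browser sends or compares against.
const ALLOWED_ORIGINS = new Set([
  "https://example.com",
  "https://localhost:3000",
]);

// Header names may arrive in any case, so look them up case-insensitively.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Returns CORS headers for an allowed origin, or only Vary for anything else.
function buildCorsHeaders(origin) {
  const headers = { Vary: "Origin" };
  if (typeof origin === "string" && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Methods"] = "GET,OPTIONS";
    headers["Access-Control-Allow-Headers"] = "Content-Type,Authorization";
  }
  return headers;
}

// Lambda-style handler for the OPTIONS /{catchall+} route.
const handler = async (event) => ({
  statusCode: 204,
  headers: buildCorsHeaders(getHeader(event && event.headers, "origin")),
});

// Check to run on a response (from the handler or from a local emulator):
// true only when the returned header is exactly the origin that was sent.
function corsHeaderMatches(responseHeaders, sentOrigin) {
  return getHeader(responseHeaders, "Access-Control-Allow-Origin") === sentOrigin;
}
```

Running corsHeaderMatches against the headers of an OPTIONS response that was requested with an Origin header shows whether the handler's value reached the client or was replaced on the way.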