Added CORS support for ALB requests

dherault · Aug 22, 2022 · 1c499be · 1c499be
1 parent 08059d0
commit 1c499be
Showing 1 changed file with 97 additions and 1 deletion.
diff --git a/src/events/alb/HttpServer.js b/src/events/alb/HttpServer.js
@@ -2,11 +2,16 @@ import { exit } from 'node:process'
 import { Buffer } from 'buffer'
 import { Server } from '@hapi/hapi'
 import { log } from '@serverless/utils/log.js'
-import { detectEncoding, generateAlbHapiPath } from '../../utils/index.js'
+import {
+  detectEncoding,
+  generateAlbHapiPath,
+  getHttpApiCorsConfig,
+} from '../../utils/index.js'
 import LambdaAlbRequestEvent from './lambda-events/LambdaAlbRequestEvent.js'
 import logRoutes from '../../utils/logRoutes.js'
 
 const { stringify } = JSON
+const { entries } = Object
 
 export default class HttpServer {
   #lambda = null
@@ -39,6 +44,97 @@ export default class HttpServer {
     }
 
     this.#server = new Server(serverOptions)
+
+    this.#server.ext('onPreResponse', (request, h) => {
+      if (request.headers.origin) {
+        const response = request.response.isBoom
+          ? request.response.output
+          : request.response
+
+        const explicitlySetHeaders = {
+          ...response.headers,
+        }
+
+        if (
+          this.#serverless.service.provider.httpApi &&
+          this.#serverless.service.provider.httpApi.cors
+        ) {
+          const httpApiCors = getHttpApiCorsConfig(
+            this.#serverless.service.provider.httpApi.cors,
+            this,
+          )
+
+          if (request.method === 'options') {
+            response.statusCode = 204
+            const allowAllOrigins =
+              httpApiCors.allowedOrigins.length === 1 &&
+              httpApiCors.allowedOrigins[0] === '*'
+            if (
+              !allowAllOrigins &&
+              !httpApiCors.allowedOrigins.includes(request.headers.origin)
+            ) {
+              return h.continue
+            }
+          }
+
+          response.headers['access-control-allow-origin'] =
+            request.headers.origin
+          if (httpApiCors.allowCredentials) {
+            response.headers['access-control-allow-credentials'] = 'true'
+          }
+          if (httpApiCors.maxAge) {
+            response.headers['access-control-max-age'] = httpApiCors.maxAge
+          }
+          if (httpApiCors.exposedResponseHeaders) {
+            response.headers['access-control-expose-headers'] =
+              httpApiCors.exposedResponseHeaders.join(',')
+          }
+          if (httpApiCors.allowedMethods) {
+            response.headers['access-control-allow-methods'] =
+              httpApiCors.allowedMethods.join(',')
+          }
+          if (httpApiCors.allowedHeaders) {
+            response.headers['access-control-allow-headers'] =
+              httpApiCors.allowedHeaders.join(',')
+          }
+        } else {
+          response.headers['access-control-allow-origin'] =
+            request.headers.origin
+          response.headers['access-control-allow-credentials'] = 'true'
+
+          if (request.method === 'options') {
+            response.statusCode = 200
+
+            if (request.headers['access-control-expose-headers']) {
+              response.headers['access-control-expose-headers'] =
+                request.headers['access-control-expose-headers']
+            } else {
+              response.headers['access-control-expose-headers'] =
+                'content-type, content-length, etag'
+            }
+            response.headers['access-control-max-age'] = 60 * 10
+
+            if (request.headers['access-control-request-headers']) {
+              response.headers['access-control-allow-headers'] =
+                request.headers['access-control-request-headers']
+            }
+
+            if (request.headers['access-control-request-method']) {
+              response.headers['access-control-allow-methods'] =
+                request.headers['access-control-request-method']
+            }
+          }
+
+          // Override default headers with headers that have been explicitly set
+          entries(explicitlySetHeaders).forEach(([key, value]) => {
+            if (value) {
+              response.headers[key] = value
+            }
+          })
+        }
+      }
+      return h.continue
+    })
   }
 
   async start() {