Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: support api gateway and path based CORS #305

Merged
merged 2 commits into from
Mar 1, 2023
Merged

feat: support api gateway and path based CORS #305

merged 2 commits into from
Mar 1, 2023

Conversation

thantos
Copy link
Contributor

@thantos thantos commented Mar 1, 2023

Advanced and tested CORS support!

Option 1 - Infra Config

Uses API Gateway's CORS configuration and the command worker to handler CORS. APIg adds the CORS headers to any response that matches the configuration (headers, methods, etc) and the $default path returns a 204 response on OPTIONS.

No middleware required, no response headers required, same behavior for ALL paths.

new Service(..., {
        cors: {
          allowHeaders: ["authorization", "content-type"],
          // TODO: Change this for prod!
          allowOrigins: ["*"],
          allowMethods: [CorsHttpMethod.ANY],
        },
})

Option 2 - Custom

Uses a command and the router to handler CORS. Requires the commands to return CORS headers manually or via a middleware. Requires the OPTIONS path(s) to be implemented. Allows for customization and dynamic behavior beyond the API level which API gateway allows for.

// Middleware

export async function cors<In>({
  next,
  context,
}: MiddlewareInput<In>): Promise<MiddlewareOutput<In>> {
  const response = await next(context);
   // change for prod!!
  response.headers.set("Access-Control-Allow-Origin", "*");
  response.headers.set(
    "Access-Control-Allow-Headers",
    "Authorization,Content-Type"
  );
  return response;
}

// options command
// the "*" path is turned into a /{proxy+}
cors.options("*", () => return new HttpResponse(undefined, { status: 204 })); // or 200

// any command or path
cors.command(...)
cors.get(...)

@thantos thantos requested a review from sam-goodwin March 1, 2023 18:46
sam-goodwin
sam-goodwin approved these changes Mar 1, 2023
View reviewed changes
Copy link
Owner

@sam-goodwin sam-goodwin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see the cors middleware in here?

packages/@eventual/aws-cdk/src/command-service.ts
export interface CommandsProps<Service = any> extends ServiceConstructProps {
activityService: ActivityService<Service>;
overrides?: CommandProps<Service>;
eventService: EventService;
workflowService: WorkflowService;
cors?: CorsOptions;
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we allow this to be configured per command also?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe later, but API Gateway http doesn't support that. The "custom" approach which doesn't use the infra config would support per operation.

packages/@eventual/aws-cdk/src/command-service.ts
path: command.path,
// itty router supports paths in the form /*, but api gateway expects them in the form /{proxy+}
path:
command.path === "*"
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this fragile? What about /abc/*

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thats fine, would become /abc/{proxy+}

packages/@eventual/core-runtime/src/handlers/command-worker.ts Outdated
Comment on lines 53 to 57
if (request.method === "OPTIONS") {
return new HttpResponse(undefined, {
status: 204,
});
}
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why 204? A comment would help

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added

              // CORS expects a 204 or 200, using 204 to match API Gateway
              // and accurately reflect NO CONTENT

@thantos thantos mentioned this pull request Mar 1, 2023
Merged
@thantos thantos merged commit 399f173 into main Mar 1, 2023
@thantos thantos deleted the sussman/feat/cors branch March 1, 2023 20:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sam-goodwin sam-goodwin sam-goodwin approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@thantos @sam-goodwin