http-cors: allow Access-Control-Request-Method to be used

[mdesousa]

Consider a situation where you have routes where the GET method should be allowed from anywhere, but POST, PUT, DELETE should only be allowed for certain origins.

// handlers implemented: create(), get(), filter()...

const anyOrigin = cors({ origin: '*' });

const routes: Routes = [
  {
    method: 'GET',
    path: '/data',
    handler: middy().use(anyOrigin).handler(filter),
  },
  {
    method: 'GET',
    path: '/data/{id}',
    handler: middy().use(anyOrigin).handler(get),
  },
  {
    method: 'POST',
    path: '/data/{id}',
    handler: create,
  },
];

this is great and very easy 👍 but you also need to implement the handling of pre-flight request. you can add one more route:

  {
    method: 'OPTIONS',
    path: '/data/{proxy+}',
    handler: middy()
      .use(anyOrigin) // TODO: only if Access-Control-Request-Method is GET
      .handler(async () => ''),
  },

this allows the preflight request to allow any origin for all methods. ideally the cors options should have a requestMethods option with a list of methods. these can be used during preflight to only apply cors if the requested method is in the provided list.

[willfarrell]

This middleware does support requestMethods...

https://middy.js.org/docs/middlewares/http-cors

[mdesousa]

hi @willfarrell , yeah saw it mentioned in the documentation... but couldn't find it in the source code 🤔
i figured that the documentation must be outdated. also, the documentation says "value to put in Access-Control-Request-Methods"... but that's an incorrect header...

• Access-Control-Request-Method is a header in the preflight request that specifies the method to be called
• Access-Control-Allow-Methods is a header in the response, specifying allowed methods

this issue is about supporting Access-Control-Request-Method...

[willfarrell]

How about that. I found this commit (eaa4f21) which states Remove options (requestHeaders, requestMethods) to set request headers that are unused by the browser. I'm not sure why I wrote that at the time, I recall there was a little more to this one (maybe security related), but can't remember right now.

[blablabla1234678]

@mdesousa Correct me if I am wrong, but afaik. preflight does not happen with GET and POST requests. In my experience it happens only by PUT, PATCH, DELETE requests.
To be more precise it depends on whether we are talking about simple requests: https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS#simple_requests

[mdesousa]

right, this is for non-simple requests @blablabla1234678