AWS API Gateway CORS ok for OPTIONS, fail for POST

 

I've looked at the other related questions on SO but this seems different. In fact, my question is very similar to this one, except I don't have the 400 status issue.

The set up:

  • lambda function through API Gateway
  • Authorization: None, API KEY Required: false

  • deploying to stage: test

  • 1 resource, 1 POST method integrating the lambda.

  • Calling the POST endpoint directly eg with curl always returns 200 (with/without payload, bad payload, etc.) - so that's different from the referenced question.

    • I've used the "Enable CORS" option - I've tried applying this option on both the resource, and the POST request (and deploying the API afterwards).

    In API GW, I can see Access-Control-Allow-Origin listed in 200 Response Headers under POST method - Method Response area.

    Result: Calling the endpoint from client code in Chrome, OPTIONS passes but POST fails due to missing Access-Control-Allow-Origin header.

    In curl: OPTIONS call 

    curl -X OPTIONS -H "Access-Control-Request-Method: POST" 
     -H "Access-Control-Request-Headers: Content-Type" 
     -H "Origin: http://example.com" --verbose <endpoint>

    the response is: 

    < HTTP/1.1 200 OK
< Content-Type: application/json
...
< Access-Control-Allow-Headers: Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token
< Access-Control-Allow-Methods: POST,OPTIONS
< Access-Control-Allow-Origin: *
...

    but with POST: 

    curl -X POST -d '{}' -H "Content-Type: application/json" 
     -H "Origin: http://example.com" --verbose <endpoint>

    it returns: 

    < HTTP/1.1 200 OK
< Content-Type: application/json
...

    and the response json body - but no Access- anything header.

    What else can I check?

    The problem has been that the API gateway has called my lambda function using the "Lambda Proxy Integration" option checked.

    I believe this is activated by default when adding a API gateway trigger to a newly created lambda function.

    When inside the API Gateway - Resource - Method view, the "Integration Response" box is greyed out and it seems there's no way (even for the Enable CORS function) to add a Access-Control-Allow-Origin header there, which according to @Abhigna_Nagaraja is required.

    Solution: If using "Lambda Proxy Integration", add the 'Access-Control-Allow-Origin': '*' header to your lambda function.

    Even better: in the same view - Integration Request, turn off "Lambda Proxy Integration" and Enable CORS again (deploy afterwards).

    (Then, in the callback, you'll have to return just the payload json instead of the { statusCode, headers, body } object.)

    Update :

    Some useful reads if you're unsure whether to return request response status information in http status codes or in the json payload:

    http status vs json status

    json status standards

    'Enable CORS' option is a convenient tool that sets up all the integration/method response header mappings. If you clicked 'Enable CORS' and then added a new resource, it won't have the required settings. You can either click 'Enable CORS' again or you can manually set it up as

  • Add 'Access-Control-Allow-Origin' Method Response Header to POST method
  • Add 'Access-Control-Allow-Origin' Integration Response Header Mapping to POST method

    • Also, don't forget to deploy the API before testing the changes with curl.

    链接地址: http://www.djcxy.com/p/48064.html

    上一篇: AngularJS数据结构:客户端还是API?

    下一篇: 对于OPTIONS,AWS API网关CORS正常,POST失败