corsaws-cloudformationaws-api-gatewaypreflightsam
Preflight response 403 forbidden. How can I allow options method without x-api-key?
I'm using SAM to create my API in cloudformation.
I'm getting a 403 FORBIDDEN on my options method (thus also my preflight for my get method).
How can I allow my options method to reply with 200 OK without my x-api-key?
I've tried so many stackoverflow answers but none fit my SAM template format. I've tried all the different combinations of my AllowHeaders. I've ommited the x-api-key - still the same 403 FORBIDDEN.
If I send my x-api-key in postman with my request I get a 200 OK, but in my reactjs application it still gives the same error as below that my preflight does not pass.
Console log response to the get method
Postman response to the options method (preflight testing)
Cloudwatch error
template.yaml
Globals:
Function:
Timeout: 10
Api:
Cors:
AllowMethods: "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'"
AllowHeaders: "'Content-Type,X-Amz-Date,X-Amz-Security-Token,x-api-key,Authorization,Origin,Host,X-Requested-With,Accept,Access-Control-Allow-Methods,Access-Control-Allow-Origin,Access-Control-Allow-Headers'"
AllowOrigin: "'*'"
Resources:
BSApi:
Type: AWS::Serverless::Api
Properties:
StageName: Prod
Auth:
ApiKeyRequired: true
AddDefaultAuthorizerToCorsPreflight: false
GrondvogFunction:
Type: AWS::Serverless::Function
Properties:
CodeUri: grondvog/
Handler: app.lambdaHandler
Runtime: nodejs12.x
Policies:
- LambdaInvokePolicy: {
'FunctionName': !Ref RDBQueryFunction
}
Environment:
Variables:
"RDBQueryFunctionName": !Ref RDBQueryFunction
Events:
KryGrondvog:
Type: Api
Properties:
RestApiId: !Ref BSApi
Path: /grondvog
Method: get
OptionsGrondvog:
Type: Api
Properties:
RestApiId: !Ref BSApi
Path: /grondvog
Method: options
Lambda function
if (event.httpMethod == 'OPTIONS') {
rekords = {
statusCode: 200,
headers: {
"Access-Control-Allow-Headers": "Content-Type,X-Amz-Date,X-Amz-Security-Token,x-api-key,Authorization,Origin,Host,X-Requested-With,Accept,Access-Control-Allow-Methods,Access-Control-Allow-Origin,Access-Control-Allow-Headers",
"Access-Control-Allow-Origin": "*",
"Access-Control-Allow-Methods": "DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT",
"X-Requested-With": "*"
},
body: JSON.stringify({ statusText: "OK" })
};
}
Solution
Alright, I found the solution.
I missed the part where I should tell my SAM application that for the options method I must specify that I don't want the api key. I just added the following to each options method:
Auth:
ApiKeyRequired: false
GrondvogFunction:
Type: AWS::Serverless::Function
Properties:
CodeUri: grondvog/
Handler: app.lambdaHandler
Runtime: nodejs12.x
Policies:
- LambdaInvokePolicy: {
'FunctionName': !Ref RDBQueryFunction
}
Environment:
Variables:
"RDBQueryFunctionName": !Ref RDBQueryFunction
Events:
KryGrondvog:
Type: Api
Properties:
RestApiId: !Ref BSApi
Path: /grondvog
Method: get
OptionsGrondvog:
Type: Api
Properties:
RestApiId: !Ref BSApi
Path: /grondvog
Method: options
Auth:
ApiKeyRequired: false
- ASP.NET Core CORS Setup Stops Working After Bicep Deployment
- ASP.NET Core 6 Web API : custom authentication handler and Angular HttpInterceptor [receive Status code =0 for 401 Unauthorized Response]
- Drawing new Image() onto canvas and using canvas.toDataURL()
- Failed to fetch. Possible Reasons: CORS Network Failure URL scheme must be "http" or "https" for CORS request
- Angular 18 CORS issue with Springboot as backend
- How can I enable CORS on Django REST Framework
- How do I fix CORS issue in Fetch API
- I try fetching my data on the server bisically this signup page, I got cors policy error even I got it configure on the server
- How do I resolve a CORS issue in an Ajax POST to ASP.NET Core 6.0 Web API?
- How does the 'Access-Control-Allow-Origin' header work?
- Cors and React with no local server
- Not able to install Microsoft.AspNet.WebApi.Cors from NuGet
- Understanding XMLHttpRequest over CORS (responseText)
- How to solve flutter web api cors error only with dart code?
- Private Network Access problem w/ disabled web security: Request had no target IP address space, yet the resource is in address space local
- SignalR errors in the console even though the requests successfully completed
- Origin header missing on API call outside of network using Azure
- CORS and x-apikey are mutual exclusive?
- Download image blob from Google Photos using JavaScript and REST API
- Origin null is not allowed by Access-Control-Allow-Origin
- How to Solve CORS error in accessing laravel routes
- Origin <origin> is not allowed by Access-Control-Allow-Origin
- Problem with CORS policy in React front end with FastAPI on the back trying to use Microsoft Single Sign-on
- Why the fetch gets failed even when I am using cors dependency?
- Firebase Storage and Access-Control-Allow-Origin
- Spring Boot Restful Service and CORS problem
- Background-image in CSS url blocked by Opaque Response Blocking
- Stripe Checkout example running into CORS error from localhost
- How to disable CORS policy for special routes in Node.js/Express server?
- Cors error persists no matter what I try with server