api, google-cloud-platform, google-cloud-api-gateway

Google API Gateway CORS Headers Use OPTIONS request


After implementing an API gateway in front of my App Engine instances, I got a problem stating that the request was blocked because of the CORS header. After searching online I found out that API Gateway doesn't provide a way to set the CORS policy; however, it also "overwrites" the header sent by my single back-end application. Do I need to implement a load balancer to set an additional header, or is there a way to avoid the overwrite?

Example of API:

paths:
  "/login":
    post:
      description: "Login into the service"
      operationId: "login"
      x-google-backend:
        address: https://project-id.oa.r.appspot.com/api/v1/login
      produces:
      - "application/json"
      responses:
        200:
          description: "Projects retrieved successfully"
          schema:
            $ref: "#/definitions/access_token"
        401:
          description: "Wrong password"
          schema:
            type: "string"
        404:
          description: "User not exists"
          schema:
            type: "string"
      parameters:
      - in: body
        name: user
        description: The user to create.
        schema:
          type: object
          required:
            - userName
          properties:
            userName:
              type: string
            firstName:
              type: string
            lastName:
              type: string

Solution

  • After a lot of trials, I found a simpler solution than implementing a load balancer in front of the gateway:

    To use the CORS headers provided by the back-end application, it is enough to add an OPTIONS request to the API to avoid headers being overwritten. So, given the login API, I just need to add the request like this:

    paths:
      "/login":
        post:
          description: "Login into the service"
          operationId: "login"
          x-google-backend:
            address: https://project-id.oa.r.appspot.com/api/v1/login
          produces:
          - "application/json"
          responses:
            200:
              description: "Projects retrieved successfully"
              schema:
                $ref: "#/definitions/access_token"
            401:
              description: "Wrong password"
              schema:
                type: "string"
            404:
              description: "User not exists"
              schema:
                type: "string"
          parameters:
          - in: body
            name: user
            description: The user to create.
            schema:
              type: object
              required:
                - userName
              properties:
                userName:
                  type: string
                firstName:
                  type: string
                lastName:
                  type: string
        options:
          description: "Cors associated request to login"
          operationId: "login cors"
          x-google-backend:
            address: https://project-id.oa.r.appspot.com/api/v1/login
          responses:
            200:
              description: "Allow"
            401:
              description: "Cors not allowed"
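
With the `options` operation in place the gateway forwards the preflight to the back end, so the back end has to answer it and decide which origins may call `/login`. The following is an added example, not code from the original answer: a WSGI middleware that answers the preflight with the same 200/401 statuses as the spec and returns CORS headers only to allowlisted origins. The origin `https://app.example.com`, the allowed methods and headers, and the `login_app` stand-in are assumptions.

```python
# Added example: WSGI middleware for the back end behind the gateway.
# Origins, methods and header names below are assumed values.
ALLOWED_ORIGINS = frozenset({"https://app.example.com"})  # assumed front-end origin


class CorsMiddleware:
    """Answer forwarded preflights and tag real responses, allowlisted origins only."""

    def __init__(self, app, allowed_origins=ALLOWED_ORIGINS):
        self.app = app
        self.allowed = frozenset(allowed_origins)

    def cors_headers(self, origin):
        headers = [("Vary", "Origin")]  # response differs per Origin, so caches must key on it
        if origin in self.allowed:
            headers += [
                ("Access-Control-Allow-Origin", origin),  # exact match, never "*" or a blind echo
                ("Access-Control-Allow-Methods", "POST, OPTIONS"),
                ("Access-Control-Allow-Headers", "Content-Type, Authorization"),
                ("Access-Control-Max-Age", "600"),
            ]
        return headers

    def __call__(self, environ, start_response):
        origin = environ.get("HTTP_ORIGIN", "")
        if environ["REQUEST_METHOD"] == "OPTIONS":
            # Same statuses as the spec's options operation: 200 allow, 401 not allowed.
            status = "200 OK" if origin in self.allowed else "401 Unauthorized"
            start_response(status, self.cors_headers(origin) + [("Content-Length", "0")])
            return [b""]

        def with_cors(status, headers, exc_info=None):
            return start_response(status, list(headers) + self.cors_headers(origin), exc_info)

        return self.app(environ, with_cors)


def login_app(environ, start_response):
    """Constructed stand-in for the real /api/v1/login handler."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"access_token": "constructed-sample"}']


def simulate(method, origin, app=CorsMiddleware(login_app)):
    """Drive the app with a constructed request; return (status, headers dict)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)

    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/api/v1/login", "HTTP_ORIGIN": origin}
    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"]
```

`simulate("OPTIONS", "https://app.example.com")` shows the allowed preflight; any other origin gets 401 and no `Access-Control-Allow-Origin` header, so the browser blocks the cross-origin call.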