First post in over 6 years.
So I have set up an AWS API Gateway REST API. It's a simple API with one endpoint for a POST request. Works without issues.
However, when I add my AWS WAF rule for Captcha to protect the API Gateway, I am getting CORS errors. If I change the rule from Captcha to just Allow, no issues.
When I make the same API call from restninja.io with the Captcha token present in the header, no issue. Everything works.
To give more background, I am trying the new Application Integration for WAF captcha which lets you render the captcha challenge on your own page instead of it being the page.

// this is how I initialize the Captcha challenge
AwsWafCaptcha.renderCaptcha(container, {
  apiKey: "ApiKeyHere",
  onSuccess: captchaExampleSuccessFunction,
  onError: captchaExampleErrorFunction,
  dynamicWidth: true,
  skipTitle: true
});

// how I retrieve the token before my POST request
const token = await AwsWafIntegration.getToken();

// this is my API call using the AWS Waf Fetch wrapper
// the call works without Captcha rule being turned on and all the options being commented out, included it here just to show what I have been trying from the frontend side
const response = await (window as any).AwsWafIntegration.fetch(url, {
  method: "POST",
  // mode: "cors",
  // cache: "no-cache",
  // credentials: "include",
  // headers: {
  //   "Content-Type": "application/json",
  //   // "X-Aws-Waf-Token": token,
  //   // "Cookie": `aws-waf-token=${token}`
  // },
  body: JSON.stringify(data),
});

I feel I am missing something super minor. As I mentioned earlier, I am able to get it to work with restninja.io but have not been able to figure out what the difference is.
Figured it out. It was due to my WAF Captcha rule: my rule was too generic and included the OPTIONS API. I adjusted the rule to only target my POST API. Once I did that, the OPTIONS call succeeded, and then when I provided a valid Captcha token with my POST request, it worked.
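
The fix described above, sketched as an added example (not code from the original post and not AWS code): two rule objects in the WAFv2 rule JSON shape, one generic and one scoped to POST, run through a simplified matcher against a constructed preflight and POST. The `/submit` path, the `hasValidToken` flag, the default Allow action and the matcher itself are assumptions made for illustration.

```javascript
// Simplified model of WAFv2 statement matching (an assumption, not AWS code).
// Only ByteMatchStatement on Method/UriPath and AndStatement are modelled.
function matches(stmt, req) {
  if (stmt.AndStatement) return stmt.AndStatement.Statements.every((s) => matches(s, req));
  const b = stmt.ByteMatchStatement;
  const field = "Method" in b.FieldToMatch ? req.method : req.path;
  return b.PositionalConstraint === "EXACTLY"
    ? field === b.SearchString
    : field.startsWith(b.SearchString); // STARTS_WITH
}

// A matched Captcha rule passes the request only if it carries a valid token.
function evaluate(rule, req) {
  if (!matches(rule.Statement, req)) return "ALLOW"; // web ACL default action assumed Allow
  return req.hasValidToken ? "ALLOW" : "CAPTCHA";
}

const byteMatch = (field, value, constraint) => ({
  ByteMatchStatement: {
    SearchString: value,
    FieldToMatch: { [field]: {} },
    TextTransformations: [{ Priority: 0, Type: "NONE" }],
    PositionalConstraint: constraint,
  },
});

// Too generic: matches every method on the path, including the OPTIONS preflight.
// (Priority and VisibilityConfig omitted; "/submit" is a hypothetical path.)
const genericRule = {
  Name: "captcha-any-method",
  Statement: byteMatch("UriPath", "/submit", "STARTS_WITH"),
  Action: { Captcha: {} },
};

// Scoped: path AND method == POST, so the preflight never reaches the Captcha action.
const scopedRule = {
  Name: "captcha-post-only",
  Statement: { AndStatement: { Statements: [
    byteMatch("UriPath", "/submit", "STARTS_WITH"),
    byteMatch("Method", "POST", "EXACTLY"),
  ] } },
  Action: { Captcha: {} },
};

// Constructed requests. Browsers send the CORS preflight without cookies or
// custom headers, so it can never carry the aws-waf-token.
const preflight = { method: "OPTIONS", path: "/submit", hasValidToken: false };
const postWithToken = { method: "POST", path: "/submit", hasValidToken: true };
const postNoToken = { method: "POST", path: "/submit", hasValidToken: false };
const outcomes = (rule) => [preflight, postWithToken, postNoToken].map((r) => evaluate(rule, r));
```

With the generic rule the preflight itself is answered by the Captcha action, which the browser surfaces as a CORS error; a client such as restninja.io sends no preflight, which is why the same call succeeded there.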