fix(apigateway): fix strange vtl template for cors preflight request #19104

Merged
mergify[bot] merged 2 commits into aws:master from cm-iwata:fix/apigw-cors-vtl-template
Feb 24, 2022

@cm-iwata
Contributor

CDK will create this VTL template for the OPTIONS method.

#set($origin = $input.params("Origin"))
#if($origin == "") #set($origin = $input.params("origin")) #end
#if($origin.matches("https://www.test-cors.org"))
  #set($context.responseOverride.header.Access-Control-Allow-Origin = $origin)
#end

This VTL template uses $input.params to get the origin information.

But it references request parameters from these values:

  • path
  • query string
  • header

$input Variables

So, this template causes strange behavior like this.

$ curl -XOPTIONS https://xxx.execute-api.ap-northeast-1.amazonaws.com/prod/twitch?origin=https://www.test-cors.org -i

HTTP/2 204
date: Wed, 23 Feb 2022 06:32:39 GMT
x-amzn-requestid: df42e9de-80a4-4db5-985d-5ed8adc40b99
access-control-allow-origin: https://www.test-cors.org

RFC6454 says

the Origin header field indicates
the origin(s) that "caused" the user agent to issue the request

It does not mention path and query strings.

So the VTL template should use only the request header to check the origin information.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
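
A check for stacks synthesized with the template shown above, as an added example that is not part of the PR or the CDK code base: it scans a CloudFormation template for `AWS::ApiGateway::Method` OPTIONS resources whose response template reads the origin with the single-argument `$input.params("Origin")`. The sample template, the logical IDs and the header-only form `$input.params().header.get(...)` used for contrast are constructed for illustration.

```typescript
// Added example: flag OPTIONS methods whose CORS response template reads the
// origin via $input.params(name), which also matches path and query string.
type Resource = { Type: string; Properties?: any };
type Template = { Resources: Record<string, Resource> };
// Matches $input.params("Origin") / $input.params("origin"); does not match
// the header-only lookup $input.params().header.get("Origin").
const ANY_SOURCE_ORIGIN = /\$input\.params\(\s*["']origin["']\s*\)/i;

function findLooseOriginTemplates(template: Template): string[] {
  const findings: string[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    if (res.Type !== "AWS::ApiGateway::Method") continue;
    if (res.Properties?.HttpMethod !== "OPTIONS") continue;
    const responses: any[] = res.Properties?.Integration?.IntegrationResponses ?? [];
    for (const r of responses) {
      for (const [contentType, body] of Object.entries(r.ResponseTemplates ?? {})) {
        // Bodies that are not plain strings (e.g. Fn::Join) are skipped.
        if (typeof body === "string" && ANY_SOURCE_ORIGIN.test(body)) {
          findings.push(`${logicalId} [${contentType}]`);
        }
      }
    }
  }
  return findings;
}

// Constructed sample input: the template from the PR description, built with
// either lookup style. Logical IDs are hypothetical.
const corsVtl = (get: (name: string) => string): string => [
  `#set($origin = ${get("Origin")})`,
  `#if($origin == "") #set($origin = ${get("origin")}) #end`,
  `#if($origin.matches("https://www.test-cors.org"))`,
  `  #set($context.responseOverride.header.Access-Control-Allow-Origin = $origin)`,
  `#end`,
].join("\n");
const optionsMethod = (vtl: string): Resource => ({
  Type: "AWS::ApiGateway::Method",
  Properties: {
    HttpMethod: "OPTIONS",
    Integration: { Type: "MOCK", IntegrationResponses: [
      { StatusCode: "204", ResponseTemplates: { "application/json": vtl } }] },
  },
});
const sample: Template = { Resources: {
  AnySourceOptions: optionsMethod(corsVtl(n => `$input.params("${n}")`)),
  HeaderOnlyOptions: optionsMethod(corsVtl(n => `$input.params().header.get("${n}")`)),
} };
console.log(findLooseOriginTemplates(sample)); // logical IDs needing review
```
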

@gitpod-io

gitpod-io bot commented Feb 23, 2022

@github-actions github-actions bot added the @aws-cdk/aws-apigateway Related to Amazon API Gateway label Feb 23, 2022
@mergify
Contributor

mergify bot commented Feb 24, 2022

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
  • Commit ID: 7752f93
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 59ef06a into aws:master Feb 24, 2022
@mergify
Contributor

mergify bot commented Feb 24, 2022

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@cm-iwata cm-iwata deleted the fix/apigw-cors-vtl-template branch February 24, 2022 23:56