fix(apigateway): CORS OPTIONS method should not require auth

[corymhall]

When you create a RestApi and you provide defaultCorsPreflightOptions we automatically create a CORS OPTIONS method for each method. If you also provide defaultMethodOptions then those default options get passed through to the CORS OPTION method as well. In the case of authentication options this should not be the case.

This PR explicitly sets the authentication related options to NONE values which overrides whatever is provided in defaultMethodOptions.

I've updated an integration tests to assert that an OPTIONS call is successful (I also tested before the fix to assert that it failed).

fixes #8615

---

All Submissions:

• Have you followed the guidelines in our Contributing guide?

Adding new Unconventional Dependencies:

• This PR adds new unconventional dependencies following the process described here

New Features

• Have you added the new feature to an integration test?
  • Did you use yarn integ to deploy the infrastructure and generate the snapshot (i.e. yarn integ without --dry-run)?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[gitpod-io]

[Naumel]

added now

[Naumel]

I did not mind the link, since code is better represented as such, instead of READMEs, but I appreciate the lack of clicking around.

[Naumel]

Pardon my lack of coffee, but what's the difference?

Answer: authorizerId being "" would still lead to an undefined.

Follow-up: is that needed?

[Naumel]

As per comment above, this would still lead to an undefined, why specify it?

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 5541378
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[plumdog]

@Naumel @corymhall I've found this because the diff for one of my projects showed the auth options being unset for the OPTIONS methods, which (wrongly?) concerned me.

Is it really the case that OPTIONS should always be unauthenticated? Is this a how-to-do-REST-properly thing?

I'm slightly surprised it's not an optional setting to enable this behaviour from some props, as I imagine this change could - theoretically, at least - expose something sensitive that was previously hidden.

[markcarroll]

@Naumel @corymhall this PR did not fix the issue in #8615 due to a bug in

aws-cdk/packages/@aws-cdk/aws-apigateway/lib/method.ts

Line 203 in 31d6e65

apiKeyRequired: options.apiKeyRequired || defaultMethodOptions.apiKeyRequired,

If the default is to have API key required, the fix added in #22402 will get overridden by the default setting - options.apiKeyRequired is false which leads the other side of the boolean operator to get evaluated which then returns whatever defaultMethodOptions.apiKeyRequired is set to.

[taidv]

Invalid Method authorization type specified. Authorization Scopes are only valid for COGNITO_USER_POOLS authorization type (Service: AmazonApiGateway; Status Code: 400; Error Code: BadRequestException;

For those who encounter the above error after upgrading CDK to version 2.46.0 or higher, it appears that the issue may be related to the configuration of 'authorizer' and 'authorizationScopes' in 'defaultMethodOptions.'

This error can occur because this PR sets the authorizer to NONE, but 'defaultMethodOptions' still includes 'authorizationScopes,' leading to the aforementioned error.

As a workaround, you can resolve this issue by removing 'authorizationScopes' from 'defaultMethodOptions' and setting it when using 'addMethod.' This ensures that the 'authorizationScopes' is applied correctly.

For more information on this topic, you can refer to the official AWS documentation on API Gateway methods: API Method Documentation.

[lazylace37]

Unfortunately the workaround provided by @taidv cannot be applied to ProxyResources, because they rely on defaultMethodOptions.

To recap: if you are getting this error:
Invalid Method authorization type specified. Authorization Scopes are only valid for COGNITO_USER_POOLS authorization type (Service: AmazonApiGateway; Status Code: 400; Error Code: BadRequestException;
you are probably using defaultMethodOptions like this in your API or your ProxyResource:

const apis = new apigw.RestApi(this, "rest-api", {
  ...
  defaultMethodOptions: {
    authorizer: userPoolAuthorizer,
    authorizationType: apigw.AuthorizationType.COGNITO,
    authorizationScopes: ["api/myscope"],
  },
});

This PR resets authorizationType for OPTIONs, but not authorizationScopes. This is illegal, thus the error.
A dirty fix is this; just put it after your api.root.addProxy:

api.methods.forEach((method) => {
  if (method.httpMethod === "OPTIONS") {
    const methodCfn = method.node.defaultChild as apigw.CfnMethod;
    methodCfn.authorizationScopes = [];
  }
});