API Gateway config missing CORS header for status codes other than 200 [rc1]

[chris-vance]

This is a Bug Report

Description

I have configured a function with an 'http' POST event, CORS enabled. When I return status codes other than 200 (using the '[NNN] Message...' format), the response is missing the Access-Control-Allow-Origin header.

This is causing the browser CORS check to fail and throw a network error, rather than pass the actual status code and response through to the client.

According to the CORS spec, all responses should include the Access-Control-Allow-Origin header, not just a 200 response.

To Reproduce

Configure a function as follows:

corsTest:
  handler: handler.corsTest
  events:
    - http:
        path: cors-test
        method: post
        cors: true

In the handler:

module.exports.corsTest = ( event, context, cb ) => {
  cb( '[401] Please log in', null );
}

In the client:

fetch( 'https://[endpoint]/cors-test', { method: 'POST' } )
  .then( response => console.log(response) );

The outcome will be a browser-specific CORS failure, rather than a logged response object containing the status code and message.

[5inline]

I'm experiencing this issue as well.

[flomotlik]

We're working on a new implementation that will make all of this a lot simpler going forward. More to come soon.

[flomotlik]

This is a lot easier now with the recently released proxy and can be set up with custom status codes in #2014 as well, so I'm closing

[hassankhan]

I'm not sure this works correctly, I'm struggling to get this set up. Shall I open a new issue?

[wallslide]

I'm experiencing this problem on version 1.11.1 on AWS lambda. CORS works fine when I pass in a response like this:

const response = {
                statusCode: 200,
                headers: {
                  "Access-Control-Allow-Origin": "*", // Required for CORS support to work
                  "Access-Control-Allow-Credentials": true // Required for cookies, authorization headers with HTTPS
                },
              };

              callback(null, response);

but when I try to do this:

callback(new Error('[400] unable to find event participation'));

The browser-client gets a 502 status code response, and the following error:

Fetch API cannot load https://*****/manager/cancelParticipation. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access. The response had HTTP status code 502. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

In the cloudwatch logs however the proper error is reported like so:

"errorMessage": "[400] unable to find event participation",
    "errorType": "Error",

which proves that the error is being properly called/thrown in my Lambda function.

[pmuens]

@wallslide thanks for reporting. Have you tried to use custom status codes in combination with the LAMBDA integration type: https://serverless.com/framework/docs/providers/aws/events/apigateway#lambda-integration

Looks like you're using the LAMBDA-PROXY integration type which is a little bit more limited.

[sajal50]

When integration type is LAMBDA and the status code is other than 200, CORS doesn't seem to work.

[pmuens]

@sajal50 thanks for the response 👍

Could you open up a new issue for that so that we can track it? Thanks!