When Browser sends OPTIONS request cors=True has no effect

[steliospaps]

This applies to when the lambda is handling the OPTIONS method, and running the lambda with sam local. (I have not tested elsewhere)

OPTIONS request:
`
curl -i 'http://localhost:3000/calendar_location/distances?date=2019-10-28' -X OPTIONS

HTTP/1.0 200 OK

Content-Length: 0

Server: Werkzeug/0.15.6 Python/3.7.4

Date: Sat, 09 Nov 2019 23:34:46 GMT
`

GET request:
`curl -i 'http://localhost:3000/calendar_location/distances?date=2019-10-28'

HTTP/1.0 200 OK

Content-Type: application/json

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: GET,OPTIONS

Access-Control-Allow-Credentials: true

Content-Length: 870

Server: Werkzeug/0.15.6 Python/3.7.4

Date: Sat, 09 Nov 2019 23:35:04 GMT

....
`

[vincentsarago]

thanks for the issue @steliospaps
I'm not a backend/frontend developer so I never really looked at OPTIONS requests. Looking at https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS it seems that OPTIONS requests should return a specific response to tell the frontend/users what methods are available.

Question then, should we have OPTIONS enabled for each route ?

[vincentsarago]

Oh seems that flask add it automatically so I guess we should do the same here
ref:

• https://flask.palletsprojects.com/en/1.1.x/quickstart/#http-methods
• http://zacstewart.com/2012/04/14/http-options-method.html

[steliospaps]

Hi Vincent,
thanks for your project, and thanks for looking into this.

I am very new to api-gateway and lambda myself.

My understanding is that for non-'simple requests' the browser will do an OPTIONS call to see if the server will accept requests from the page that loaded the javascript.
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS explains it better than I can.

In my understanding with api gateway you setup a canned response of 200 with the access-control-allow-origin header you want. However I am not able to do that with sam local, so for local development my post requests with json payload fail.

[vincentsarago]

@steliospaps Thanks for the docs I'll have a look.

In my understanding with api gateway you setup a canned response of 200 with the access-control-allow-origin header you want. However I am not able to do that with sam local, so for local development my post requests with json payload fail.

For api-gateway + lambda my understanding is that when using {proxy+} (which is what this library is designed for) api-gateway will act as a proxy and not alter/update input and output messages.