Research (and implement if possible) enabling CORS on the HTTP gateways #1200

Closed
amarthadan opened this issue Jun 13, 2022 · 9 comments · Fixed by #1357

Comments

@amarthadan
Contributor

amarthadan commented Jun 13, 2022

Slack discussion
Should be configurable.

@vponline
Contributor

Moving to blocked until I get some feedback since this is not directly doable for GCP, but could be achieved with the following workarounds:

  1. Enabling a load balancer that will allow adding custom headers (https://cloud.google.com/load-balancing/docs/https/custom-headers)
  2. Handling the pre-flight checks with an if-check inline (e.g. if (req.method === 'OPTIONS')... https://cloud.google.com/functions/docs/samples/functions-http-cors#functions_http_cors-nodejs)
  3. Adding options methods to all paths for CORS requests: https://stackoverflow.com/a/65738206
  4. Enable CORS for the Google Endpoints service (it turns out that API Gateway uses this behind the scenes: https://stackoverflow.com/a/67678657). We'd need to define either OpenAPI or gRPC: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/endpoints_service

@vponline
Contributor

vponline commented Aug 2, 2022

It was decided (Slack) to implement options 2. + 3. for both AWS and GCP to keep the handling similar for both.

@vponline
Contributor

vponline commented Aug 4, 2022

@kolenic-martin To test this you can go ahead and do a deployment with the http and http-signed gateways to both AWS and GCP and then make the POST request from a browser (like React) application, e.g. with fetch:

const res = await fetch('<GATEWAY_URL>/<ENDPOINT_ID>', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'x-api-key': '<API_KEY>',
  },
  body: JSON.stringify({ parameters: { coinIds: 'api3', coinVs_currencies: 'usd' } }),
});

@martinkolenic
Contributor

Hi @vponline, my testing strategy was basically doing what you suggested but used Postman to perform that request. It was a total of four tests:

  1. GCP + http
  2. GCP + signed
  3. AWS + http
  4. AWS + signed

I did not run into any problems and all of the requests were successful.

@vponline
Contributor

vponline commented Aug 9, 2022

@kolenic-martin Ok, just to confirm, were you able to make a CORS request with Postman? I think we'd also need to test that you were able to block a CORS request with an empty corsOrigins field as well.

@martinkolenic
Contributor

martinkolenic commented Aug 9, 2022 via email

@vponline
Contributor

vponline commented Aug 9, 2022

Thanks @kolenic-martin! Let me know if you need help, I think using a template React app would be the fastest for you to test, though 😄

As an additional request, could you also confirm that the API Key authentication is still working (by testing that you are unable to make a POST request with an incorrect API Key value), as there were some changes to the configuration of it as well?

@Siegrift
Contributor

Siegrift commented Aug 9, 2022

You need to make the request from a browser, not curl or Postman. You don't need a React application to test this, though. All you need is a single HTML and JS file:

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>Document</title>
  </head>
  <body>
    hello
  </body>
  <script src="./main.js"></script>
</html>

and

var myHeaders = new Headers()
myHeaders.append('x-api-key', '329b1851-eda2-41d0-9f5f-6db0bcc257c2')
myHeaders.append('Content-Type', 'application/json')

var raw = JSON.stringify({
  encodedParameters:
    '0x3173000000000000000000000000000000000000000000000000000000000000636f696e49640000000000000000000000000000000000000000000000000000626974636f696e00000000000000000000000000000000000000000000000000',
  x: 10,
})

var requestOptions = {
  method: 'POST',
  headers: myHeaders,
  body: raw,
  redirect: 'follow',
}

fetch(
  'http://localhost:3000/http-signed-data/0xfb87102cdabadf905321521ba0b3cbf74ad09c5d400ac2eccdbef8d6143e78c4',
  requestOptions,
)
  .then((response) => response.text())
  .then((result) => console.log(result))
  .catch((error) => console.log(error))

You can get the JS implementation from Postman (so just copy-pasting is enough).

@martinkolenic
Contributor

Hi everyone, I just wanted to confirm that this works as intended. It fails if the API key of the deployment or endpoint IDs do not match, but that is expected behaviour.
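
The behaviour discussed in this thread (the inline OPTIONS check, the corsOrigins allow-list, and why a Postman request cannot show a CORS block), as an added example that is not part of the thread or the project's code. The function names, status codes, origins and API key are assumptions constructed for illustration.

```javascript
// Added illustration: names, status codes and sample values are assumptions,
// not the project's implementation.
const ALLOW_HEADERS = 'Content-Type,x-api-key';

// CORS response headers are returned only for an Origin listed in corsOrigins,
// so an empty corsOrigins list grants no origin at all.
function corsHeaders(origin, corsOrigins) {
  if (!origin || !corsOrigins.includes(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Methods': 'POST,OPTIONS',
    'Access-Control-Allow-Headers': ALLOW_HEADERS,
    Vary: 'Origin',
  };
}

function handleGatewayRequest(req, config) {
  const headers = corsHeaders(req.headers.origin, config.corsOrigins);
  if (req.method === 'OPTIONS') {
    // Preflight requests carry no x-api-key, so answer them before the key check.
    const allowed = 'Access-Control-Allow-Origin' in headers;
    return { status: allowed ? 204 : 400, headers };
  }
  if (req.headers['x-api-key'] !== config.apiKey) return { status: 403, headers };
  return { status: 200, headers, body: '{"ok":true}' };
}

// What a browser does for a cross-origin POST with JSON and x-api-key:
// preflight first, then the real request; the page's script sees the response
// only if both answers name the page's origin.
function browserFetch(origin, apiKey, config) {
  const grants = (res) => res.headers['Access-Control-Allow-Origin'] === origin;
  const pre = handleGatewayRequest({ method: 'OPTIONS', headers: { origin } }, config);
  if (pre.status < 200 || pre.status > 299 || !grants(pre)) return 'blocked by CORS';
  const res = handleGatewayRequest(
    { method: 'POST', headers: { origin, 'x-api-key': apiKey } }, config);
  return grants(res) ? res.status : 'blocked by CORS';
}

// What Postman or curl does: no Origin header, no preflight, nothing enforced.
function nonBrowserPost(apiKey, config) {
  const req = { method: 'POST', headers: { 'x-api-key': apiKey } };
  return handleGatewayRequest(req, config).status;
}

// Constructed sample configurations.
const APP = 'https://app.example';
const OPEN = { apiKey: 'constructed-key', corsOrigins: [APP] };
const CLOSED = { apiKey: 'constructed-key', corsOrigins: [] };
```

With `CLOSED`, the browser path is blocked while the non-browser POST still returns 200, which is why the empty corsOrigins case has to be tested from a browser and why the API key check remains the actual access control.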
