apigateway: Can't set default authorization scopes when adding a proxy to a resource #29781

@David-Jacobsen

Describe the bug

When trying to add a Proxy to a Resource, you can't set the default authorization scopes because it attempts to set the authorization scopes to the OPTIONS method despite the OPTIONS method intentionally not having any authorizer.

    const api = new apigw.RestApi(this, "Actions-ApiGateway", {
      defaultCorsPreflightOptions: {
        allowOrigins: apigw.Cors.ALL_ORIGINS,
        maxAge: Duration.days(10)
      },
    });
    const root = api.root;
    const sendResource = root.addResource(`InitiateAction`);
    const sendLambdaIntegration = new apigw.LambdaIntegration(this.initiateAction.lambda);
    const sendProxy = sendResource.addProxy({
      defaultIntegration: sendLambdaIntegration,
      anyMethod: true,
      defaultMethodOptions: {
        authorizer: this.authorizer,
        authorizationType: apigw.AuthorizationType.COGNITO,
        // Uncommenting the next line makes the deployment fail.
        // authorizationScopes: [`scopes`],
      },
      defaultCorsPreflightOptions: {
        allowOrigins: apigw.Cors.ALL_ORIGINS,
        allowMethods: apigw.Cors.ALL_METHODS
      }
    });

This works, and creates an InitiateAction resource with a proxy using the Cognito Authorizer as the authorizer. But if I uncomment the authorizationScopes line then it fails because it tries to assign the authorizationScopes to the OPTIONS method.

Expected Behavior

Default authorization scopes are only applied to non-OPTIONS methods.

Current Behavior

Default authorization scopes are applied to all methods, including OPTIONS, which causes the deployment to fail.

Reproduction Steps

    import { Duration } from "aws-cdk-lib";
    import * as apigw from "aws-cdk-lib/aws-apigateway";

    // Inside the stack's constructor:
    const authorizer = new apigw.CognitoUserPoolsAuthorizer(this, "Authorizer", {
      cognitoUserPools: [props.userPool],
    });
    const api = new apigw.RestApi(this, "Actions-ApiGateway", {
      defaultCorsPreflightOptions: {
        allowOrigins: apigw.Cors.ALL_ORIGINS,
        maxAge: Duration.days(10)
      },
    });
    const root = api.root;
    const sendResource = root.addResource(`InitiateAction`);
    const sendLambdaIntegration = new apigw.LambdaIntegration(this.initiateAction.lambda);
    const sendProxy = sendResource.addProxy({
      defaultIntegration: sendLambdaIntegration,
      anyMethod: true,
      defaultMethodOptions: {
        authorizer: authorizer,
        authorizationType: apigw.AuthorizationType.COGNITO,
        // Uncomment the next line to reproduce the failure.
        // authorizationScopes: [`scope`],
      },
      defaultCorsPreflightOptions: {
        allowOrigins: apigw.Cors.ALL_ORIGINS,
        allowMethods: apigw.Cors.ALL_METHODS
      }
    });

Possible Solution

The generated CloudFormation template shouldn't attempt to apply authorization scopes to the OPTIONS method.

Additional Information/Context

No response

CDK CLI Version

2.134.0 (build 265d769)

Framework Version

No response

Node.js Version

v18.19

OS

Mac OS 13.5.2 (22G91)

Language

TypeScript

Language Version

No response

Other information

No response
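
The following is an added example, not part of the original issue and not CDK project code: a check run over a synthesized template that flags scopes on an OPTIONS method (the state the issue reports) and any other method that lacks an authorizer or a required scope. The logical IDs, the scope name, the sample template and the `auditMethods` helper are constructed for illustration; it assumes the scopes appear as `AuthorizationScopes` on the `AWS::ApiGateway::Method` resources.

```typescript
// Added example: audit AWS::ApiGateway::Method resources in a synthesized template.
interface MethodProps {
  HttpMethod: string;
  AuthorizationType?: string;
  AuthorizationScopes?: string[];
}
interface Resource { Type: string; Properties?: MethodProps; }
interface Template { Resources: { [logicalId: string]: Resource }; }
interface Finding { logicalId: string; issue: string; }

function auditMethods(template: Template, requiredScopes: string[]): Finding[] {
  const findings: Finding[] = [];
  Object.keys(template.Resources).forEach((logicalId) => {
    const res = template.Resources[logicalId];
    if (res.Type !== "AWS::ApiGateway::Method" || !res.Properties) return;
    const authType = res.Properties.AuthorizationType || "NONE";
    const scopes = res.Properties.AuthorizationScopes || [];
    if (res.Properties.HttpMethod === "OPTIONS") {
      // CORS preflight: the issue reports scopes leaking onto this method.
      if (scopes.length > 0) {
        findings.push({ logicalId, issue: "scopes set on OPTIONS preflight" });
      }
      return;
    }
    // Every other method must be authorized and carry each required scope.
    if (authType === "NONE") {
      findings.push({ logicalId, issue: "method has no authorizer" });
    }
    const missing = requiredScopes.filter((s) => scopes.indexOf(s) === -1);
    if (missing.length > 0) {
      findings.push({ logicalId, issue: "missing scopes: " + missing.join(",") });
    }
  });
  return findings;
}

// Constructed sample (logical IDs and scope name are made up) showing the reported state.
const SAMPLE_TEMPLATE: Template = {
  Resources: {
    ProxyANY: { Type: "AWS::ApiGateway::Method", Properties: {
      HttpMethod: "ANY", AuthorizationType: "COGNITO_USER_POOLS", AuthorizationScopes: ["scope"] } },
    ProxyOPTIONS: { Type: "AWS::ApiGateway::Method", Properties: {
      HttpMethod: "OPTIONS", AuthorizationType: "NONE", AuthorizationScopes: ["scope"] } },
  },
};

const sampleFindings: Finding[] = auditMethods(SAMPLE_TEMPLATE, ["scope"]);
```

Running the same check in CI against `cdk synth` output catches the opposite mistake as well: a workaround that drops the scopes or the authorizer from the non-OPTIONS methods.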
