I have an ECS-hosted Flask service that I expose via a network load balancer, VPC link and API Gateway VPC Proxy integration.
I’m hitting this API with a React website hosted on a different domain, so I need CORS headers.
With successful requests I add CORS headers to the response in the Flask service. However, I have a custom authorisation Lambda on my endpoint, and when an unauthorised request is sent, the Lambda returns an explicit deny policy and the request doesn’t get through to the Flask service, getting stopped at the API Gateway method, with a 401 response.
My React app can’t handle that response as there are no CORS headers and axios will throw for CORS errors before I can redirect to a login page.
My first thought was to add the headers in the integration response - but given it’s a VPC Proxy integration, the integration response functionality is disabled in API Gateway.
I’ve also tried adding default gateway responses for 4XX codes. The issue I have here is I can’t set the Access-Control-Allow-Origin header to “*” as I’m passing credentials in the request, so the request credentials mode is include. API Gateway won’t allow me to have “*.mydomain.com”. So I have to have “fully-qualified.mydomain.com” - and I need more flexibility than this.
It seems unlikely that this is just how it is if you’re using an ECS backend with an authoriser lambda, so I feel like I must have missed something key.
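
The origin constraint described in the question, as an added example that is not the poster's code: because credentialed requests rule out “*”, a backend that wants to serve any subdomain of `mydomain.com` (the placeholder domain from the question) has to validate the `Origin` header and echo back that exact value. The function names and the https-only, default-port policy are assumptions of this sketch.

```python
from urllib.parse import urlsplit

ALLOWED_PARENT = "mydomain.com"  # placeholder domain taken from the question


def is_allowed_origin(origin):
    """True only for https origins on ALLOWED_PARENT or one of its subdomains."""
    if not origin or origin == "null":
        return False
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    # An Origin is scheme://host[:port] only: no path, query, fragment or userinfo.
    if parts.scheme != "https" or parts.path or parts.query or parts.fragment:
        return False
    if parts.username is not None or port not in (None, 443):
        return False
    host = (parts.hostname or "").lower()
    # The leading dot matters: a bare suffix test would accept "evilmydomain.com".
    return host == ALLOWED_PARENT or host.endswith("." + ALLOWED_PARENT)


def cors_headers(origin):
    """Headers to merge into a response; empty when the origin is not allowed."""
    if not is_allowed_origin(origin):
        return {}
    return {
        # With credentials the browser needs the exact origin back, never "*".
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Stops a shared cache replaying one origin's response to another.
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # Constructed sample origins, not taken from any real traffic.
    for sample in ("https://app.mydomain.com", "https://evilmydomain.com", "null"):
        print(sample, "->", cors_headers(sample))
```

This only covers responses the Flask service itself produces (for instance from an `after_request` hook); the 401 generated at API Gateway never reaches this code.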