401 return from an API Gateway Custom Authorizer is missing 'Access-Control-Allow-Origin' header

Problem description

In order to prevent users who have not logged in from calling my lambda function through the AWS API Gateway, I'm using the Custom Authorizer lambda solution.

If the request is authorized (200) and I get a response from the called lambda everything works fine and I get the Access-Control-Allow-Origin header.

But if the request is not authorized, I get a 401 that has no Access-Control-Allow-Origin header, therefore preventing me from reading the 401 status of the response and redirecting the user to the log-in page.

I believe this is because the Custom Authorization mechanism is unaware that the request needs to use CORS. Does anyone know whether this is actually the issue? Are you aware of any possible solution?

Recommended answer

I'm happy to announce the new Gateway Responses feature which allows you to customize the error responses for requests that don't call your integration. This allows you to ensure that CORS headers are included, even on failed auth requests.

Read more in our documentation, which includes a CORS example.
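
The following CloudFormation fragment is an added example, not part of the original answer or the AWS documentation it refers to. It shows Gateway Responses attaching the CORS header to authorizer failures. It covers the 401 from the question and, going one step further, the 403 returned when the authorizer issues a Deny policy. `MyRestApi` and `https://app.example.com` are assumed placeholders for your own API resource and front-end origin.

```yaml
# Added example: CloudFormation fragment, not the answer author's code.
# Assumptions: MyRestApi is the logical ID of your AWS::ApiGateway::RestApi,
# and https://app.example.com is the single origin allowed to read responses.
Resources:
  # 401: the authorizer could not authenticate the caller
  # (for example, the token is missing or rejected).
  UnauthorizedCorsResponse:
    Type: AWS::ApiGateway::GatewayResponse
    Properties:
      RestApiId: !Ref MyRestApi
      ResponseType: UNAUTHORIZED
      StatusCode: "401"
      ResponseParameters:
        # Static header values must be wrapped in single quotes.
        # Name the exact origin rather than '*' so that only your own
        # front end can read the error response.
        gatewayresponse.header.Access-Control-Allow-Origin: "'https://app.example.com'"

  # 403: the authorizer ran and returned a Deny policy. Without this
  # resource the browser hides the 403 the same way it hid the 401.
  AccessDeniedCorsResponse:
    Type: AWS::ApiGateway::GatewayResponse
    Properties:
      RestApiId: !Ref MyRestApi
      ResponseType: ACCESS_DENIED
      StatusCode: "403"
      ResponseParameters:
        gatewayresponse.header.Access-Control-Allow-Origin: "'https://app.example.com'"
```

Gateway Response changes take effect only after the API is redeployed to its stage.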
