npm - @go-to-k/cdkd - Versions diffs - 0.162.0 → 0.162.2 - Mend

@go-to-k/cdkd 0.162.0 → 0.162.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/cli.js CHANGED Viewed

@@ -51153,6 +51153,140 @@ function pickStringArray(value) {
 	return out;
 }
 /**
+* Build a `fnUrlLogicalId → CorsConfig` map by tracing CloudFront →
+* Function URL chains in the template (issue #646).
+*
+* Production-correct CDK pattern: Function URL fronted by a CloudFront
+* Distribution where CORS is declared on the CloudFront
+* `ResponseHeadersPolicy` (NOT on the Function URL itself). Without this
+* helper, `cdkd local start-api` sees `Cors: null` on the Function URL
+* and emits no preflight headers — even though the CDK code correctly
+* declares the allowed origins on the CloudFront side.
+*
+* Detection: an `AWS::CloudFront::Distribution` whose `Origins[].DomainName`
+* matches the canonical CDK 2.x shape
+* `Fn::Select[2, Fn::Split['/', Fn::GetAtt[<FnUrlLogicalId>, 'FunctionUrl']]]`
+* is the chain marker. For each such origin, we walk every cache behavior
+* (`DefaultCacheBehavior` + `CacheBehaviors[]`), resolve their
+* `ResponseHeadersPolicyId: { Ref: <RhpLogicalId> }` to the
+* `AWS::CloudFront::ResponseHeadersPolicy` resource, and extract its
+* `Properties.ResponseHeadersPolicyConfig.CorsConfig`.
+*
+* Schema mapping (CloudFront → internal `CorsConfig`):
+*
+*   AccessControlAllowOrigins.Items  → AllowOrigins
+*   AccessControlAllowMethods.Items  → AllowMethods
+*   AccessControlAllowHeaders.Items  → AllowHeaders
+*   AccessControlExposeHeaders.Items → ExposeHeaders
+*   AccessControlMaxAgeSec           → MaxAge
+*   AccessControlAllowCredentials    → AllowCredentials
+*   (OriginOverride is ignored — cdkd has only one config slot)
+*
+* Multiple distributions fronting the same Function URL: last write
+* wins (rare in practice). Per-path CORS via `CacheBehaviors[]` is
+* NOT supported in v1 — the `DefaultCacheBehavior`'s policy applies
+* to all paths.
+*/
+function buildCorsConfigFromCloudFrontChain(template) {
+	const out = /* @__PURE__ */ new Map();
+	const resources = template.Resources ?? {};
+	for (const [, resource] of Object.entries(resources)) {
+		if (resource.Type !== "AWS::CloudFront::Distribution") continue;
+		const distConfig = (resource.Properties ?? {})["DistributionConfig"];
+		if (!distConfig || typeof distConfig !== "object") continue;
+		const dc = distConfig;
+		const origins = Array.isArray(dc["Origins"]) ? dc["Origins"] : [];
+		for (const origin of origins) {
+			if (!origin || typeof origin !== "object") continue;
+			const fnUrlLogicalId = pickFnUrlLogicalIdFromOriginDomainName(origin["DomainName"]);
+			if (!fnUrlLogicalId) continue;
+			const cacheBehaviors = [dc["DefaultCacheBehavior"], ...Array.isArray(dc["CacheBehaviors"]) ? dc["CacheBehaviors"] : []];
+			for (const behavior of cacheBehaviors) {
+				if (!behavior || typeof behavior !== "object") continue;
+				const rhpId = pickRhpRefLogicalId(behavior["ResponseHeadersPolicyId"]);
+				if (!rhpId) continue;
+				const rhpResource = resources[rhpId];
+				if (!rhpResource || rhpResource.Type !== "AWS::CloudFront::ResponseHeadersPolicy") continue;
+				const rhpConfig = (rhpResource.Properties ?? {})["ResponseHeadersPolicyConfig"];
+				if (!rhpConfig || typeof rhpConfig !== "object") continue;
+				const corsConfig = rhpConfig["CorsConfig"];
+				if (!corsConfig || typeof corsConfig !== "object" || Array.isArray(corsConfig)) continue;
+				const parsed = parseCloudFrontCorsConfig(corsConfig);
+				if (parsed) out.set(fnUrlLogicalId, parsed);
+			}
+		}
+	}
+	return out;
+}
+/**
+* Detect the canonical CDK 2.x `DomainName` shape that points a
+* CloudFront Origin at a Function URL:
+*   {Fn::Select: [2, {Fn::Split: ['/', {Fn::GetAtt: [<id>, 'FunctionUrl']}]}]}
+* Returns the Function URL's logical ID, or undefined if the shape
+* doesn't match.
+*/
+function pickFnUrlLogicalIdFromOriginDomainName(value) {
+	if (!value || typeof value !== "object") return void 0;
+	const sel = value["Fn::Select"];
+	if (!Array.isArray(sel) || sel.length !== 2 || sel[0] !== 2) return void 0;
+	const split = sel[1];
+	if (!split || typeof split !== "object") return void 0;
+	const splitArgs = split["Fn::Split"];
+	if (!Array.isArray(splitArgs) || splitArgs.length !== 2 || splitArgs[0] !== "/") return void 0;
+	const getAtt = splitArgs[1];
+	if (!getAtt || typeof getAtt !== "object") return void 0;
+	const ga = getAtt["Fn::GetAtt"];
+	if (!Array.isArray(ga) || ga.length !== 2 || typeof ga[0] !== "string" || ga[1] !== "FunctionUrl") return;
+	return ga[0];
+}
+/**
+* Unwrap a `ResponseHeadersPolicyId` value to its referenced logical
+* ID. CDK 2.x synthesizes this as `{ Ref: <id> }`. Returns undefined
+* for the AWS-managed-policy ID form (literal UUID string) since
+* cdkd can't fetch those — and for any non-Ref shape.
+*/
+function pickRhpRefLogicalId(value) {
+	if (!value || typeof value !== "object") return void 0;
+	const ref = value["Ref"];
+	if (typeof ref !== "string" || ref.length === 0) return void 0;
+	return ref;
+}
+/**
+* Parse a CloudFront `ResponseHeadersPolicyConfig.CorsConfig` block
+* into the internal `CorsConfig` shape. Schema differs from Function
+* URL / HTTP API v2 (`AccessControl*` prefix + nested `Items` wrapper);
+* see `buildCorsConfigFromCloudFrontChain` JSDoc for the field mapping.
+*
+* Returns undefined when every value-bearing field is missing.
+*/
+function parseCloudFrontCorsConfig(raw) {
+	const allowOrigins = pickItemsStringArray(raw["AccessControlAllowOrigins"]);
+	const allowMethods = pickItemsStringArray(raw["AccessControlAllowMethods"]);
+	const allowHeaders = pickItemsStringArray(raw["AccessControlAllowHeaders"]);
+	const exposeHeaders = pickItemsStringArray(raw["AccessControlExposeHeaders"]);
+	const maxAgeRaw = raw["AccessControlMaxAgeSec"];
+	const allowCreds = raw["AccessControlAllowCredentials"];
+	if (allowOrigins.length === 0 && allowMethods.length === 0 && allowHeaders.length === 0 && exposeHeaders.length === 0 && maxAgeRaw === void 0 && allowCreds === void 0) return;
+	const config = {
+		AllowOrigins: allowOrigins,
+		AllowMethods: allowMethods,
+		AllowHeaders: allowHeaders,
+		ExposeHeaders: exposeHeaders
+	};
+	if (typeof maxAgeRaw === "number" && Number.isFinite(maxAgeRaw)) config.MaxAge = Math.trunc(maxAgeRaw);
+	if (typeof allowCreds === "boolean") config.AllowCredentials = allowCreds;
+	return config;
+}
+/**
+* CloudFront `AccessControl*Origins/Methods/Headers` use a nested
+* `Items: string[]` wrapper. Unwrap to a plain `string[]`.
+*/
+function pickItemsStringArray(value) {
+	if (!value || typeof value !== "object") return [];
+	const items = value["Items"];
+	return pickStringArray(items);
+}
+/**
 * Try to match an OPTIONS preflight request against the given CORS
 * config. Returns the canonical response when every check passes;
 * `null` when the request didn't satisfy AllowOrigins / AllowMethods /
@@ -51194,6 +51328,56 @@ function matchPreflight(req, config) {
 	};
 }
 /**
+* Apply CORS headers to an **actual** (non-preflight) response. CORS
+* spec requires that 2xx / 4xx / 5xx responses all carry
+* `Access-Control-Allow-Origin` (only preflight responses also need
+* `Allow-Methods` / `Allow-Headers` / `Max-Age`) — without it the
+* browser blocks the response body from JS regardless of status code.
+*
+* Looks up the route's `apiLogicalId` in `corsConfigByApiId`. When a
+* matching config + the request Origin satisfies `AllowOrigins`, sets:
+*
+*   - `Access-Control-Allow-Origin: <origin or *>`  (always)
+*   - `Vary: Origin`                                (when origin echoed)
+*   - `Access-Control-Allow-Credentials: true`      (when configured)
+*   - `Access-Control-Expose-Headers: <list>`       (when configured)
+*
+* `Allow-Methods` / `Allow-Headers` / `Max-Age` are preflight-only and
+* deliberately NOT set on actual responses.
+*
+* Caller must invoke this BEFORE writing the response body (otherwise
+* `res.headersSent` flips and `setHeader` becomes a no-op). Idempotent:
+* a second call with the same args overwrites the same headers.
+*
+* No-op when:
+*   - `route.apiLogicalId` is undefined (no surface-config-bearing
+*     resource — e.g. routes discovered before issue #644's apiLogicalId
+*     plumbing existed; harmless on routes without CORS to apply)
+*   - The route's API has no entry in `corsConfigByApiId`
+*   - The request has no `Origin` header (non-CORS request — same
+*     posture as the matchPreflight gate)
+*   - The Origin is not in the AllowOrigins list (browser will block
+*     anyway; we don't smuggle through unauthorized origins by accident)
+*/
+function applyCorsResponseHeaders(res, apiLogicalId, corsConfigByApiId, requestOrigin) {
+	if (!apiLogicalId) return;
+	const cors = corsConfigByApiId.get(apiLogicalId);
+	if (!cors) return;
+	if (!requestOrigin) return;
+	const originMatch = matchOrigin(requestOrigin, cors.AllowOrigins);
+	if (!originMatch) return;
+	const allowOrigin = originMatch === "*" && cors.AllowCredentials !== true ? "*" : requestOrigin;
+	res.setHeader("Access-Control-Allow-Origin", allowOrigin);
+	if (allowOrigin !== "*") {
+		const existing = res.getHeader("Vary");
+		if (typeof existing === "string" && existing.length > 0) {
+			if (!existing.split(",").map((t) => t.trim()).some((t) => t.toLowerCase() === "origin")) res.setHeader("Vary", `${existing}, Origin`);
+		} else res.setHeader("Vary", "Origin");
+	}
+	if (cors.AllowCredentials === true) res.setHeader("Access-Control-Allow-Credentials", "true");
+	if (cors.ExposeHeaders.length > 0) res.setHeader("Access-Control-Expose-Headers", cors.ExposeHeaders.join(","));
+}
+/**
 * Whether the request's Origin matches the AllowOrigins list. Returns
 * `'*'` when a wildcard matched, the literal entry on a literal match,
 * `null` otherwise. The literal case is used by the caller to decide
@@ -53103,11 +53287,16 @@ async function handleRequest(req, res, state, opts) {
 		writeError(res, 404, "{\"message\":\"Not Found\"}");
 		return;
 	}
+	const requestOrigin = pickFirstHeaderValue(collectHeaders(req), "origin") ?? void 0;
+	const applyCors = () => {
+		applyCorsResponseHeaders(res, match.route.apiLogicalId, state.corsConfigByApiId, requestOrigin);
+	};
 	if (match.route.mockCors) {
 		writeMockCorsPreflight(res, match.route.mockCors);
 		return;
 	}
 	if (match.route.unsupported) {
+		applyCors();
 		writeNotImplemented(res, match.route.unsupported.reason);
 		return;
 	}
@@ -53134,10 +53323,12 @@ async function handleRequest(req, res, state, opts) {
 			outcome = await runAuthorizerPass(authorizer, snapshot, matchCtx, state, opts, baseEvent["requestContext"]);
 		} catch (err) {
 			logger.error(`Authorizer ${authorizer.logicalId} threw for ${match.route.declaredAt}: ${err instanceof Error ? err.message : String(err)}`);
+			applyCors();
 			writeAuthRejection(res, match.route.apiVersion, "policy-deny", authorizer.kind);
 			return;
 		}
 		if (!outcome.result.allow) {
+			applyCors();
 			writeAuthRejection(res, match.route.apiVersion, outcome.denyKind ?? "policy-deny", authorizer.kind);
 			return;
 		}
@@ -53146,16 +53337,21 @@ async function handleRequest(req, res, state, opts) {
 		if (overlay) baseEvent = applyAuthorizerOverlay(baseEvent, overlay);
 	}
 	if (match.route.serviceIntegration) {
+		applyCors();
 		await handleServiceIntegrationRequest(req, res, match, bodyBuf, opts, authorizer, authResult);
 		return;
 	}
 	if (match.route.restV1Integration) {
 		try {
-			writeIntegrationOutcome(res, await dispatchRestV1Integration(match.route.restV1Integration, snapshot, matchCtx, state, opts));
+			const outcome = await dispatchRestV1Integration(match.route.restV1Integration, snapshot, matchCtx, state, opts);
+			applyCors();
+			writeIntegrationOutcome(res, outcome);
 		} catch (err) {
 			logger.error(`REST v1 ${match.route.restV1Integration.kind} dispatch failed for ${match.route.declaredAt}: ${err instanceof Error ? err.message : String(err)}`);
-			if (!res.headersSent) writeError(res, 502);
-			else res.end();
+			if (!res.headersSent) {
+				applyCors();
+				writeError(res, 502);
+			} else res.end();
 		}
 		return;
 	}
@@ -53164,6 +53360,7 @@ async function handleRequest(req, res, state, opts) {
 		handle = await state.pool.acquire(match.route.lambdaLogicalId);
 	} catch (err) {
 		logger.error(`Failed to acquire container for ${match.route.lambdaLogicalId}: ${err instanceof Error ? err.message : String(err)}`);
+		applyCors();
 		writeError(res, 502);
 		return;
 	}
@@ -53172,6 +53369,7 @@ async function handleRequest(req, res, state, opts) {
 		try {
 			streamResult = await invokeRieStreaming(handle.containerHost, handle.hostPort, baseEvent, opts.rieTimeoutMs);
 			try {
+				applyCors();
 				writeStreamingResponse(res, streamResult, () => state.pool.release(handle));
 			} catch (writeErr) {
 				streamResult.body.on("error", () => {});
@@ -53181,8 +53379,10 @@ async function handleRequest(req, res, state, opts) {
 			return;
 		} catch (err) {
 			logger.error(`RIE streaming invoke failed for ${match.route.lambdaLogicalId}: ${err instanceof Error ? err.message : String(err)}`);
-			if (!res.headersSent) writeError(res, 502);
-			else res.end();
+			if (!res.headersSent) {
+				applyCors();
+				writeError(res, 502);
+			} else res.end();
 			state.pool.release(handle);
 			return;
 		}
@@ -53192,11 +53392,14 @@ async function handleRequest(req, res, state, opts) {
 		res.statusCode = translated.statusCode;
 		for (const [name, value] of Object.entries(translated.headers)) res.setHeader(name, value);
 		if (translated.cookies.length > 0) res.setHeader("set-cookie", translated.cookies);
+		applyCors();
 		res.end(translated.body);
 	} catch (err) {
 		logger.error(`RIE invoke failed for ${match.route.lambdaLogicalId}: ${err instanceof Error ? err.message : String(err)}`);
-		if (!res.headersSent) writeError(res, 502);
-		else res.end();
+		if (!res.headersSent) {
+			applyCors();
+			writeError(res, 502);
+		} else res.end();
 	} finally {
 		state.pool.release(handle);
 	}
@@ -54528,8 +54731,10 @@ async function localStartApiCommand(target, options) {
 		}
 		const corsConfigByApiId = /* @__PURE__ */ new Map();
 		for (const stack of targetStacks) {
-			const m = buildCorsConfigByApiId(stack.template);
-			for (const [k, v] of m) corsConfigByApiId.set(k, v);
+			const fromCloudFront = buildCorsConfigFromCloudFrontChain(stack.template);
+			for (const [k, v] of fromCloudFront) corsConfigByApiId.set(k, v);
+			const direct = buildCorsConfigByApiId(stack.template);
+			for (const [k, v] of direct) corsConfigByApiId.set(k, v);
 		}
 		const stateByStack = options.fromState || isCfnFlagPresent(options) ? await loadStateForRoutedStacks(targetStacks, routes, routesWithAuth, options) : /* @__PURE__ */ new Map();
 		const lambdaIds = uniqueLambdaIds(routes, routesWithAuth, webSocketApis);
@@ -60065,7 +60270,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.162.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.162.2");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());