@go-to-k/cdkd 0.162.1 → 0.162.2

package/dist/cli.js

@@ -51328,6 +51328,56 @@ function matchPreflight(req, config) {
 	};
 }
 /**
+* Apply CORS headers to an **actual** (non-preflight) response. CORS
+* spec requires that 2xx / 4xx / 5xx responses all carry
+* `Access-Control-Allow-Origin` (only preflight responses also need
+* `Allow-Methods` / `Allow-Headers` / `Max-Age`) — without it the
+* browser blocks the response body from JS regardless of status code.
+*
+* Looks up the route's `apiLogicalId` in `corsConfigByApiId`. When a
+* matching config + the request Origin satisfies `AllowOrigins`, sets:
+*
+*   - `Access-Control-Allow-Origin: <origin or *>`  (always)
+*   - `Vary: Origin`                                (when origin echoed)
+*   - `Access-Control-Allow-Credentials: true`      (when configured)
+*   - `Access-Control-Expose-Headers: <list>`       (when configured)
+*
+* `Allow-Methods` / `Allow-Headers` / `Max-Age` are preflight-only and
+* deliberately NOT set on actual responses.
+*
+* Caller must invoke this BEFORE writing the response body (otherwise
+* `res.headersSent` flips and `setHeader` becomes a no-op). Idempotent:
+* a second call with the same args overwrites the same headers.
+*
+* No-op when:
+*   - `route.apiLogicalId` is undefined (no surface-config-bearing
+*     resource — e.g. routes discovered before issue #644's apiLogicalId
+*     plumbing existed; harmless on routes without CORS to apply)
+*   - The route's API has no entry in `corsConfigByApiId`
+*   - The request has no `Origin` header (non-CORS request — same
+*     posture as the matchPreflight gate)
+*   - The Origin is not in the AllowOrigins list (browser will block
+*     anyway; we don't smuggle through unauthorized origins by accident)
+*/
+function applyCorsResponseHeaders(res, apiLogicalId, corsConfigByApiId, requestOrigin) {
+	if (!apiLogicalId) return;
+	const cors = corsConfigByApiId.get(apiLogicalId);
+	if (!cors) return;
+	if (!requestOrigin) return;
+	const originMatch = matchOrigin(requestOrigin, cors.AllowOrigins);
+	if (!originMatch) return;
+	const allowOrigin = originMatch === "*" && cors.AllowCredentials !== true ? "*" : requestOrigin;
+	res.setHeader("Access-Control-Allow-Origin", allowOrigin);
+	if (allowOrigin !== "*") {
+		const existing = res.getHeader("Vary");
+		if (typeof existing === "string" && existing.length > 0) {
+			if (!existing.split(",").map((t) => t.trim()).some((t) => t.toLowerCase() === "origin")) res.setHeader("Vary", `${existing}, Origin`);
+		} else res.setHeader("Vary", "Origin");
+	}
+	if (cors.AllowCredentials === true) res.setHeader("Access-Control-Allow-Credentials", "true");
+	if (cors.ExposeHeaders.length > 0) res.setHeader("Access-Control-Expose-Headers", cors.ExposeHeaders.join(","));
+}
+/**
 * Whether the request's Origin matches the AllowOrigins list. Returns
 * `'*'` when a wildcard matched, the literal entry on a literal match,
 * `null` otherwise. The literal case is used by the caller to decide
@@ -53237,11 +53287,16 @@ async function handleRequest(req, res, state, opts) {
 		writeError(res, 404, "{\"message\":\"Not Found\"}");
 		return;
 	}
+	const requestOrigin = pickFirstHeaderValue(collectHeaders(req), "origin") ?? void 0;
+	const applyCors = () => {
+		applyCorsResponseHeaders(res, match.route.apiLogicalId, state.corsConfigByApiId, requestOrigin);
+	};
 	if (match.route.mockCors) {
 		writeMockCorsPreflight(res, match.route.mockCors);
 		return;
 	}
 	if (match.route.unsupported) {
+		applyCors();
 		writeNotImplemented(res, match.route.unsupported.reason);
 		return;
 	}
@@ -53268,10 +53323,12 @@ async function handleRequest(req, res, state, opts) {
 			outcome = await runAuthorizerPass(authorizer, snapshot, matchCtx, state, opts, baseEvent["requestContext"]);
 		} catch (err) {
 			logger.error(`Authorizer ${authorizer.logicalId} threw for ${match.route.declaredAt}: ${err instanceof Error ? err.message : String(err)}`);
+			applyCors();
 			writeAuthRejection(res, match.route.apiVersion, "policy-deny", authorizer.kind);
 			return;
 		}
 		if (!outcome.result.allow) {
+			applyCors();
 			writeAuthRejection(res, match.route.apiVersion, outcome.denyKind ?? "policy-deny", authorizer.kind);
 			return;
 		}
@@ -53280,16 +53337,21 @@ async function handleRequest(req, res, state, opts) {
 		if (overlay) baseEvent = applyAuthorizerOverlay(baseEvent, overlay);
 	}
 	if (match.route.serviceIntegration) {
+		applyCors();
 		await handleServiceIntegrationRequest(req, res, match, bodyBuf, opts, authorizer, authResult);
 		return;
 	}
 	if (match.route.restV1Integration) {
 		try {
-			writeIntegrationOutcome(res, await dispatchRestV1Integration(match.route.restV1Integration, snapshot, matchCtx, state, opts));
+			const outcome = await dispatchRestV1Integration(match.route.restV1Integration, snapshot, matchCtx, state, opts);
+			applyCors();
+			writeIntegrationOutcome(res, outcome);
 		} catch (err) {
 			logger.error(`REST v1 ${match.route.restV1Integration.kind} dispatch failed for ${match.route.declaredAt}: ${err instanceof Error ? err.message : String(err)}`);
-			if (!res.headersSent) writeError(res, 502);
-			else res.end();
+			if (!res.headersSent) {
+				applyCors();
+				writeError(res, 502);
+			} else res.end();
 		}
 		return;
 	}
@@ -53298,6 +53360,7 @@ async function handleRequest(req, res, state, opts) {
 		handle = await state.pool.acquire(match.route.lambdaLogicalId);
 	} catch (err) {
 		logger.error(`Failed to acquire container for ${match.route.lambdaLogicalId}: ${err instanceof Error ? err.message : String(err)}`);
+		applyCors();
 		writeError(res, 502);
 		return;
 	}
@@ -53306,6 +53369,7 @@ async function handleRequest(req, res, state, opts) {
 		try {
 			streamResult = await invokeRieStreaming(handle.containerHost, handle.hostPort, baseEvent, opts.rieTimeoutMs);
 			try {
+				applyCors();
 				writeStreamingResponse(res, streamResult, () => state.pool.release(handle));
 			} catch (writeErr) {
 				streamResult.body.on("error", () => {});
@@ -53315,8 +53379,10 @@ async function handleRequest(req, res, state, opts) {
 			return;
 		} catch (err) {
 			logger.error(`RIE streaming invoke failed for ${match.route.lambdaLogicalId}: ${err instanceof Error ? err.message : String(err)}`);
-			if (!res.headersSent) writeError(res, 502);
-			else res.end();
+			if (!res.headersSent) {
+				applyCors();
+				writeError(res, 502);
+			} else res.end();
 			state.pool.release(handle);
 			return;
 		}
@@ -53326,11 +53392,14 @@ async function handleRequest(req, res, state, opts) {
 		res.statusCode = translated.statusCode;
 		for (const [name, value] of Object.entries(translated.headers)) res.setHeader(name, value);
 		if (translated.cookies.length > 0) res.setHeader("set-cookie", translated.cookies);
+		applyCors();
 		res.end(translated.body);
 	} catch (err) {
 		logger.error(`RIE invoke failed for ${match.route.lambdaLogicalId}: ${err instanceof Error ? err.message : String(err)}`);
-		if (!res.headersSent) writeError(res, 502);
-		else res.end();
+		if (!res.headersSent) {
+			applyCors();
+			writeError(res, 502);
+		} else res.end();
 	} finally {
 		state.pool.release(handle);
 	}
@@ -60201,7 +60270,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.162.1");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.162.2");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());