Merge branch 'main' into dependabot/npm_and_yarn/main/types/node-24.5.2

svozza · web-flow · commit 0917e8c9edff · 2025-09-20T09:16:56.000+01:00
diff --git a/docs/requirements.in b/docs/requirements.in
@@ -3,4 +3,4 @@ mkdocs-material==9.6.20
 mkdocs-git-revision-date-plugin==0.3.2
 mkdocs-exclude==1.0.2
 mkdocs-typedoc==1.0.4
-mkdocs-llmstxt==0.3.1
+mkdocs-llmstxt==0.3.2
diff --git a/docs/requirements.txt b/docs/requirements.txt
@@ -274,9 +274,9 @@ mkdocs-get-deps==0.2.0 \
 mkdocs-git-revision-date-plugin==0.3.2 \
     --hash=sha256:2e67956cb01823dd2418e2833f3623dee8604cdf223bddd005fe36226a56f6ef
     # via -r requirements.in
-mkdocs-llmstxt==0.3.1 \
-    --hash=sha256:123119d9b984c1d1224ed5af250bfbc49879ad83decdaff59d8b0ebb459ddc54 \
-    --hash=sha256:31f5b6aaae6123c09a2b1c32912c3eb21ccb356b5db7abb867f105e8cc392653
+mkdocs-llmstxt==0.3.2 \
+    --hash=sha256:dd63acb8257fca3244058fd820acd4700c1626dbe48ad3a1a2cc9c599f8e4b7f \
+    --hash=sha256:fb363205d6f1452411dc5069f62012cb6b29e1788f6db9cc17793bdca7eabea8
     # via -r requirements.in
 mkdocs-material==9.6.20 \
     --hash=sha256:b8d8c8b0444c7c06dd984b55ba456ce731f0035c5a1533cc86793618eb1e6c82 \
diff --git a/packages/event-handler/src/rest/Router.ts b/packages/event-handler/src/rest/Router.ts
@@ -226,33 +226,40 @@ class Router {
 
       const route = this.routeRegistry.resolve(method, path);
 
-      if (route === null) {
-        throw new NotFoundError(`Route ${path} for method ${method} not found`);
-      }
-
-      const handler =
-        options?.scope != null
-          ? route.handler.bind(options.scope)
-          : route.handler;
-
       const handlerMiddleware: Middleware = async (params, reqCtx, next) => {
-        const handlerResult = await handler(params, reqCtx);
-        reqCtx.res = handlerResultToWebResponse(
-          handlerResult,
-          reqCtx.res.headers
-        );
+        if (route === null) {
+          const notFoundRes = await this.handleError(
+            new NotFoundError(`Route ${path} for method ${method} not found`),
+            { ...reqCtx, scope: options?.scope }
+          );
+          reqCtx.res = handlerResultToWebResponse(
+            notFoundRes,
+            reqCtx.res.headers
+          );
+        } else {
+          const handler =
+            options?.scope != null
+              ? route.handler.bind(options.scope)
+              : route.handler;
+
+          const handlerResult = await handler(params, reqCtx);
+          reqCtx.res = handlerResultToWebResponse(
+            handlerResult,
+            reqCtx.res.headers
+          );
+        }
 
         await next();
       };
 
       const middleware = composeMiddleware([
         ...this.middleware,
-        ...route.middleware,
+        ...(route?.middleware ?? []),
         handlerMiddleware,
       ]);
 
       const middlewareResult = await middleware(
-        route.params,
+        route?.params ?? {},
         requestContext,
         () => Promise.resolve()
       );
diff --git a/packages/event-handler/src/rest/constants.ts b/packages/event-handler/src/rest/constants.ts
@@ -88,6 +88,23 @@ export const SAFE_CHARS = "-._~()'!*:@,;=+&$";
 
 export const UNSAFE_CHARS = '%<> \\[\\]{}|^';
 
+/**
+ * Default CORS configuration
+ */
+export const DEFAULT_CORS_OPTIONS = {
+  origin: '*',
+  allowMethods: ['DELETE', 'GET', 'HEAD', 'PATCH', 'POST', 'PUT'],
+  allowHeaders: [
+    'Authorization',
+    'Content-Type',
+    'X-Amz-Date',
+    'X-Api-Key',
+    'X-Amz-Security-Token',
+  ],
+  exposeHeaders: [],
+  credentials: false
+};
+
 export const DEFAULT_COMPRESSION_RESPONSE_THRESHOLD = 1024;
 
 export const CACHE_CONTROL_NO_TRANSFORM_REGEX =
diff --git a/packages/event-handler/src/rest/converters.ts b/packages/event-handler/src/rest/converters.ts
@@ -140,7 +140,14 @@ export const handlerResultToWebResponse = (
   resHeaders?: Headers
 ): Response => {
   if (response instanceof Response) {
-    return response;
+    const headers = new Headers(resHeaders);
+    for (const [key, value] of response.headers.entries()) {
+      headers.set(key, value);
+    }
+    return new Response(response.body, {
+      status: response.status,
+      headers,
+    });
   }
 
   const headers = new Headers(resHeaders);
diff --git a/packages/event-handler/src/rest/middleware/cors.ts b/packages/event-handler/src/rest/middleware/cors.ts
@@ -0,0 +1,98 @@
+import type {
+  CorsOptions,
+  Middleware,
+} from '../../types/rest.js';
+import {
+  DEFAULT_CORS_OPTIONS,
+  HttpErrorCodes,
+  HttpVerbs,
+} from '../constants.js';
+
+/**
+ * Resolves the origin value based on the configuration
+ */
+const resolveOrigin = (
+  originConfig: NonNullable<CorsOptions['origin']>,
+  requestOrigin: string | null,
+): string => {
+  if (Array.isArray(originConfig)) {
+    return requestOrigin && originConfig.includes(requestOrigin) ? requestOrigin : '';
+  }
+  return originConfig;
+};
+
+/**
+ * Creates a CORS middleware that adds appropriate CORS headers to responses
+ * and handles OPTIONS preflight requests.
+ *
+ * @example
+ * ```typescript
+ * import { Router } from '@aws-lambda-powertools/event-handler/experimental-rest';
+ * import { cors } from '@aws-lambda-powertools/event-handler/experimental-rest/middleware';
+ * 
+ * const app = new Router();
+ * 
+ * // Use default configuration
+ * app.use(cors());
+ *
+ * // Custom configuration
+ * app.use(cors({
+ *   origin: 'https://example.com',
+ *   allowMethods: ['GET', 'POST'],
+ *   credentials: true,
+ * }));
+ *
+ * // Dynamic origin with function
+ * app.use(cors({
+ *   origin: (origin, reqCtx) => {
+ *     const allowedOrigins = ['https://app.com', 'https://admin.app.com'];
+ *     return origin && allowedOrigins.includes(origin);
+ *   }
+ * }));
+ * ```
+ * 
+ * @param options.origin - The origin to allow requests from
+ * @param options.allowMethods - The HTTP methods to allow
+ * @param options.allowHeaders - The headers to allow
+ * @param options.exposeHeaders - The headers to expose
+ * @param options.credentials - Whether to allow credentials
+ * @param options.maxAge - The maximum age for the preflight response
+ */
+export const cors = (options?: CorsOptions): Middleware => {
+  const config = {
+    ...DEFAULT_CORS_OPTIONS,
+    ...options
+  };
+
+  return async (_params, reqCtx, next) => {
+    const requestOrigin = reqCtx.request.headers.get('Origin');
+    const resolvedOrigin = resolveOrigin(config.origin, requestOrigin);
+
+    reqCtx.res.headers.set('access-control-allow-origin', resolvedOrigin);
+    if (resolvedOrigin !== '*') {
+      reqCtx.res.headers.set('Vary', 'Origin');
+    }
+    config.allowMethods.forEach(method => {
+      reqCtx.res.headers.append('access-control-allow-methods', method);
+    });
+    config.allowHeaders.forEach(header => {
+      reqCtx.res.headers.append('access-control-allow-headers', header);
+    });
+    config.exposeHeaders.forEach(header => {
+      reqCtx.res.headers.append('access-control-expose-headers', header);
+    });
+    reqCtx.res.headers.set('access-control-allow-credentials', config.credentials.toString());
+    if (config.maxAge !== undefined) {
+      reqCtx.res.headers.set('access-control-max-age', config.maxAge.toString());
+    }
+
+    // Handle preflight OPTIONS request
+    if (reqCtx.request.method === HttpVerbs.OPTIONS && reqCtx.request.headers.has('Access-Control-Request-Method')) {
+      return new Response(null, {
+        status: HttpErrorCodes.NO_CONTENT,
+        headers: reqCtx.res.headers,
+      });
+    }
+    await next();
+  };
+};
diff --git a/packages/event-handler/src/rest/middleware/index.ts b/packages/event-handler/src/rest/middleware/index.ts
@@ -1 +1,2 @@
 export { compress } from './compress.js';
+export { cors } from './cors.js';
diff --git a/packages/event-handler/src/types/index.ts b/packages/event-handler/src/types/index.ts
@@ -32,6 +32,7 @@ export type {
 } from './common.js';
 
 export type {
+  CorsOptions,
   ErrorHandler,
   ErrorResolveOptions,
   ErrorResponse,
diff --git a/packages/event-handler/src/types/rest.ts b/packages/event-handler/src/types/rest.ts
@@ -111,13 +111,56 @@ type ValidationResult = {
   issues: string[];
 };
 
+/**
+ * Configuration options for CORS middleware
+ */
+type CorsOptions = {
+  /**
+   * The Access-Control-Allow-Origin header value.
+   * Can be a string, array of strings.
+   * @default '*'
+   */
+  origin?: string | string[];
+
+  /**
+   * The Access-Control-Allow-Methods header value.
+   * @default ['DELETE', 'GET', 'HEAD', 'PATCH', 'POST', 'PUT']
+   */
+  allowMethods?: string[];
+
+  /**
+   * The Access-Control-Allow-Headers header value.
+   * @default ['Authorization', 'Content-Type', 'X-Amz-Date', 'X-Api-Key', 'X-Amz-Security-Token']
+   */
+  allowHeaders?: string[];
+
+  /**
+   * The Access-Control-Expose-Headers header value.
+   * @default []
+   */
+  exposeHeaders?: string[];
+
+  /**
+   * The Access-Control-Allow-Credentials header value.
+   * @default false
+   */
+  credentials?: boolean;
+
+  /**
+   * The Access-Control-Max-Age header value in seconds.
+   * Only applicable for preflight requests.
+   */
+  maxAge?: number;
+};
+
 type CompressionOptions = {
   encoding?: 'gzip' | 'deflate';
   threshold?: number;
 };
 
 export type {
   CompiledRoute,
+  CorsOptions,
   DynamicRoute,
   ErrorResponse,
   ErrorConstructor,
diff --git a/packages/event-handler/tests/unit/rest/Router/decorators.test.ts b/packages/event-handler/tests/unit/rest/Router/decorators.test.ts
@@ -256,29 +256,32 @@ describe('Class: Router - Decorators', () => {
       });
     });
 
-    it('works with notFound decorator', async () => {
+    it('works with notFound decorator and preserves scope', async () => {
       // Prepare
       const app = new Router();
 
       class Lambda {
+        public scope = 'scoped';
+
         @app.notFound()
         public async handleNotFound(error: NotFoundError) {
           return {
             statusCode: HttpErrorCodes.NOT_FOUND,
             error: 'Not Found',
-            message: `Decorated: ${error.message}`,
+            message: `${this.scope}: ${error.message}`,
           };
         }
 
         public async handler(event: unknown, _context: Context) {
-          return app.resolve(event, _context);
+          return app.resolve(event, _context, { scope: this });
         }
       }
 
       const lambda = new Lambda();
+      const handler = lambda.handler.bind(lambda);
 
       // Act
-      const result = await lambda.handler(
+      const result = await handler(
         createTestEvent('/nonexistent', 'GET'),
         context
       );
@@ -289,7 +292,7 @@ describe('Class: Router - Decorators', () => {
         body: JSON.stringify({
           statusCode: HttpErrorCodes.NOT_FOUND,
           error: 'Not Found',
-          message: 'Decorated: Route /nonexistent for method GET not found',
+          message: 'scoped: Route /nonexistent for method GET not found',
         }),
         headers: { 'content-type': 'application/json' },
         isBase64Encoded: false,
diff --git a/packages/event-handler/tests/unit/rest/Router/middleware.test.ts b/packages/event-handler/tests/unit/rest/Router/middleware.test.ts
@@ -421,6 +421,33 @@ describe('Class: Router - Middleware', () => {
       });
     });
 
+    it('headers set by handler before next() take precedence', async () => {
+      // Prepare
+      const app = new Router();
+
+      app.use(async (_params, reqCtx, next) => {
+        reqCtx.res.headers.set('x-before-handler', 'middleware-value');
+        await next();
+      });
+
+      app.get('/handler-precedence', async () => {
+        const response = Response.json({ success: true });
+        response.headers.set('x-before-handler', 'handler-value');
+        return response;
+      });
+
+      // Act
+      const result = await app.resolve(
+        createTestEvent('/handler-precedence', 'GET'),
+        context
+      );
+
+      // Assess
+      expect(result.statusCode).toBe(200);
+      expect(result.headers?.['content-type']).toBe('application/json');
+      expect(result.headers?.['x-before-handler']).toBe('handler-value');
+    });
+
     it('overwrites headers when set later in the middleware stack', async () => {
       // Prepare
       const app = new Router();
@@ -455,6 +482,24 @@ describe('Class: Router - Middleware', () => {
       });
     });
 
+    it('executes global middleware even when route is not found', async () => {
+      // Prepare
+      const app = new Router();
+      const executionOrder: string[] = [];
+
+      const globalMiddleware = createTrackingMiddleware(
+        'global',
+        executionOrder
+      );
+      app.use(globalMiddleware);
+
+      // Act
+      await app.resolve(createTestEvent('/nonexistent', 'GET'), context);
+
+      // Assess
+      expect(executionOrder).toEqual(['global-start', 'global-end']);
+    });
+
     it('works with class decorators and preserves scope access', async () => {
       // Prepare
       const app = new Router();
diff --git a/packages/event-handler/tests/unit/rest/converters.test.ts b/packages/event-handler/tests/unit/rest/converters.test.ts
diff --git a/packages/event-handler/tests/unit/rest/helpers.ts b/packages/event-handler/tests/unit/rest/helpers.ts
diff --git a/packages/event-handler/tests/unit/rest/middleware/cors.test.ts b/packages/event-handler/tests/unit/rest/middleware/cors.test.ts

Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`	`1`	`export { compress } from './compress.js';`
	`2`	`+export { cors } from './cors.js';`