Merge branch 'main' into dependabot/npm_and_yarn/main/esbuild-0.25.10

Author: svozza

docs/requirements.in

@@ -3,4 +3,4 @@ mkdocs-material==9.6.20
 mkdocs-git-revision-date-plugin==0.3.2
 mkdocs-exclude==1.0.2
 mkdocs-typedoc==1.0.4
-mkdocs-llmstxt==0.3.1
+mkdocs-llmstxt==0.3.2

docs/requirements.txt

@@ -274,9 +274,9 @@ mkdocs-get-deps==0.2.0 \
 mkdocs-git-revision-date-plugin==0.3.2 \
     --hash=sha256:2e67956cb01823dd2418e2833f3623dee8604cdf223bddd005fe36226a56f6ef
     # via -r requirements.in
-mkdocs-llmstxt==0.3.1 \
-    --hash=sha256:123119d9b984c1d1224ed5af250bfbc49879ad83decdaff59d8b0ebb459ddc54 \
-    --hash=sha256:31f5b6aaae6123c09a2b1c32912c3eb21ccb356b5db7abb867f105e8cc392653
+mkdocs-llmstxt==0.3.2 \
+    --hash=sha256:dd63acb8257fca3244058fd820acd4700c1626dbe48ad3a1a2cc9c599f8e4b7f \
+    --hash=sha256:fb363205d6f1452411dc5069f62012cb6b29e1788f6db9cc17793bdca7eabea8
     # via -r requirements.in
 mkdocs-material==9.6.20 \
     --hash=sha256:b8d8c8b0444c7c06dd984b55ba456ce731f0035c5a1533cc86793618eb1e6c82 \

examples/app/package.json

@@ -29,7 +29,7 @@
   },
   "devDependencies": {
     "@types/aws-lambda": "^8.10.152",
-    "@types/node": "24.5.1",
+    "@types/node": "24.5.2",
     "aws-cdk-lib": "^2.214.0",
     "constructs": "^10.4.2",
     "source-map-support": "^0.5.21",
@@ -48,7 +48,7 @@
     "@aws-sdk/lib-dynamodb": "^3.888.0",
     "@middy/core": "^4.7.0",
     "@types/aws-lambda": "^8.10.152",
-    "@types/node": "24.5.1",
+    "@types/node": "24.5.2",
     "aws-cdk": "^2.1029.1",
     "constructs": "^10.4.2",
     "esbuild": "^0.25.10",

package-lock.json

@@ -52,7 +52,7 @@
   "devDependencies": {
     "@biomejs/biome": "^2.2.4",
     "@types/aws-lambda": "^8.10.152",
-    "@types/node": "^24.5.1",
+    "@types/node": "^24.5.2",
     "@vitest/coverage-v8": "^3.2.4",
     "husky": "^9.1.7",
     "lint-staged": "^16.1.6",

package.json

@@ -226,33 +226,40 @@ class Router {
 
       const route = this.routeRegistry.resolve(method, path);
 
-      if (route === null) {
-        throw new NotFoundError(`Route ${path} for method ${method} not found`);
-      }
-
-      const handler =
-        options?.scope != null
-          ? route.handler.bind(options.scope)
-          : route.handler;
-
       const handlerMiddleware: Middleware = async (params, reqCtx, next) => {
-        const handlerResult = await handler(params, reqCtx);
-        reqCtx.res = handlerResultToWebResponse(
-          handlerResult,
-          reqCtx.res.headers
-        );
+        if (route === null) {
+          const notFoundRes = await this.handleError(
+            new NotFoundError(`Route ${path} for method ${method} not found`),
+            { ...reqCtx, scope: options?.scope }
+          );
+          reqCtx.res = handlerResultToWebResponse(
+            notFoundRes,
+            reqCtx.res.headers
+          );
+        } else {
+          const handler =
+            options?.scope != null
+              ? route.handler.bind(options.scope)
+              : route.handler;
+
+          const handlerResult = await handler(params, reqCtx);
+          reqCtx.res = handlerResultToWebResponse(
+            handlerResult,
+            reqCtx.res.headers
+          );
+        }
 
         await next();
       };
 
       const middleware = composeMiddleware([
         ...this.middleware,
-        ...route.middleware,
+        ...(route?.middleware ?? []),
         handlerMiddleware,
       ]);
 
       const middlewareResult = await middleware(
-        route.params,
+        route?.params ?? {},
         requestContext,
         () => Promise.resolve()
       );

packages/event-handler/src/rest/Router.ts

@@ -88,6 +88,23 @@ export const SAFE_CHARS = "-._~()'!*:@,;=+&$";
 
 export const UNSAFE_CHARS = '%<> \\[\\]{}|^';
 
+/**
+ * Default CORS configuration
+ */
+export const DEFAULT_CORS_OPTIONS = {
+  origin: '*',
+  allowMethods: ['DELETE', 'GET', 'HEAD', 'PATCH', 'POST', 'PUT'],
+  allowHeaders: [
+    'Authorization',
+    'Content-Type',
+    'X-Amz-Date',
+    'X-Api-Key',
+    'X-Amz-Security-Token',
+  ],
+  exposeHeaders: [],
+  credentials: false
+};
+
 export const DEFAULT_COMPRESSION_RESPONSE_THRESHOLD = 1024;
 
 export const CACHE_CONTROL_NO_TRANSFORM_REGEX =

packages/event-handler/src/rest/constants.ts

@@ -140,7 +140,14 @@ export const handlerResultToWebResponse = (
   resHeaders?: Headers
 ): Response => {
   if (response instanceof Response) {
-    return response;
+    const headers = new Headers(resHeaders);
+    for (const [key, value] of response.headers.entries()) {
+      headers.set(key, value);
+    }
+    return new Response(response.body, {
+      status: response.status,
+      headers,
+    });
   }
 
   const headers = new Headers(resHeaders);

packages/event-handler/src/rest/converters.ts

@@ -0,0 +1,98 @@
+import type {
+  CorsOptions,
+  Middleware,
+} from '../../types/rest.js';
+import {
+  DEFAULT_CORS_OPTIONS,
+  HttpErrorCodes,
+  HttpVerbs,
+} from '../constants.js';
+
+/**
+ * Resolves the origin value based on the configuration
+ */
+const resolveOrigin = (
+  originConfig: NonNullable<CorsOptions['origin']>,
+  requestOrigin: string | null,
+): string => {
+  if (Array.isArray(originConfig)) {
+    return requestOrigin && originConfig.includes(requestOrigin) ? requestOrigin : '';
+  }
+  return originConfig;
+};
+
+/**
+ * Creates a CORS middleware that adds appropriate CORS headers to responses
+ * and handles OPTIONS preflight requests.
+ *
+ * @example
+ * ```typescript
+ * import { Router } from '@aws-lambda-powertools/event-handler/experimental-rest';
+ * import { cors } from '@aws-lambda-powertools/event-handler/experimental-rest/middleware';
+ * 
+ * const app = new Router();
+ * 
+ * // Use default configuration
+ * app.use(cors());
+ *
+ * // Custom configuration
+ * app.use(cors({
+ *   origin: 'https://example.com',
+ *   allowMethods: ['GET', 'POST'],
+ *   credentials: true,
+ * }));
+ *
+ * // Dynamic origin with function
+ * app.use(cors({
+ *   origin: (origin, reqCtx) => {
+ *     const allowedOrigins = ['https://app.com', 'https://admin.app.com'];
+ *     return origin && allowedOrigins.includes(origin);
+ *   }
+ * }));
+ * ```
+ * 
+ * @param options.origin - The origin to allow requests from
+ * @param options.allowMethods - The HTTP methods to allow
+ * @param options.allowHeaders - The headers to allow
+ * @param options.exposeHeaders - The headers to expose
+ * @param options.credentials - Whether to allow credentials
+ * @param options.maxAge - The maximum age for the preflight response
+ */
+export const cors = (options?: CorsOptions): Middleware => {
+  const config = {
+    ...DEFAULT_CORS_OPTIONS,
+    ...options
+  };
+
+  return async (_params, reqCtx, next) => {
+    const requestOrigin = reqCtx.request.headers.get('Origin');
+    const resolvedOrigin = resolveOrigin(config.origin, requestOrigin);
+
+    reqCtx.res.headers.set('access-control-allow-origin', resolvedOrigin);
+    if (resolvedOrigin !== '*') {
+      reqCtx.res.headers.set('Vary', 'Origin');
+    }
+    config.allowMethods.forEach(method => {
+      reqCtx.res.headers.append('access-control-allow-methods', method);
+    });
+    config.allowHeaders.forEach(header => {
+      reqCtx.res.headers.append('access-control-allow-headers', header);
+    });
+    config.exposeHeaders.forEach(header => {
+      reqCtx.res.headers.append('access-control-expose-headers', header);
+    });
+    reqCtx.res.headers.set('access-control-allow-credentials', config.credentials.toString());
+    if (config.maxAge !== undefined) {
+      reqCtx.res.headers.set('access-control-max-age', config.maxAge.toString());
+    }
+
+    // Handle preflight OPTIONS request
+    if (reqCtx.request.method === HttpVerbs.OPTIONS && reqCtx.request.headers.has('Access-Control-Request-Method')) {
+      return new Response(null, {
+        status: HttpErrorCodes.NO_CONTENT,
+        headers: reqCtx.res.headers,
+      });
+    }
+    await next();
+  };
+};

packages/event-handler/src/rest/middleware/cors.ts

@@ -1 +1,2 @@
 export { compress } from './compress.js';
+export { cors } from './cors.js';