feat: not check cognito User Pool Authorizers for OPTIONS method (#1834)

OPTIONS requests should be allowed without authentication. OPTIONS is the HTTP method used for CORS-preflight requests and the [CORS specification](https://fetch.spec.whatwg.org/#cors-protocol-and-credentials) confirms as follows: a CORS-preflight request never includes credentials.
cdklabs · Nov 14, 2024 · e9dfd46 · e9dfd46
1 parent 0999170
commit e9dfd46
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 6 deletions.
diff --git a/src/rules/cognito/CognitoUserPoolAPIGWAuthorizer.ts b/src/rules/cognito/CognitoUserPoolAPIGWAuthorizer.ts
@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0
 import { parse } from 'path';
 import { CfnResource } from 'aws-cdk-lib';
 import { CfnMethod } from 'aws-cdk-lib/aws-apigateway';
-import { NagRuleCompliance } from '../../nag-rules';
+import { NagRuleCompliance, NagRules } from '../../nag-rules';
 
 /**
  * Rest API methods use Cognito User Pool Authorizers
@@ -14,6 +14,10 @@ import { NagRuleCompliance } from '../../nag-rules';
 export default Object.defineProperty(
   (node: CfnResource): NagRuleCompliance => {
     if (node instanceof CfnMethod) {
+      const httpMethod = NagRules.resolveIfPrimitive(node, node.httpMethod);
+      if (httpMethod === 'OPTIONS') {
+        return NagRuleCompliance.NOT_APPLICABLE;
+      }
       if (node.authorizationType !== 'COGNITO_USER_POOLS') {
         return NagRuleCompliance.NON_COMPLIANT;
       }

diff --git a/test/rules/Cognito.test.ts b/test/rules/Cognito.test.ts
@@ -2,15 +2,15 @@
 Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 SPDX-License-Identifier: Apache-2.0
 */
-import { RestApi, AuthorizationType } from 'aws-cdk-lib/aws-apigateway';
+import { AuthorizationType, Cors, RestApi } from 'aws-cdk-lib/aws-apigateway';
 import {
-  UserPool,
-  Mfa,
-  CfnUserPool,
   CfnIdentityPool,
+  CfnUserPool,
+  Mfa,
+  UserPool,
 } from 'aws-cdk-lib/aws-cognito';
 import { Aspects, Stack } from 'aws-cdk-lib/core';
-import { validateStack, TestType, TestPack } from './utils';
+import { TestPack, TestType, validateStack } from './utils';
 import {
   CognitoUserPoolAPIGWAuthorizer,
   CognitoUserPoolAdvancedSecurityModeEnforced,
@@ -114,6 +114,15 @@ describe('Amazon Cognito', () => {
       });
       validateStack(stack, ruleId, TestType.COMPLIANCE);
     });
+
+    test('Compliance 2', () => {
+      new RestApi(stack, 'Rest', {
+        defaultCorsPreflightOptions: {
+          allowOrigins: Cors.ALL_ORIGINS,
+        },
+      });
+      validateStack(stack, ruleId, TestType.COMPLIANCE);
+    });
   });
 
   describe('CognitoUserPoolNoUnauthenticatedLogins: Cognito identity pools do not allow for unauthenticated logins without a valid reason', () => {