Bug: ALB with multiValueHeaders will not return correct CORS headers in OPTIONS preflight

[tonnico]

Expected Behaviour

An OPTIONS preflight should return all "Access-Control-*" headers.

Current Behaviour

powertools-lambda-python/aws_lambda_powertools/event_handler/api_gateway.py

Line 2132 in 87d580a

headers.update(self._cors.to_dict(self.current_event.get_header_value("Origin")))

will only fetch "headers" from the event. This will return None in an ALBEvent with multiValueHeaders enabled.

Code snippet

cors = CORSConfig(
    allow_origin="*",
    allow_credentials=True,
)

app = ALBResolver(cors=cors)

Possible Solution

_origin_header = self.current_event.resolved_headers_field.get("origin")  # case insensitive?!?
_origin = _origin_header if isinstance(_origin_header, str) else _origin_header.pop(None)
headers.update(self._cors.to_dict(_origin))

Steps to Reproduce

curl -X OPTIONS https://xxx.amazonaws.com -H "origin: http://example.com"

... snip
< HTTP/2 204
< server: awselb/2.0
< date: Tue, 14 May 2024 09:06:13 GMT
< access-control-allow-methods: CONNECT,DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT,TRACE

Powertools for AWS Lambda (Python) version

latest

AWS Lambda function runtime

3.12

Packaging format used

Lambda Layers

Debugging logs

No response

[leandrodamascena]

Hi @wurstnase! Thanks for opening this issue! I'm adding this to the backlog and an alert on my calendar to check next week.

[leandrodamascena]

Hey @wurstnase! I created a PR to fix this issue - #4385

Thanks for bringing an idea on how to solve this problem. I had to make some additional debugging to ensure that it works with all of our Resolvers. The fix allows us to handle both single and multi-header scenarios without any issues.

Can you pls review the PR and let me know if you have any other feedback. I'm looking forward to getting this fix merged and deployed to production. 🚀