fix: addressed comments

Author: rubenfonseca

aws_lambda_powertools/event_handler/api_gateway.py

@@ -84,7 +84,7 @@ def with_cors():
 
     cors_config = CORSConfig(
         allow_origin="https://wwww.example.com/",
-        extra_origins=["https://www1.example.com/"],
+        extra_origins=["https://dev.example.com/"],
         expose_headers=["x-exposed-response-header"],
         allow_headers=["x-custom-request-header"],
         max_age=100,
@@ -132,9 +132,9 @@ def __init__(
         allow_credentials: bool
             A boolean value that sets the value of `Access-Control-Allow-Credentials`
         """
-        self.allowed_origins = [allow_origin]
+        self._allowed_origins = [allow_origin]
         if extra_origins:
-            self.allowed_origins.extend(extra_origins)
+            self._allowed_origins.extend(extra_origins)
         self.allow_headers = set(self._REQUIRED_HEADERS + (allow_headers or []))
         self.expose_headers = expose_headers or []
         self.max_age = max_age
@@ -149,7 +149,7 @@ def to_dict(self, origin: Optional[str]) -> Dict[str, str]:
 
         # If the origin doesn't match any of the allowed origins, and we don't allow all origins ("*"),
         # don't add any CORS headers
-        if origin not in self.allowed_origins and "*" not in self.allowed_origins:
+        if origin not in self._allowed_origins and "*" not in self._allowed_origins:
             return {}
 
         # The origin matched an allowed origin, so return the CORS headers

docs/core/event_handler/api_gateway.md

@@ -311,12 +311,13 @@ For convenience, these are the default values when using `CORSConfig` to enable
 ???+ warning
     Always configure `allow_origin` when using in production.
 
-???+ tip "Multiple allowed origins?"
-    If you require multiple allowed origins, pass the additional origins using the `extra_origins` key.
+???+ tip "Multiple origins?"
+    If you need to allow multiple origins, pass the additional origins using the `extra_origins` key.
 
 | Key                                                                                                                                          | Value                                                                        | Note                                                                                                                                                                      |
-| -------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+|----------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | **[allow_origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin){target="_blank"}**: `str`            | `*`                                                                          | Only use the default value for development. **Never use `*` for production** unless your use case requires it                                                             |
+| **[extra_origins](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin){target="_blank"}**: `List[str]`     | `[]`                                                                         | Additional origins to be allowed, in addition to the one specified in `allow_origin`                                                                                      |
 | **[allow_headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers){target="_blank"}**: `List[str]`    | `[Authorization, Content-Type, X-Amz-Date, X-Api-Key, X-Amz-Security-Token]` | Additional headers will be appended to the default list for your convenience                                                                                              |
 | **[expose_headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers){target="_blank"}**: `List[str]`  | `[]`                                                                         | Any additional header beyond the [safe listed by CORS specification](https://developer.mozilla.org/en-US/docs/Glossary/CORS-safelisted_response_header){target="_blank"}. |
 | **[max_age](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age){target="_blank"}**: `int`                      | ``                                                                           | Only for pre-flight requests if you choose to have your function to handle it instead of API Gateway                                                                      |

tests/functional/event_handler/test_api_gateway.py

@@ -547,7 +547,6 @@ def get_with_cors():
     result = app(event, None)
 
     # THEN routes by default return the custom cors headers
-    assert "multiValueHeaders" in result
     headers = result["multiValueHeaders"]
     assert headers["Content-Type"] == [content_types.APPLICATION_JSON]
     assert headers["Access-Control-Allow-Origin"] == ["https://origin3"]
@@ -557,7 +556,6 @@ def get_with_cors():
     result = app(event, None)
 
     # THEN routes by default return the custom cors headers
-    assert "multiValueHeaders" in result
     headers = result["multiValueHeaders"]
     assert headers["Content-Type"] == [content_types.APPLICATION_JSON]
     assert "Access-Control-Allow-Origin" not in headers
@@ -591,7 +589,7 @@ def another_one():
     assert "multiValueHeaders" in result
     headers = result["multiValueHeaders"]
     assert headers["Content-Type"] == [content_types.APPLICATION_JSON]
-    assert headers["Access-Control-Allow-Origin"] == [cors_config.allowed_origins[0]]
+    assert headers["Access-Control-Allow-Origin"] == ["https://foo1"]
     expected_allows_headers = [",".join(sorted(set(allow_header + cors_config._REQUIRED_HEADERS)))]
     assert headers["Access-Control-Allow-Headers"] == expected_allows_headers
     assert headers["Access-Control-Expose-Headers"] == [",".join(cors_config.expose_headers)]
@@ -689,8 +687,11 @@ def custom_preflight():
     def custom_method():
         ...
 
+    # AND the request includes an origin
+    headers = {"Origin": "https://example.org"}
+
     # WHEN calling the handler
-    result = app({"path": "/some-call", "httpMethod": "OPTIONS", "headers": {"Origin": "https://example.org"}}, None)
+    result = app({"path": "/some-call", "httpMethod": "OPTIONS", "headers": headers}, None)
 
     # THEN return the custom preflight response
     assert result["statusCode"] == 200