feat(event_handler): support multiple origins for cors

[michaelbrewer]

Issue #, if available:

• Support multiple Allowed Origins in CORS #1006

Description of changes:

WARNING: FOR RFC PURPOSES ONLY

Checklist

• Meet tenets criteria
• Update tests
• Update docs
• PR title follows conventional commit semantics

Breaking change checklist

RFC issue #:

• Migration process documented
• Implement warnings (if it can live side by side)

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[walmsles]

The PR allows for multiple statically defined Origins. Some use cases may have more dynamic requirements, e.g. An API allowing only subscribed websites (origins) to consume the API from their front-end. This may be a more obscure use case and not the norm though - so need to apply the tenets to this comment as appropriate.

[codecov-commenter]

Codecov Report

Merging #1010 (1adce36) into develop (f62d07a) will increase coverage by 0.00%.
The diff coverage is 100.00%.

@@ Coverage Diff @@ ## develop #1010 +/- ## ======================================== Coverage 99.88% 99.88% ======================================== Files 119 119 Lines 5423 5432 +9 Branches 618 620 +2 ======================================== + Hits 5417 5426 +9  Misses 2 2 Partials 4 4 

Impacted Files	Coverage Δ
aws_lambda_powertools/event_handler/api_gateway.py	100.00% <100.00%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f62d07a...1adce36. Read the comment docs.

[michaelbrewer]

have more dynamic requirements, e.g. An API allowing only subscribed websites (origins) to consume the API from

This is where people might shoot themselves in the foot ? :)

[walmsles]

Agree. Need to temper feature offered to close the loop on people doing silly things. Because CORS is generally well misunderstood 🙂

[michaelbrewer]

Agree. Need to temper feature offered to close the loop on people doing silly things. Because CORS is generally well misunderstood 🙂

And universally hated

[michaelbrewer]

(closing for now and will reopening when capacity is available for this)

[major-mayer]

I would relly love to see this getting merged soon.
We are using AWS Lambda Powertools with the Application Load Balancer (because of timeout limitation of the API Gateway), so there is no CORS configuration and we have to handle this ourselves.

The Lambda function is called from multiple origins, but it's a fixed list, so no dynamic matching needed.
This PR would be a very nice improvement, so that i don't have to manually check if the origin in the header is in my list of allowed origins.

[michaelbrewer]

@major-mayer - possibly August this might get some eyes.