Merge branch 'main' into dependabot/npm_and_yarn/aws-sdk-v3-24e39e0115

Author: sdangol

examples/snippets/package.json

@@ -43,7 +43,7 @@
     "@valkey/valkey-glide": "^2.1.0",
     "aws-sdk": "^2.1692.0",
     "aws-sdk-client-mock": "^4.1.0",
-    "zod": "^4.1.9"
+    "zod": "^4.1.11"
   },
   "dependencies": {
     "arktype": "^2.1.22",

package-lock.json

@@ -55,7 +55,7 @@
     "@types/node": "^24.5.2",
     "@vitest/coverage-v8": "^3.2.4",
     "husky": "^9.1.7",
-    "lint-staged": "^16.1.6",
+    "lint-staged": "^16.2.0",
     "markdownlint-cli2": "^0.18.1",
     "middy5": "npm:@middy/core@^5.4.3",
     "middy6": "npm:@middy/core@^6.0.0",

package.json

@@ -87,6 +87,6 @@
   "devDependencies": {
     "@aws-lambda-powertools/parser": "2.26.1",
     "@aws-lambda-powertools/testing-utils": "file:../testing",
-    "zod": "^4.1.9"
+    "zod": "^4.1.11"
   }
 }

packages/batch/package.json

@@ -164,9 +164,9 @@ class Router {
    *
    * @example
    * ```typescript
-   * const authMiddleware: Middleware = async (params, reqCtx, next) => {
+   * const authMiddleware: Middleware = async ({ params, reqCtx, next }) => {
    *   // Authentication logic
-   *   if (!isAuthenticated(reqCtx.request)) {
+   *   if (!isAuthenticated(reqCtx.req)) {
    *     return new Response('Unauthorized', { status: 401 });
    *   }
    *   await next();
@@ -215,23 +215,27 @@ class Router {
       };
     }
 
-    const request = proxyEventToWebRequest(event);
+    const req = proxyEventToWebRequest(event);
 
     const requestContext: RequestContext = {
       event,
       context,
-      request,
+      req,
       // this response should be overwritten by the handler, if it isn't
       // it means something went wrong with the middleware chain
       res: new Response('', { status: 500 }),
     };
 
     try {
-      const path = new URL(request.url).pathname as Path;
+      const path = new URL(req.url).pathname as Path;
 
       const route = this.routeRegistry.resolve(method, path);
 
-      const handlerMiddleware: Middleware = async (params, reqCtx, next) => {
+      const handlerMiddleware: Middleware = async ({
+        params,
+        reqCtx,
+        next,
+      }) => {
         if (route === null) {
           const notFoundRes = await this.handleError(
             new NotFoundError(`Route ${path} for method ${method} not found`),
@@ -263,11 +267,11 @@ class Router {
         handlerMiddleware,
       ]);
 
-      const middlewareResult = await middleware(
-        route?.params ?? {},
-        requestContext,
-        () => Promise.resolve()
-      );
+      const middlewareResult = await middleware({
+        params: route?.params ?? {},
+        reqCtx: requestContext,
+        next: () => Promise.resolve(),
+      });
 
       // middleware result takes precedence to allow short-circuiting
       const result = middlewareResult ?? requestContext.res;

packages/event-handler/src/rest/Router.ts

@@ -67,12 +67,10 @@ const compress = (options?: CompressionOptions): Middleware => {
   const threshold =
     options?.threshold ?? DEFAULT_COMPRESSION_RESPONSE_THRESHOLD;
 
-  return async (_, reqCtx, next) => {
+  return async ({ reqCtx, next }) => {
     await next();
 
-    if (
-      !shouldCompress(reqCtx.request, reqCtx.res, preferredEncoding, threshold)
-    ) {
+    if (!shouldCompress(reqCtx.req, reqCtx.res, preferredEncoding, threshold)) {
       return;
     }
 

packages/event-handler/src/rest/middleware/compress.ts

@@ -1,26 +1,10 @@
-import type {
-  CorsOptions,
-  Middleware,
-} from '../../types/rest.js';
+import type { CorsOptions, Middleware } from '../../types/rest.js';
 import {
   DEFAULT_CORS_OPTIONS,
   HttpErrorCodes,
   HttpVerbs,
 } from '../constants.js';
 
-/**
- * Resolves the origin value based on the configuration
- */
-const resolveOrigin = (
-  originConfig: NonNullable<CorsOptions['origin']>,
-  requestOrigin: string | null,
-): string => {
-  if (Array.isArray(originConfig)) {
-    return requestOrigin && originConfig.includes(requestOrigin) ? requestOrigin : '';
-  }
-  return originConfig;
-};
-
 /**
  * Creates a CORS middleware that adds appropriate CORS headers to responses
  * and handles OPTIONS preflight requests.
@@ -29,9 +13,9 @@ const resolveOrigin = (
  * ```typescript
  * import { Router } from '@aws-lambda-powertools/event-handler/experimental-rest';
  * import { cors } from '@aws-lambda-powertools/event-handler/experimental-rest/middleware';
- * 
+ *
  * const app = new Router();
- * 
+ *
  * // Use default configuration
  * app.use(cors());
  *
@@ -50,7 +34,7 @@ const resolveOrigin = (
  *   }
  * }));
  * ```
- * 
+ *
  * @param options.origin - The origin to allow requests from
  * @param options.allowMethods - The HTTP methods to allow
  * @param options.allowHeaders - The headers to allow
@@ -61,38 +45,93 @@ const resolveOrigin = (
 export const cors = (options?: CorsOptions): Middleware => {
   const config = {
     ...DEFAULT_CORS_OPTIONS,
-    ...options
+    ...options,
   };
+  const allowedOrigins =
+    typeof config.origin === 'string' ? [config.origin] : config.origin;
+  const allowsWildcard = allowedOrigins.includes('*');
+  const allowedMethods = config.allowMethods.map((method) =>
+    method.toUpperCase()
+  );
+  const allowedHeaders = config.allowHeaders.map((header) =>
+    header.toLowerCase()
+  );
 
-  return async (_params, reqCtx, next) => {
-    const requestOrigin = reqCtx.request.headers.get('Origin');
-    const resolvedOrigin = resolveOrigin(config.origin, requestOrigin);
+  const isOriginAllowed = (
+    requestOrigin: string | null
+  ): requestOrigin is string => {
+    return (
+      requestOrigin !== null &&
+      (allowsWildcard || allowedOrigins.includes(requestOrigin))
+    );
+  };
 
-    reqCtx.res.headers.set('access-control-allow-origin', resolvedOrigin);
-    if (resolvedOrigin !== '*') {
-      reqCtx.res.headers.set('Vary', 'Origin');
+  const isValidPreflightRequest = (requestHeaders: Headers) => {
+    const accessControlRequestMethod = requestHeaders
+      .get('Access-Control-Request-Method')
+      ?.toUpperCase();
+    const accessControlRequestHeaders = requestHeaders
+      .get('Access-Control-Request-Headers')
+      ?.toLowerCase();
+    return (
+      accessControlRequestMethod &&
+      allowedMethods.includes(accessControlRequestMethod) &&
+      accessControlRequestHeaders
+        ?.split(',')
+        .every((header) => allowedHeaders.includes(header.trim()))
+    );
+  };
+
+  const setCORSBaseHeaders = (
+    requestOrigin: string,
+    responseHeaders: Headers
+  ) => {
+    const resolvedOrigin = allowsWildcard ? '*' : requestOrigin;
+    responseHeaders.set('access-control-allow-origin', resolvedOrigin);
+    if (!allowsWildcard && Array.isArray(config.origin)) {
+      responseHeaders.set('vary', 'Origin');
     }
-    config.allowMethods.forEach(method => {
-      reqCtx.res.headers.append('access-control-allow-methods', method);
-    });
-    config.allowHeaders.forEach(header => {
-      reqCtx.res.headers.append('access-control-allow-headers', header);
-    });
-    config.exposeHeaders.forEach(header => {
-      reqCtx.res.headers.append('access-control-expose-headers', header);
-    });
-    reqCtx.res.headers.set('access-control-allow-credentials', config.credentials.toString());
-    if (config.maxAge !== undefined) {
-      reqCtx.res.headers.set('access-control-max-age', config.maxAge.toString());
+    if (config.credentials) {
+      responseHeaders.set('access-control-allow-credentials', 'true');
+    }
+  };
+
+  return async ({ reqCtx, next }) => {
+    const requestOrigin = reqCtx.req.headers.get('Origin');
+    if (!isOriginAllowed(requestOrigin)) {
+      await next();
+      return;
     }
 
     // Handle preflight OPTIONS request
-    if (reqCtx.request.method === HttpVerbs.OPTIONS && reqCtx.request.headers.has('Access-Control-Request-Method')) {
+    if (reqCtx.req.method === HttpVerbs.OPTIONS) {
+      if (!isValidPreflightRequest(reqCtx.req.headers)) {
+        await next();
+        return;
+      }
+      setCORSBaseHeaders(requestOrigin, reqCtx.res.headers);
+      if (config.maxAge !== undefined) {
+        reqCtx.res.headers.set(
+          'access-control-max-age',
+          config.maxAge.toString()
+        );
+      }
+      for (const method of allowedMethods) {
+        reqCtx.res.headers.append('access-control-allow-methods', method);
+      }
+      for (const header of allowedHeaders) {
+        reqCtx.res.headers.append('access-control-allow-headers', header);
+      }
       return new Response(null, {
         status: HttpErrorCodes.NO_CONTENT,
         headers: reqCtx.res.headers,
       });
     }
+
+    setCORSBaseHeaders(requestOrigin, reqCtx.res.headers);
+    for (const header of config.exposeHeaders) {
+      reqCtx.res.headers.append('access-control-expose-headers', header);
+    }
     await next();
   };
 };

packages/event-handler/src/rest/middleware/cors.ts

@@ -6,7 +6,6 @@ import type {
   HttpMethod,
   Middleware,
   Path,
-  RequestContext,
   ValidationResult,
 } from '../types/rest.js';
 import {
@@ -129,13 +128,13 @@ export const isAPIGatewayProxyResult = (
  *
  * @example
  * ```typescript
- * const middleware1: Middleware = async (params, options, next) => {
+ * const middleware1: Middleware = async ({params, options, next}) => {
  *   console.log('middleware1 start');
  *   await next();
  *   console.log('middleware1 end');
  * };
  *
- * const middleware2: Middleware = async (params, options, next) => {
+ * const middleware2: Middleware = async ({params, options, next}) => {
  *   console.log('middleware2 start');
  *   await next();
  *   console.log('middleware2 end');
@@ -151,11 +150,7 @@ export const isAPIGatewayProxyResult = (
  * ```
  */
 export const composeMiddleware = (middleware: Middleware[]): Middleware => {
-  return async (
-    params: Record<string, string>,
-    reqCtx: RequestContext,
-    next: () => Promise<HandlerResponse | void>
-  ): Promise<HandlerResponse | void> => {
+  return async ({ params, reqCtx, next }): Promise<HandlerResponse | void> => {
     let index = -1;
     let result: HandlerResponse | undefined;
 
@@ -181,7 +176,11 @@ export const composeMiddleware = (middleware: Middleware[]): Middleware => {
         return result;
       };
 
-      const middlewareResult = await middlewareFn(params, reqCtx, nextFn);
+      const middlewareResult = await middlewareFn({
+        params,
+        reqCtx,
+        next: nextFn,
+      });
 
       if (nextPromise && !nextAwaited && i < middleware.length - 1) {
         throw new Error(

packages/event-handler/src/rest/utils.ts

@@ -15,7 +15,7 @@ type ErrorResponse = {
 };
 
 type RequestContext = {
-  request: Request;
+  req: Request;
   event: APIGatewayProxyEvent;
   context: Context;
   res: Response;
@@ -86,11 +86,11 @@ type RestRouteOptions = {
 
 type NextFunction = () => Promise<HandlerResponse | void>;
 
-type Middleware = (
-  params: Record<string, string>,
-  reqCtx: RequestContext,
-  next: NextFunction
-) => Promise<void | HandlerResponse>;
+type Middleware = (args: {
+  params: Record<string, string>;
+  reqCtx: RequestContext;
+  next: NextFunction;
+}) => Promise<void | HandlerResponse>;
 
 type RouteRegistryOptions = {
   /**

packages/event-handler/src/types/rest.ts

@@ -91,7 +91,7 @@ describe('Class: Router - Basic Routing', () => {
 
     app.get('/test', async (_params, reqCtx) => {
       return {
-        hasRequest: reqCtx.request instanceof Request,
+        hasRequest: reqCtx.req instanceof Request,
         hasEvent: reqCtx.event === testEvent,
         hasContext: reqCtx.context === context,
       };