H
Hono9mo ago
nullfox

Hono CORS lambda duplicate headers

I'm using Hono with Lambda and managing CORS myself instead of using AWS API Gateway CORS configuration. My code looks like 
import { Hono, Context as HonoContext } from 'hono';
import { cors as corsMiddleware } from 'hono/cors';

import { upsertInvoice } from './embed/routes/v1/upsertInvoice.js';

const routes = [
    {
        method: ['POST'],
        path: '/v1/invoices',
        handler: upsertInvoice,
    },
];

export const server = new Hono();

const cors = corsMiddleware({
    allowMethods: ['GET', 'POST', 'OPTIONS'],
    allowHeaders: [
        'Content-Type',
        'X-Amz-Date',
        'Authorization',
        'X-Api-Key',
        'X-Amz-Security-Token',
    ],
    origin: '*',
});

routes.forEach((route) => {
    // Register the actual route
    server.on(route.method, route.path, route.handler);

    // Register cors for the route
    server.on(['OPTIONS'], route.path, cors);
});
import { Hono, Context as HonoContext } from 'hono';
import { cors as corsMiddleware } from 'hono/cors';

import { upsertInvoice } from './embed/routes/v1/upsertInvoice.js';

const routes = [
    {
        method: ['POST'],
        path: '/v1/invoices',
        handler: upsertInvoice,
    },
];

export const server = new Hono();

const cors = corsMiddleware({
    allowMethods: ['GET', 'POST', 'OPTIONS'],
    allowHeaders: [
        'Content-Type',
        'X-Amz-Date',
        'Authorization',
        'X-Api-Key',
        'X-Amz-Security-Token',
    ],
    origin: '*',
});

routes.forEach((route) => {
    // Register the actual route
    server.on(route.method, route.path, route.handler);

    // Register cors for the route
    server.on(['OPTIONS'], route.path, cors);
});
When I deploy this to AWS and do an OPTIONS request to that endpoint, I'm getting duplicate CORS headers like: 
< date: Wed, 31 Jul 2024 17:38:25 GMT
< access-control-allow-headers: Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token
< access-control-allow-headers: Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token
< access-control-allow-methods: GET,POST,OPTIONS
< access-control-allow-methods: GET,POST,OPTIONS
< access-control-allow-origin: *
< access-control-allow-origin: *
< vary: Access-Control-Request-Headers
< vary: Access-Control-Request-Headers
< apigw-requestid: byd2yghRIAMEPdA=
< date: Wed, 31 Jul 2024 17:38:25 GMT
< access-control-allow-headers: Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token
< access-control-allow-headers: Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token
< access-control-allow-methods: GET,POST,OPTIONS
< access-control-allow-methods: GET,POST,OPTIONS
< access-control-allow-origin: *
< access-control-allow-origin: *
< vary: Access-Control-Request-Headers
< vary: Access-Control-Request-Headers
< apigw-requestid: byd2yghRIAMEPdA=
I'm unclear on what I'm doing wrong that wouldo generate these dupe headers that breaks CORS
8 Replies
Danilo
Danilo2mo ago
I have the same problem, do you solved? @nullfox
ambergristle
ambergristle2mo ago
It’s probably the loop
Danilo
Danilo2mo ago
what loop? 😅
ambergristle
ambergristle2mo ago
the forEach though ig i'd expect the value to just get overwritten
ambergristle
ambergristle2mo ago
seems like it could be a known bug: https://github.com/honojs/hono/issues/3870
GitHub
aws-lambda duplicate headers in API Gateway V1 response · Issue #38...
What version of Hono are you using? 4.6.17 What runtime/platform is your app running on? (with version if possible) AWS Lambda/NodeJS 20 What steps can reproduce the bug? If an incoming request eve...
Danilo
Danilo2mo ago
jesus this is my situation
ambergristle
ambergristle2mo ago
rip might be worth following up on the issue
Danilo
Danilo2mo ago
something has moved

Did you find this page helpful?