From 7d2b6f0d01ccaa494730be5fdf91952f90b45a7a Mon Sep 17 00:00:00 2001
From: Nathan Curtis <nathan.curtis@gmail.com>
Date: Tue, 22 Oct 2024 15:09:41 -0700
Subject: [PATCH] [TM-1273] Don't allow OPTIONS to leak through to the service.

---
 apps/api-gateway/lib/api-gateway-stack.ts | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/apps/api-gateway/lib/api-gateway-stack.ts b/apps/api-gateway/lib/api-gateway-stack.ts
index 84cf4f8e..1681612c 100644
--- a/apps/api-gateway/lib/api-gateway-stack.ts
+++ b/apps/api-gateway/lib/api-gateway-stack.ts
@@ -85,7 +85,7 @@ export class ApiGatewayStack extends Stack {
           CorsHttpMethod.OPTIONS,
         ],
         allowOrigins: ["*"],
-        allowHeaders: ['authorization,content-type'],
+        allowHeaders: ['authorization', 'content-type'],
       },
     }
     if (!IS_DEV) {
@@ -154,7 +154,7 @@ export class ApiGatewayStack extends Stack {
 
     this.httpApi.addRoutes({
       path: path,
-      methods: [HttpMethod.ANY],
+      methods: [HttpMethod.GET, HttpMethod.DELETE, HttpMethod.POST, HttpMethod.PATCH, HttpMethod.PUT],
       integration: lambdaIntegration,
     })
   }
@@ -162,7 +162,7 @@ export class ApiGatewayStack extends Stack {
   private addHttpUrlProxy (name: string, sourcePath: string, targetUrl: string) {
     this.httpApi.addRoutes({
       path: sourcePath,
-      methods: [HttpMethod.ANY],
+      methods: [HttpMethod.GET, HttpMethod.DELETE, HttpMethod.POST, HttpMethod.PATCH, HttpMethod.PUT],
       integration: new HttpUrlIntegration(name, targetUrl),
     });
   }
@@ -190,7 +190,7 @@ export class ApiGatewayStack extends Stack {
 
     this.httpApi.addRoutes({
       path: sourcePath,
-      methods: [HttpMethod.ANY],
+      methods: [HttpMethod.GET, HttpMethod.DELETE, HttpMethod.POST, HttpMethod.PATCH, HttpMethod.PUT],
       integration: new HttpAlbIntegration(name, serviceListener, { vpcLink: this._vpcLink })
     })
   }