When defining APIG http events the code now forces creation of mappings for both application/json
as well as application/x-www-form-urlencoded
. While you can override the template, there is no way to exclude these mappings (i.e., I only want to allow json requests on an endpoint)
This change was recently introduced via this commit into lib/plugins/aws/deploy/compile/events/apiGateway/lib/methods.js:
const integrationRequestTemplates = {
'application/json': DEFAULT_JSON_REQUEST_TEMPLATE,
'application/x-www-form-urlencoded': DEFAULT_FORM_URL_ENCODED_REQUEST_TEMPLATE,
};
While I think it's incredibly useful to have these 2 options (and templates pre-defined), I think it would be best to allow the user to optionally include only the templates they want.
Something like the following might make sense:
functions:
create:
handler: posts.create
events:
- http:
method: get
path: whatever
request:
template:
text/xhtml: { "stage" : "$context.stage" } # add additional template
application/json: { "httpMethod" : "$context.httpMethod" } # add mapping and override default template
application/x-www-form-urlencoded: true # add mapping and use default template
With the current open issue (#1168) around APIG pass through behavior, and a pending PR (#1992) to address it, this becomes more important to be able to fully restrict methods to desired Content-Types.
I definitely like the idea of the feature to be able to really lock down the default templates, but imho it would have to happen for the whole service.
My assumption is that if you want to completely lock down the default templates you'll want to do this in every method across your service. So I think I'd prefer something like
provider:
apigateway:
default-request-templates: false
Otherwise you'd have to duplicate configuration like crazy (which is already necessary for example when you want to set separate templates for several functions, but imho less of a problem because you only need this for events that have request data.
But I'm not sure yet :D. @serverless/vip any thoughts on that, especially @HyperBrain ?
This should be possible with this now: https://serverless.com/framework/docs/providers/aws/events/apigateway#custom-request-templates
@flomotlik How do custom templates address the OP use case of simply opting out of the default application/x-www-form-urlencoded
template, without the need to create a custom template for application/json
?
Most helpful comment
I definitely like the idea of the feature to be able to really lock down the default templates, but imho it would have to happen for the whole service.
My assumption is that if you want to completely lock down the default templates you'll want to do this in every method across your service. So I think I'd prefer something like
Otherwise you'd have to duplicate configuration like crazy (which is already necessary for example when you want to set separate templates for several functions, but imho less of a problem because you only need this for events that have request data.
But I'm not sure yet :D. @serverless/vip any thoughts on that, especially @HyperBrain ?