Access-Control-Allow-Methods collects methods from multiple paths

Serverless Framework
1

We are experiencing issues with the Access-Control-Allow-Methods header when I enable CORS for lambdas exposed via API Gateway.

First, we have multiple lambdas exposed via the API Gateway, each with it’s own path and varying HTTP verbs. The response to OPTIONS requests for later paths include not only OPTIONS and the verbs specified for the current path, but also any verbs enabled for previous paths within serverless.yaml!

functions:
    funcA:
        handler: a
        events:
         - http:
            path: path-a
            method: GET
            cors:
              header: ${self:custom.corsHeaders}
    funcB:
        handler: b
        events:
         - http:
            path: path-b
            method: POST
            cors:
              header: ${self:custom.corsHeaders}

If I send OPTIONS to path-a I’ll get Access-Control-Allow-Methods: OPTIONS, GET but if I send it to path-b I get Access-Control-Allow-Methods: OPTIONS, GET, POST

Workaround: explicitly set cors.methods for each event.

(We’ve experienced several issues with cors responses, I can’t remember whether this one occurred when cors was set to true as well as when cors was defined as an object).

2

How about to define the methods directly in part of cors?

functions:
    funcA:
        handler: a
        events:
         - http:
            path: path-a
            method: GET
            cors:
              origins: "*"
              header: ${self:custom.corsHeaders}
              methods:
                  - GET
                  - OPTIONS
    funcB:
        handler: b
        events:
         - http:
            path: path-b
            method: POST
            cors:
              origins: "*"
              header: ${self:custom.corsHeaders}
              methods:
                  - POST
                  - OPTIONS