Custom host (cont.)

[huyphan]

I saw that we made some effort to make the hostname more customizable (relevant issues: #21 and #13). I think we can make it even more flexible by allowing consumer to opt-in the option to use, wait for it, Host header as the hostname.

In normal context, this is a terrible idea as Host header can't be trusted at all. In APIG/Lambda context -- which is what this library is about -- I think it's an acceptable option. The reason being, API Gateway and CloudFront already reject all the requests with irrelevant Host header. And those that hit Lambda are those that we can trust.

Hence, would using incoming Host header as hostname be something we can consider as an option?

[sapessi]

This library can also be used with ALB, which does not perform that validation as strictly as API Gateway. I have asked the API Gateway team to add a property with the full url of the client request to the proxy event. Once that new property comes in, I'll definitely switch to you. For now, I'm a bit skeptical of the Host header.

[huyphan]

Gotcha. I didn't realize the usage with ALB.

I understand the concern with Host header. And I agree that we should not use it as the default option. Since there's no timeline of when API Gateway team would introduce the new property (that I know of), I think it's reasonable to make this an optional feature to unblock users -- we allow people to opt-in and use it when they know what they are doing.

I think the code would be a bit messy if we want to support this, I'm just throwing the idea for now :)

[sapessi]

You could work around this simply by reading the proxy event in the handler method, looking for the Host header, and then setting the GO_API_HOST env variable before calling the Proxy method of this library.

[huyphan]

Yea we are currently using GO_API_HOST environment variable as a workaround. I was hoping for a goroutine-scoped way of doing that though.

I guess we can wait until API Gateway releases the desired property then. I'm going to close this issue for now.