I've implemented security in my API Gateway. I want to add the Access-Control-Allow-Origin response header when the token provided by the client is invalid (401). Please help me solve this. I have tried many ways but I still can't solve this problem. Thank you.
FYI, I'm using Cloud Function for my backend.
```yaml
swagger: '2.0'
info:
  title: mishirin-reward-api
  description: Mishirin Reward API
  version: 2.0.0
schemes:
  - https
produces:
  - application/json
paths:
  /generateQrCodeUser:
    post:
      summary: Generate QR Code User
      consumes:
        - application/json
      operationId: generateQrCodeUser
      x-google-backend:
        address: cloudFunctionAddress
      responses:
        '200':
          description: Successful response
          schema:
            type: string
        '401':
          description: Unauthorized
          headers:
            Access-Control-Allow-Origin:
              type: string
              description: Access Control Allow Origin
              default: '*'
        '429':
          description: Too Many Request
          headers:
            Access-Control-Allow-Origin:
              type: string
              description: Access Control Allow Origin
              default: '*'
      x-google-cors:
        - maxAgeSeconds: 3600
          origin: '*'
          headers:
            - Access-Control-Allow-Origin
            - Content-Type
          responseHeader:
            - Access-Control-Allow-Origin
            - Content-Type
          exposeHeaders:
            - Access-Control-Allow-Origin
      security:
        - firebase: []
    options:
      summary: CORS Generate QR Code User
      consumes:
        - application/json
      operationId: CORSOPTIONSgenerateQrCodeUser
      x-google-backend:
        address: cloudFunctionAddress
      responses:
        '200':
          description: Successful response
          schema:
            type: string
        '401':
          description: Unauthorized
          headers:
            Access-Control-Allow-Origin:
              type: string
              description: Access Control Allow Origin
              default: '*'
        '429':
          description: Too Many Request
          headers:
            Access-Control-Allow-Origin:
              type: string
              description: Access Control Allow Origin
              default: '*'
      x-google-cors:
        - maxAgeSeconds: 3600
          origin: '*'
          headers:
            - Access-Control-Allow-Origin
            - Content-Type
          responseHeader:
            - Access-Control-Allow-Origin
            - Content-Type
          exposeHeaders:
            - Access-Control-Allow-Origin
      security:
        - firebase: []
securityDefinitions:
  firebase:
    authorizationUrl: ''
    flow: implicit
    type: oauth2
    x-google-issuer: '...'
    x-google-jwks_uri: '...'
    x-google-audiences: '...'
x-google-cors:
  - maxAgeSeconds: 3600
    origin: '*'
    headers:
      - Access-Control-Allow-Origin
      - Content-Type
    responseHeader:
      - Access-Control-Allow-Origin
      - Content-Type
    exposeHeaders:
      - Access-Control-Allow-Origin
```