claudiajs / claudia-api-builder

Use AWS API Gateway as if it were a lightweight JavaScript web server


CORS with Cognito Authorizer

LukeMizuhashi opened this issue

Can anyone show me a snippet of code that demonstrates an endpoint that responds to GET requests, requires an Authorization header, uses Cognito as an authorizer, and allows CORS requests from exactly two domain names?

The documentation on these things seems to be out of date, possibly. When I leave Cognito authentication out, CORS works just fine for either all domains or exactly one. When I add a Cognito Authorizer, CORS headers are present on OPTIONS responses, but not any of the other HTTP verbs.

No combination of static endpoint configuration object, ApiResponse object--one or both together--seems to work as expected when both CORS and authentication are required.

Client-side:

fetch('/thing',{
  mode: 'cors',
  method: 'get',
  headers: {
    Authorization: jwt,
  },
})

Server-side, this configures AWS API Gateway to use the Cognito Authorizer, has CORS headers on OPTIONS responses, but not GET responses:

const ApiBuilder = require('claudia-api-builder');
const api = new ApiBuilder();
api.corsOrigin(allowedOrigin);
api.corsHeaders('Content-Type,Authorization,foo,bar');
api.registerAuthorizer(cognitoAuthorizerName, { providerARNs: [arn] });
api.get(
  '/thing',
  (request) => { return { hello: 'there' }; },
  { cognitoAuthorizer: cognitoAuthorizerName }
);

This has CORS headers on GET and OPTIONS, but doesn't configure AWS API Gateway to use Authorizers:

const ApiBuilder = require('claudia-api-builder');
const api = new ApiBuilder();
api.corsOrigin(allowedOrigin);
api.corsHeaders('Content-Type,Authorization,foo,bar');
api.registerAuthorizer(cognitoAuthorizerName, { providerARNs: [arn] });
api.get(
  '/thing',
  (request) => { return { hello: 'there' }; }
  // { cognitoAuthorizer: cognitoAuthorizerName }
);

You might have better luck asking here: https://gitter.im/claudiajs/claudia
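
For the "exactly two domain names" part of the question, an added example (not from the thread or from the claudia-api-builder project): an exact-match origin selector with the signature of a callback that could be handed to `api.corsOrigin`. It assumes `corsOrigin` accepts a function of the request and that the request exposes `normalizedHeaders`; the two origins are constructed placeholders. It does not by itself explain the missing headers on authorized GET responses.

```javascript
'use strict';

// Constructed placeholder origins; substitute the two real front-end origins.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Read the Origin header however the header name was cased.
function requestOrigin(request) {
  const headers = (request && (request.normalizedHeaders || request.headers)) || {};
  const key = Object.keys(headers).find((name) => name.toLowerCase() === 'origin');
  return key ? String(headers[key]).trim() : '';
}

// Returns the origin to echo in Access-Control-Allow-Origin, or '' for none.
// Exact comparison on scheme + host + port: no substring, suffix or regex test,
// so https://app.example.com.attacker.test and http:// variants do not match.
function corsOriginFor(request) {
  const origin = requestOrigin(request);
  if (!origin || origin === 'null') return '';
  let parsed;
  try {
    parsed = new URL(origin);
  } catch (err) {
    return '';
  }
  // URL.origin lower-cases the host and drops path, query and credentials;
  // a header value that differs from it is not a well-formed Origin.
  if (parsed.origin.toLowerCase() !== origin.toLowerCase()) return '';
  return ALLOWED_ORIGINS.has(parsed.origin) ? parsed.origin : '';
}

// Headers a handler can attach to its own response. Vary: Origin keeps a shared
// cache from serving a response built for one origin to the other.
function corsHeadersFor(request) {
  const origin = corsOriginFor(request);
  if (!origin) return { Vary: 'Origin' };
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Headers': 'Content-Type,Authorization',
    Vary: 'Origin',
  };
}

// Assumed wiring (not run here): api.corsOrigin(corsOriginFor);
```
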