Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refused to set unsafe header "host" with IAM auth link #763

Open
borgoat opened this issue Jan 22, 2024 · 0 comments
Open

Refused to set unsafe header "host" with IAM auth link #763

borgoat opened this issue Jan 22, 2024 · 0 comments

Comments

@borgoat
Copy link

borgoat commented Jan 22, 2024

Do you want to request a feature or report a bug?

I think this is a bug. The only other reference I could find is here: #263 (comment)

What is the current behavior?

We are using the IAM auth link. The logs are filled with error: Refused to set unsafe header "host". The signature per se works (after all, the "overridden header" is the correct host to begin with, so there's nothing to override), but the mess in the logs causes some troubles with our error tracking.

If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem.

Our Apollo client is configured as follows:

  const region = 'eu-west-1';
  const url = 'https://gql.mvp-275214716993.yeekatee.com';

  const cognitoAuthLink = createAuthLink({
    url,
    region,
    auth: {
      type: AUTH_TYPE.AMAZON_COGNITO_USER_POOLS,
      jwtToken: async () =>
        (await Auth.currentSession()).getAccessToken().getJwtToken(),
    },
  });

  const iamAuthLink = createAuthLink({
    url,
    region,
    auth: {
      type: AUTH_TYPE.AWS_IAM,
      credentials: () => Auth.currentCredentials(),
    },
  });

  const httpLink = ngHttpLink.create({ uri: url });

  const isAuthenticated$ = () =>
    fromPromise(
      Auth.currentUserPoolUser()
        .then(() => true)
        .catch(() => false),
    );

  const splitAuthLink = new ApolloLink((operation, forward) =>
    isAuthenticated$().flatMap((isAuthenticated) =>
      (isAuthenticated ? cognitoAuthLink : iamAuthLink).request(
        operation,
        forward,
      ),
    ),
  );

  const link = ApolloLink.from([splitAuthLink, httpLink]);

The url is our custom domain on AppSync.1

What is the expected behavior?

No errors. Maybe we are using this incorrectly and I'm missing something.. I can't quite understand how this could work with Host being a forbidden header.2

I think the problem is coming from here:

aws-mobile-appsync-sdk-js/packages/aws-appsync-auth-link/src/signer/signer.ts

Line 235 in 8502a78

request.headers['host'] = url_info.host;

Since the same request object is created to compute the IAM signature, and then replaced into the Apollo operation context:

aws-mobile-appsync-sdk-js/packages/aws-appsync-auth-link/src/auth-link.ts

Line 103 in 82cb58e

...headers,

Which versions and which environment (browser, react-native, nodejs) / OS are affected by this issue? Did this work in previous versions?

We also use the Cognito auth link - that one does not present any issue.

dependencies:
@apollo/client 3.8.9
apollo-angular 6.0.0
└── @apollo/client 3.8.9 peer
aws-appsync-auth-link 3.0.7
└── @apollo/client 3.8.9 peer

The same error is there on Safari 17.2.1 and Chrome 120, both on macOS 14.2.1

Footnotes

  1. https://docs.aws.amazon.com/appsync/latest/devguide/custom-domain-name.html

  2. https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@borgoat