
redirect endpoint returning a 302 redirect to AWS S3 - generating an auth problem


I have a download endpoint in my API which is redirecting the user to an AWS S3 presigned URL.

Here is the swagger file describing my endpoint:

openapi: 3.0.0
info:
  title: My API
  description: API
  version: '2.0'   # OpenAPI requires info.version to be a string; unquoted 2.0 parses as a number

servers:
  - url: https://myapi.com   # server URLs need a scheme; a bare host is treated as a relative path
    description: API v2.0.
components:
  securitySchemes:
    Auth:
      type: apiKey
      in: header
      name: Authorization
security:
  - Auth: []
paths:
  /download/:
    get:
      summary: Download
      description: Download
      responses:
        '302':
          description: Redirects to a location for downloading
          content:
            application/gzip:
              schema:
                type: string
                format: binary

My problem is that when Swagger UI (version 3.14.2) tries the endpoint, it does get the redirect, but when it follows the redirect location it for some reason sends the “Authorization” header to that URL although it’s not on the same domain.

This problem is causing AWS S3 to emit the following error, because it’s receiving both the “Authorization” header and the “AWSAccessKeyId” GET parameters.

<?xml version="1.0"?>
<Error>
  <Code>InvalidArgument</Code>
  <Message>Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified</Message>
  <ArgumentName>Authorization</ArgumentName>
  <ArgumentValue>Token TTTTTTTTTTTTT</ArgumentValue>
  <RequestId>RRRRRRRRRRRRRR</RequestId>
  <HostId>HHHHHHHHHHHHHHHH</HostId>
</Error>

Any idea how to solve this issue?

Issue Analytics

  • State: open
  • Created 5 years ago
  • Comments: 16 (2 by maintainers)

Top GitHub Comments

4 reactions
shockey commented, Aug 28, 2018

@kobymeir @MaxHo1234, upon further inspection, this is a limitation within the browser. The request is being transparently followed, with no way to control the behavior from within a web application like Swagger UI. Postman gets around this with their Interceptor extension, which is not subject to the same constraints.

I’m going to keep this open: if there’s sufficient interest, we could consider building a similar extension that allows users to circumvent browser limitations.

1 reaction
kobymeir commented, Aug 6, 2018

Hi @shockey

There is no reason to pass on the authorization headers, as you have no idea where the redirect is going, thus potentially exposing the authorization token to a 3rd party that we might not want to receive the token.

Hope that my answer helped 😃
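The two points raised in this thread, the S3 “only one auth mechanism” rejection in the issue description and kobymeir’s argument that a bearer token must not be forwarded to an origin the client never chose, can be reproduced with a small client-side model of redirect handling. The following is an added example, not code from Swagger UI, the issue author or AWS; the API URL, bucket host, presigned query values and token are constructed placeholders, and `s3_auth_conflict` only mimics the documented S3 rule rather than calling S3.

```python
from urllib.parse import urlsplit, urljoin, parse_qs

# Query parameters that show a request is already authenticated by a presigned URL
# (SigV2 style AWSAccessKeyId/Signature, SigV4 style X-Amz-Algorithm/X-Amz-Signature).
PRESIGNED_QUERY_KEYS = {"AWSAccessKeyId", "Signature", "X-Amz-Algorithm", "X-Amz-Signature"}

# Headers that carry credentials and must never leak to a different origin.
CREDENTIAL_HEADERS = {"authorization", "cookie", "proxy-authorization"}


def origin_of(url):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def headers_for_redirect(original_url, location, headers):
    """Header set a well-behaved client sends when following a Location header.

    A relative Location is resolved against the original URL first, so an
    in-app redirect keeps its credentials; a cross-origin one drops them.
    """
    target = urljoin(original_url, location)
    forwarded = dict(headers)
    if origin_of(original_url) != origin_of(target):
        for name in list(forwarded):
            if name.lower() in CREDENTIAL_HEADERS:
                del forwarded[name]
    return forwarded


def s3_auth_conflict(url, headers):
    """Mimic S3's rule: a presigned query string plus an Authorization header is rejected.

    Returns the S3 error code the thread shows ("InvalidArgument") or None if the
    request carries exactly one authentication mechanism.
    """
    query = parse_qs(urlsplit(url).query)
    query_auth = any(key in query for key in PRESIGNED_QUERY_KEYS)
    header_auth = any(name.lower() == "authorization" for name in headers)
    if query_auth and header_auth:
        return "InvalidArgument"
    return None


def simulate_download(api_url, location, headers, strip_on_cross_origin=True):
    """Follow the 302 from the API and report what the S3 side would do.

    strip_on_cross_origin=False models the browser behaviour reported in the issue.
    Returns (s3_error_or_None, headers_actually_sent_to_s3).
    """
    if strip_on_cross_origin:
        sent = headers_for_redirect(api_url, location, headers)
    else:
        sent = dict(headers)
    return s3_auth_conflict(urljoin(api_url, location), sent), sent


# Constructed sample values; none of them are real credentials or real buckets.
API_URL = "https://myapi.com/download/"
PRESIGNED_URL = (
    "https://example-bucket.s3.amazonaws.com/archive.tar.gz"
    "?AWSAccessKeyId=AKIAEXAMPLEKEY&Expires=1700000000&Signature=EXAMPLESIG"
)
CLIENT_HEADERS = {"Authorization": "Token TTTTTTTTTTTTT", "Accept": "application/gzip"}

if __name__ == "__main__":
    # The failure mode from the issue: token forwarded across origins, S3 rejects.
    print(simulate_download(API_URL, PRESIGNED_URL, CLIENT_HEADERS, strip_on_cross_origin=False))
    # The expected behaviour: token dropped, presigned request accepted.
    print(simulate_download(API_URL, PRESIGNED_URL, CLIENT_HEADERS))
```

Running the block prints the rejected case first and the accepted case second. The same `headers_for_redirect` check is a reasonable thing to apply in any HTTP client wrapper that follows redirects on behalf of an authenticated user: the decision is made on origin (scheme, host, port), not on hostname alone, so an http-to-https hop to the same host is also treated as a boundary.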
