REST API Redirected Query Forwarding Headers

malkovro · November 22, 2021, 12:58pm

Context

I am using a REST API Resource to interact with my interface-less API backend and use Retool to build an administration section.

Situation

I want to let my Retool users download a file which is exposed behind a secured endpoint on my backend (through authorization header) which does a URL Redirection (HTTP 302) to a temporary public url.

HTTP Response of the REST API

curl -I https://my-backend-api.com/report -H 'Authorization: MyAuthorizationToken'

HTTP/1.1 302 Found
Server: Cowboy
Date: Mon, 22 Nov 2021 12:40:42 GMT
Referrer-Policy: strict-origin-when-cross-origin
Location: https://mybucket.s3.eu-west-1.amazonaws.com/myobject?aws_specific_auth_query_params ⬅️ *A temporary public URL*

Issues

I encounter two problems here. The Query that I am building on Retool is automatically following the redirect and is leaking the authorization header by forwarding it to the redirect url.

Expected Behaviour

The headers are not forwarded
I can choose whether I want the query to follow the redirect or not and pick up the location myself in the metadata.

Help Needed

Am I missing something that might explain Retool's Query implementation choice of forwarding the headers ?
Am I missing a way to achieve my goal of requesting to my backend the generation of a temporary URL using the configured REST API Resource and access the response before the redirect ?

malkovro · November 22, 2021, 3:03pm

As a reference curl itself had this issue a few years back and fixed their implementation to clear the authorization header when the second host (the one redirected to) is different than the original host (the one requested that returned the HTTP 30X).

Ref.:
https://curl.se/docs/CVE-2018-1000007.html

Tess · December 6, 2021, 2:25am

Hi @malkovro! Thanks for reaching out! Can we see a screenshot of the query where you have this implemented currently?

malkovro · February 21, 2022, 6:06pm

The Query is defined using a restapi resource, not many configuration options there to play with unfortunately:

We can see that Retool takes care of following the redirect and AWS is complaining about the authorization header that Retool bound to the request while it's not been instructed to...

Any ETA on when this security issue might be fixed ?

Tess · March 4, 2022, 1:19am

Hey @malkovro

We have a ticket on file for engineering to look into this bug. I don't have an ETA yet, but I'll reach out as soon as we're able to ship a fix!

davidajetter1 · March 12, 2022, 6:07pm

I'd like to upvote this issue. I have a similar use case where my backend API is returning a 302 redirect with a location header of a pre-signed S3 URL of a large JSON data payload that is previously calculated/cached. The Retool query is following the redirect but since it is including the REST API's bearer token, S3 returns an error of:

Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified

suhl · February 17, 2023, 7:13pm

@Tess is there any chance that feature was considered for implementing? Another use case is when the first response returns an authorization cookie, but because retool by default follows the redirections this cookie is gone and not available by the time the whole request with redirects is complete. The switch to follow or not to follow the redirects would be sufficient enough. n8n has it implemented with a user selectable counter that let's the user choose how many redirects has to be followed. This feature would be very helpful also with the Custom Auth module in Retool.

Tess · February 17, 2023, 10:27pm

Hi @suhl Not yet But thank you for checking in! I'll share this feedback internally