REST API Redirected Query Forwarding Headers

malkovro · November 22, 2021, 12:58pm

Context

I am using a REST API Resource to interact with my interface-less API backend and use Retool to build an administration section.

Situation

I want to let my Retool users download a file which is exposed behind a secured endpoint on my backend (through authorization header) which does a URL Redirection (HTTP 302) to a temporary public url.

HTTP Response of the REST API

curl -I https://my-backend-api.com/report -H 'Authorization: MyAuthorizationToken'

HTTP/1.1 302 Found
Server: Cowboy
Date: Mon, 22 Nov 2021 12:40:42 GMT
Referrer-Policy: strict-origin-when-cross-origin
Location: https://mybucket.s3.eu-west-1.amazonaws.com/myobject?aws_specific_auth_query_params ⬅️ *A temporary public URL*

Issues

I encounter two problems here. The Query that I am building on Retool is automatically following the redirect and is leaking the authorization header by forwarding it to the redirect url.

Expected Behaviour

The headers are not forwarded
I can choose whether I want the query to follow the redirect or not and pick up the location myself in the metadata.

Help Needed

Am I missing something that might explain Retool's Query implementation choice of forwarding the headers ?
Am I missing a way to achieve my goal of requesting to my backend the generation of a temporary URL using the configured REST API Resource and access the response before the redirect ?

malkovro · November 22, 2021, 3:03pm

As a reference curl itself had this issue a few years back and fixed their implementation to clear the authorization header when the second host (the one redirected to) is different than the original host (the one requested that returned the HTTP 30X).

Ref.:
https://curl.se/docs/CVE-2018-1000007.html

Tess · December 6, 2021, 2:25am

Hi @malkovro! Thanks for reaching out! Can we see a screenshot of the query where you have this implemented currently?

malkovro · February 21, 2022, 6:06pm

The Query is defined using a restapi resource, not many configuration options there to play with unfortunately:

We can see that Retool takes care of following the redirect and AWS is complaining about the authorization header that Retool bound to the request while it's not been instructed to...

Any ETA on when this security issue might be fixed ?

Tess · March 4, 2022, 1:19am

Hey @malkovro

We have a ticket on file for engineering to look into this bug. I don't have an ETA yet, but I'll reach out as soon as we're able to ship a fix!

davidajetter1 · March 12, 2022, 6:07pm

I'd like to upvote this issue. I have a similar use case where my backend API is returning a 302 redirect with a location header of a pre-signed S3 URL of a large JSON data payload that is previously calculated/cached. The Retool query is following the redirect but since it is including the REST API's bearer token, S3 returns an error of:

Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified

suhl · February 17, 2023, 7:13pm

@Tess is there any chance that feature was considered for implementing? Another use case is when the first response returns an authorization cookie, but because retool by default follows the redirections this cookie is gone and not available by the time the whole request with redirects is complete. The switch to follow or not to follow the redirects would be sufficient enough. n8n has it implemented with a user selectable counter that let's the user choose how many redirects has to be followed. This feature would be very helpful also with the Custom Auth module in Retool.

Tess · February 17, 2023, 10:27pm

Hi @suhl Not yet But thank you for checking in! I'll share this feedback internally

bvach-sofar · October 11, 2023, 9:13pm

Our service has the same pattern currently (Authorization Header -> s3 signed url 302 redirect -> retool follows the redirect with the original Header -> error)

Are there any suggested solutions for this? It would be nice to not introduce special behavior just for retool to consume this data.

Tess · October 12, 2023, 4:20pm

Hi @bvach-sofar I don't see any known workarounds on the Retool side You can't currently configure Retool to not automatically follow redirects or to remove authorization headers when redirected, but I'll add your +1 where we're tracking requests for this internally

bvach-sofar · October 12, 2023, 7:55pm

Thank you for the follow-up Tess.

Since we maintain the endpoint in question, we added an option for the server to respond with 200 and the signed url in the payload, rather than a 302. We then used the Retool Success handler to get the data in the signed url. In our case, it was images, and we could set the imageUrl on success. A bit kludgy, but sharing this idea in case others are in a similar situation.

Tess · October 13, 2023, 12:14am

Thanks so much for sharing!

Jose_Cifuentes · October 16, 2023, 8:42pm

Good day Tess! I think I'm having this same problem, I just posted this in the forum [link], would you kindly confirm the root of my issue is the same as posted here by various fellows? And that no solution is available as of now. Or is it completely different and I'm doing something wrong?

Appreciate your time!

Tess · November 10, 2023, 11:55pm

Hmm it does look like the same error that others have gotten when hitting this bug

What is the auth method you're using in Retool? What do you mean by run the same API call but with a different query? Is one get all and the other get a specific report? Do you know if those endpoints behave differently?