-
Notifications
You must be signed in to change notification settings - Fork 273
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Subgraph level APQ should execute before AWS Sigv4 signing #3608
Comments
Hi Team, I currently used the new plugin for subgraph authentication and facing the sign calculation mismatch errors in the response. I also tried to disable the apq but its still failing. Could you please suggest if yaml needs to some other configuration to make it work ? |
what do you have in the subgraph configuration? APQ? Compression? Header manipulation? |
Below is the yaml snippet. I'm doing the header manipulation in supergraph service to add custom header but nothing in subgraph service. I checked the source code and the authentication plugin is called immediately when request hits subgraph service and later apq/compression code is invoked. even if apq is disabled, compression still happens which mutates the request body. Service also add few headers. I think this is causing the signature mismatch when request hits aws api gateway. I think I agree that the signing should happen just inside call_http function just before do_fetch() is invoked so that no mutation happens after signing apq: authentication: |
Hey, thanks for the reply! I'll see if i can provide a fix. |
Right now SigV4 signing happens as a subgraph service plugin, so before going through rhai, coprocessor and traffic shaping (dedup, timeout, retry, rate limit), and then into the subgraph service. Inside the subgraph service, there is the APQ implementation.
APQ removes the query from the body and replaces it with a hash, and if APQ is disabled by the subgraph, or not yet available in the subgraph's APQ cache, then a new request with the query is sent. Both queries will modify the body that was signed by SigV4, so signature verification will fail.
And after APQ, the body is compressed.
Here is the order that would make sense:
Here we're reaching a design issue: we are missing a service between the subgraph service and the actual HTTP call. By separating in 2 services, we would be able to do:
This would require splitting some parts of the traffic shaping plugin, but at this point I feel they would live better directly in the relevant service instead of all in a layer
The text was updated successfully, but these errors were encountered: