Why is CloudFront not forwarding query strings when using route parameters? - aws-api-gateway

An HTTP API with two routes:
/route1
/route2/{param}
Using a CloudFront cache policy with myquery query string included:
when calling /route1?myquery=foo - the query string is available in the lambda payload,
when calling /route2/something?myquery=foo - the query string is missing from the payload.
When calling the API directly, without CloudFront, the query string is always in the payload.
Why is that?

Related

Correct REST API Response HTTP Status Code

I am creating a REST API which will run a simple database query and return some data, based on the payload.
If my SQL query returns no results then I am returning the plain text "No Records Found".
What HTTP response code would be appropriate for such an event. Is it 200 or 404.
If you are returning a JSON payload and your resource can be represented as a collection, then it makes sense to return 200 along with an empty array ([]) in the response payload.
If you are returning a single resource for a given identifier, and no resource can be found with the given identifier, then it makes sense to return 404.

Is it possible to get the name of the method executed in resolver at runtime AppSync?

I have an AppSync PIPELINE composed of an auth-service + business-service.
I have implemented RBAC in auth-service, so based on the operation and the role that the user has, it allows or dennies the execution of the bussiness-service.
I need to map the GraphQL Mutation or Query field (method called from the client) to the operation (for example if the user try to do the Mutation: addUser, this is the operation).
Is it possible to get the method executed by the client in the resolver at run time? (for example addUser, deletePost). In order to not have to implement a different auth-service for each of the Queries and Mutations?
Similar scenario, here's what I'm doing:
Before Mapping - Save identity/claims from Cognito etc. to the stash.
Function Request - Check stash, if unauthorized $util.error, else
store the operation name and operand details in the stash before
continuing.
Function Response - Perform any other filtering or ownership checks
on the response, $util.error/early return if unauthorized.
After Mapping - Final transformation of the response or passthrough.
Basically I felt that exposing deep knowledge about an Entity to a generic pipeline auth function was a bad idea, I was more comfortable with an entity's resolver function being aware of what is allowed/disallowed.

Is it possible to disallow unknown query parameters in an OpenAPI v3 spec?

In OpenAPI, you can specify additionalProperties: false as part of an object schema to indicate that extra, unknown properties in a request or response body will be considered a validation error.
Is there any way to do something similar when specifying query parameters for an API? I want to indicate that requests including other query parameters beyond those explicitly documented will be considered an error and trigger an HTTP 400 response.
I see that you can mark individual parameters as required: true, but I can't find any way to say, "These are the only parameters allowed." Does the OpenAPI 3 spec allow this? If so, how?

How to use additional save feature along with search feature HTTP API call

I have implemented an /GET HTTP endpoint to provide search feature. The user sends search terms in query parameters and receives JSON response containing all search results.
Now I have to add a new feature i.e. save search. It means the user sends same search parameters and can also send a boolean parameter say save=true. I have to save the search term in database in this case for future uses. However this parameter is not mandatory.
I am confused over the following points:
Modify same GET HTTP endpoint allowing additional save parameter in query parameters.
Modify same GET HTTP endpoint but passing save parameter in request body instead of query parameters as its backend state changing parameter.
Use separate endpoint for save the parameters using POST method.
What is the standard/acceptable way of doing this?
As far as I understood your question you try to store a search request and by storing it also retrieve the response in one go?
Usually GET is used to retrieve a resources' state though as this method is defined as safe it shouldn't be used if certain state is created for the invoked resource as persisting the search query would be. RFC 7231 further states that:
A payload within a GET request message has no defined semantics; sending a payload body on a GET request might cause some existing implementations to reject the request.
I therefore would refrain from option #1 or #2 as this might break interoperability by certain clients.
POST on the otherhand is defined in RFC 7231 as
The POST method requests that the target resource process the representation enclosed in the request according to the resource's own specific semantics.
It therefore should be used in every situation the other HTTP operations don't fit. The HTTP spec further defines that creating a new resource a 201 Created HTTP status code should be returned including a HTTP response header named Location containing the URI of the created resource. This URI can later be used to retrieve it's state (i.e. the performed search result).
From a client's perspective you are basically storing some query definition on the server and don't care where or how the server is actually persisting it. All you care is to retrieve a handle you can later on invoke. This doesn't prevent the server from returning the current search result within the response payload. And this is what I'd do exactly.
Proposed steps:
Send search request via POST
Store query definition
Generate the URI for the stored query
Perform the search according to the query
Return a response with a 201 Created status code and Location header pointing to the URI of the stored query and add the query result within the response payload
A client can later on use the returned URI to retrieve the current state of the resource, which the server can interpret as: execute the query stored for that URI and return the search result.
How the URI has to look like is not defined by the REST architecture. You might generate UUIDs or generate a hash value based on the query generate. The latter approach has the benefit that multiple identical queries wouldn't result in additional queries created but in the reusage of such. In such cases a redirect to the existing query resource should be performed to tell the client that his query already existed which also teaches the client the actual URI of the query resource as a side effect.

authenctication token in a queryString

Our current implementation of the REST API uses apiKey inside queryString for all type of request(PUT, POST, GET). I feel it's wrong but can't explain why(maybe the apiKey can be cashed somewhere between server and client). Something like:
POST /objects?apiKey=supersecret {name: 'some'}
So, is it a security problem? Please describe both HTTP and HTTPS connection case
HTTP
Your supersecret values can be seen and intercepted by thirdparties whenever you send it from the client to the server or vice versa irrespective of whether you use PUT,POST, etc. This is even true when you use cookies for storing those values instead of query string.
HTTPS:
When the data is in transit between your client and server it cannot be intercepted since its protected by https, even if it is in query string. But most people consider sending data in query string as bad, since many system logs the query strings. For eg most servers are configured to print the access logs with the path & query parameters. Also if its from a browser it can be stored in your browser history.