Question: Possible to drop authentication header on redirects? #626

Closed
colinjstief opened this issue Nov 8, 2019 · 8 comments

@colinjstief

I am attempting to make an authenticated GET request that retrieves a presigned URL to a file sitting in Amazon S3. However, I am getting a 400 response with the following error:

"Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified".

I can make the same request in Postman and successfully retrieve my file. Seems like I need to drop my authorization headers on the redirect that is happening. Is this possible with httr?

@cderv
Contributor

cderv commented Nov 8, 2019

I don't know specifically about S3 URLs and auth mechanisms. The error you mentioned seems to indicate you did not use any auth mechanism to connect, or too many mechanisms.
You can add an authorization header using add_headers.

I think you could ask this kind of question on community.rstudio.com where there is a broad community ready to help and surely some experienced user with this.

Know that there are some 📦 dedicated to working with AWS S3, like aws.s3, which is built upon httr. They may be of help for this kind of usage.

Hope it helps.

@colinjstief
Author

Auth header is included and valid on initial request, which is successful. Will head over to community, thanks!

@colinjstief
Author

One other thought here—I'm confident the re-use of auth header on redirect is my issue, so my question is less troubleshooting and more "does this feature exist in the package". It's not obvious to me from the documentation, but maybe I'm missing something.

Here is a screenshot for the toggle for this in Postman:

image

Maybe in the end this is more of a feature request.

@cderv
Contributor

cderv commented Nov 9, 2019

Can you give example code of what you are using currently that doesn't work?

That way I can have a look at whether the authorization header can be dropped for redirects.

@colinjstief
Author

colinjstief commented Nov 10, 2019

Sure, it's super simple:

exportRequest <- GET(
  exportDownloadURL,
  authenticate(user, password, type = "basic")
)

This goes where I need it to and correctly redirects me to a pre-signed URL that I can use to download the file I need. Just for a little context, this is a third-party API that stores their files on AWS, so I have no control over any of that. What I'm looking for is something like this:

exportRequest <- GET(
  exportDownloadURLComplete,
  authenticate(user, password, type = "basic"),
  passAuthOnRedirect = FALSE
)

@cderv
Contributor

cderv commented Nov 10, 2019

Thanks for the example, that clarifies the situation.

What version of curl do you have on your system?
It seems like a bug in curl to pass the headers also into the redirected request.
See https://curl.haxx.se/docs/CVE-2018-1000007.html

Could it be related? Updating curl can help with this, it seems. I don't know how to test this or which version of curl is used with httr 🤷‍♂
curl --version on my Windows says 7.55; however, curl::curl_version() in R says 7.64.1. I don't know which one is used... 🤔
I am on Windows and indeed curl has been updated to 7.64.

For the second solution advised on the link above, you can catch the redirect then follow without providing the header. Here is a simple example you can surely improve.

library(httr)
# Authorization header is indeed passed through
resp <- GET(
  "https://httpbin.org/redirect-to",
  query = list(
    url="https://httpbin.org/headers"
  ),
  authenticate("user", "pwd", type = "basic")
)
# look at content res = headers received
res <- content(resp)
"Authorization" %in% names(res$headers)
#> [1] TRUE

# You can catch the redirect yourself and do not provide header
resp <- GET(
  "https://httpbin.org/redirect-to",
  query = list(
    url="https://httpbin.org/headers"
  ),
  config(followlocation = FALSE),
  authenticate("user", "pwd", type = "basic")
)
if ("location" %in% names(headers(resp))) {
  redirected_url <- headers(resp)[["location"]]
  resp <- GET(redirected_url)
}
res <- content(resp)
"Authorization" %in% names(res$headers)
#> [1] FALSE

Created on 2019-11-10 by the reprex package (v0.3.0)

From the curl docs, it seems that with newer versions of curl, auth should not be passed on redirect if the hostname is different (which in my test it is not). You can try it yourself with your real example.

  • Check your curl version and see if it is correct.
  • Update and test again.
  • Maybe try directly with a curl command line if your version is 7.58 or above to check it.

Hope it helps.
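
Added example, not part of the thread and not httr's own code: a generalization of the catch-the-redirect workaround above that follows each hop by hand, resolves relative Location values, and stops sending credentials once a hop leaves the original origin. `origin_of`, `same_origin` and `get_scoped_auth` are hypothetical helper names, the example.com URLs are constructed, and the `xml2` package is assumed to be installed for `url_absolute()`.

```r
library(httr)

# Origin = scheme + host + effective port (default port filled in).
origin_of <- function(url) {
  p <- parse_url(url)
  scheme <- tolower(p$scheme)
  port <- p$port
  if (is.null(port)) port <- if (scheme == "https") 443L else 80L
  paste0(scheme, "://", tolower(p$hostname), ":", as.integer(port))
}

same_origin <- function(a, b) identical(origin_of(a), origin_of(b))

# Hypothetical helper (not an httr function): follow redirects manually and
# send basic-auth credentials only while the request stays on the first origin.
get_scoped_auth <- function(url, user, password, max_redirects = 5) {
  start <- url
  send_auth <- TRUE
  for (hop in seq_len(max_redirects + 1)) {
    # Once a hop leaves the starting origin, credentials are never sent again,
    # even if a later redirect points back to it.
    send_auth <- send_auth && same_origin(start, url)
    no_follow <- config(followlocation = FALSE)
    resp <- if (send_auth) {
      GET(url, no_follow, authenticate(user, password, type = "basic"))
    } else {
      GET(url, no_follow)
    }
    location <- headers(resp)[["location"]]
    is_redirect <- status_code(resp) %in% c(301, 302, 303, 307, 308)
    if (!is_redirect || is.null(location)) return(resp)
    # Location may be relative; resolve it against the URL just requested.
    url <- xml2::url_absolute(location, url)
  }
  stop("more than ", max_redirects, " redirects")
}

# Constructed URLs; this check of the origin rule needs no network access.
stopifnot(
  same_origin("https://api.example.com/export/1",
              "https://api.example.com:443/files/1"),
  !same_origin("https://api.example.com/export/1",
               "https://files.example.com/export/1"),
  !same_origin("https://api.example.com/export/1",
               "http://api.example.com/export/1")
)
```

With the variables from the earlier comment, the call would be `get_scoped_auth(exportDownloadURL, user, password)` in place of `GET()`.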

@colinjstief
Author

Thanks @cderv that's very helpful!

@yaswanth-8

The error message indicates that multiple authentication mechanisms are being used simultaneously. Specifically, the error states that both the X-Amz-Algorithm query parameter (used for pre-signed URLs) and the Authorization header (which is likely being set somewhere in your code) are being included in the request. S3 only allows one authentication mechanism per request.
