Webtoken and cookie session value generated through typescript code is not valid

[bisingh-mdsol]

Describe the issue

Hi Team,

Please consider below code:

import { MWAAClient, CreateWebLoginTokenCommand } from '@aws-sdk/client-mwaa'
const mwaaClient = new MWAAClient({ region })
const loginTokenCommand = new CreateWebLoginTokenCommand({ Name: envName })
const response = await mwaaClient.send(loginTokenCommand)
const webServerHostName = response.WebServerHostname

const webToken = response.WebToken

In the above code, the web token we are getting is not valid for my application in typescript,
but when I am using the Python code, it works fine for my application.

Please advice.

Links

https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/mwaa/command/CreateWebLoginTokenCommand/

[zshzbh]

Hey @bisingh-mdsol ,

Thanks for the feedback! I can't reproduce this issue. This is the steps I have -

1. Create Amazon MWAA environment "MyAirflowEnvironment"
2. Create a new index.js file and put the code to it :

import { MWAAClient, CreateWebLoginTokenCommand } from '@aws-sdk/client-mwaa'
const mwaaClient = new MWAAClient({ region: "us-west-2" })
const loginTokenCommand = new CreateWebLoginTokenCommand({ Name: "MyAirflowEnvironment" })
const response = await mwaaClient.send(loginTokenCommand)
const webServerHostName = response.WebServerHostname
const webToken = response.WebToken
console.log(webServerHostName, webToken)

and run node index.js

I can successfully get the webServerHostName and webToken.

Since you mentioned the webToken is not valid, May I know if you use python code to retrieve the webToken from the same environment? Could you please make sure python project and TS project has the same aws credentials and configuration?

Thanks!
Maggie

[bisingh-mdsol]

Thank you @zshzbh for the quick response.

Yes, I am retrieving web token from the same environment and the same aws credentials in python, It is working as expected from the Python code, the same format I am getting in typescript. But the token is not valid.

Also, I created .sh file and ran the code, the token generated by .sh file is also working.

I am wondering if the typescript token is authorized or not from aws sdk. Or please suggest to me if any alternative solution for this one. I am using typescript code, so I wanted to make it through the same.

[zshzbh]

Hey @bisingh-mdsol ,

Thanks for the input. The AWS JS SDK and AWS Python SDK have the same service code, we auto generate the service code into different languages SDKs. So if the python code works well, the TS code should also work.

While we investigating the root cause and workarounds, could you please also share the python code you use to generate the web token as well as the error message you have for validation error?

Thanks!
Maggie

[bisingh-mdsol]

Hi @zshzbh ,

Here is the Python code for the same:

import boto3
import requests

mwaa = boto3.client('mwaa', region_name=region)
response = mwaa.create_web_login_token(Name=env_name)
web_server_host_name = response["WebServerHostname"]
web_token = response["WebToken"]

login_url = f"https://{web_server_host_name}/aws_mwaa/login"
login_payload = {"token": web_token}

response_for_session_token = requests.post(
        login_url,
        data=login_payload,
        timeout=1
    )

print(response_for_session_token.cookies["session"])

I am using this web token for aws_mwaa/login and from that I am getting a response with cookie session value which I will pass to Airflow api like get and post.

We are able to generate webtoken and cookie session value from the code- TS and python but session value is valid for python only.

Also here is the complete code for TS:

const mwaaClient = new MWAAClient({ region })
const loginTokenCommand = new CreateWebLoginTokenCommand({ Name: envName })
const response = await mwaaClient.send(loginTokenCommand)
const webServerHostName = response.WebServerHostname
const webToken = response.WebToken

const loginUrl = `https://${webServerHostName}/aws_mwaa/login`

const loginPayload = { token: webToken }

const headers = {
      'Content-Type': 'application/x-www-form-urlencoded',
      withCredentials: true,
    }
const loginResponse = await axios.post(loginUrl, loginPayload, { headers })

const setCookieHeader = loginResponse.headers['set-cookie']

Please let me know what I am missing in the TS code.

Once again thank you so much for looking into this issue. Hope we will have a solution.

[bisingh-mdsol]

@zshzbh Hey, I tried the .js code of yours and it is working fine for webtoken.

Could you please pass me .ts code for the same with all the parameters required for configs on MWAAClient like region and any credentials like aws keys and all? I tried to convert the code into typescript but it threw an error for missing credentials for signaturev4.

[zshzbh]

Hey @bisingh-mdsol,

Could you please share your ts code so that we can identify the root cause? I'd like to help you check where's the issue and fix the issue. : )

Thanks!
Maggie

[kneumei]

I'm having this same issue.

import { CreateWebLoginTokenCommand, MWAAClient } from "@aws-sdk/client-mwaa";
const client = new MWAAClient({ region: "us-east-1"});
var command = new CreateWebLoginTokenCommand({
    Name: "MyEnvironment"
});
const response = await client.send(command);
const { WebToken, WebServerHostname } = response;
const loginUrl = `https://${WebServerHostname}/aws_mwaa/login`;

const loginFetchResponse = await fetch(loginUrl, {
    method: "POST",
    headers: {
        'Content-Type': 'application/x-www-form-urlencoded'
    },
    body: `token=${WebToken}`
})

const cookies = loginFetchResponse.headers.get('set-cookie');
const sessionCookie = cookies.split(';').find(cookie => cookie.trim().startsWith('session='));
onst dagUrl = `https://${WebServerHostname}/api/v1/dags`;

const dagResult = await fetch(dagUrl, {
    method: "GET",
    headers: {
        "cookie": sessionCookie
    }
});

I've noticed the following things:

1. I can make the request to /api/v1/dags successfully with python (using code provided on the documentation page). What's interesting is that if I take the session cookie out of that call and paste it into my request to list the dags ( /api/v1/dags), my typescript/node code works. So I think the cookie I'm getting in the request to /aws_mwaa/login is wrong
2. I've noticed that when I make a call to /aws_mwaa/login using an http client (like postman, I get a 302, with Location header set to /