Do you want to request a feature or report a bug?
I think this is a bug. The only other reference I could find is here: https://github.com/awslabs/aws-mobile-appsync-sdk-js/issues/263#issuecomment-461280846
What is the current behavior?
We are using the IAM auth link. The logs are filled with error: Refused to set unsafe header "host". The signature per se works (after all, the "overridden header" is the correct host to begin with, so there's nothing to override), but the mess in the logs causes some troubles with our error tracking.
If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem.
Our Apollo client is configured as follows:
The url is our custom domain on AppSync.^1
What is the expected behavior?
No errors. Maybe we are using this incorrectly and I'm missing something. I can't quite understand how this could work with Host being a forbidden header.^2
I think the problem is coming from here: https://github.com/awslabs/aws-mobile-appsync-sdk-js/blob/8502a78a5826c39ffaa16881462438392b276cea/packages/aws-appsync-auth-link/src/signer/signer.ts#L235
Since the same request object is created to compute the IAM signature, and then replaced into the Apollo operation context: https://github.com/awslabs/aws-mobile-appsync-sdk-js/blob/82cb58ee5256a0689ec45576b2fae1b83a0bff03/packages/aws-appsync-auth-link/src/auth-link.ts#L103
Which versions and which environment (browser, react-native, nodejs) / OS are affected by this issue? Did this work in previous versions?
We also use the Cognito auth link - that one does not present any issue.
The same error is there on Safari 17.2.1 and Chrome 120, both on macOS 14.2.1
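
The situation described in this issue, as an added example that is not part of the original report and is not the SDK's code: SigV4 has to sign over host, while a browser transport refuses a script-set Host header and fills it in from the URL itself. The function names, the endpoint, the region and the credentials below are constructed placeholders, and the signer is reduced to a POST with no query string and no session token.

```javascript
// Added illustration; not code from aws-appsync-auth-link.
const crypto = require("crypto");

// Subset of the Fetch standard's forbidden request-header names.
const FORBIDDEN = new Set(["host", "connection", "content-length", "cookie",
  "date", "origin", "referer", "transfer-encoding", "upgrade", "via"]);

const sha256Hex = (s) => crypto.createHash("sha256").update(s).digest("hex");
const hmac = (key, s) => crypto.createHmac("sha256", key).update(s).digest();

// Minimal SigV4 signing: host is part of the canonical (signed) headers.
function signRequest({ url, body, region, service, amzDate, creds }) {
  const { host, pathname } = new URL(url);
  const headers = { host, "x-amz-date": amzDate, "content-type": "application/json" };
  const names = Object.keys(headers).sort();
  const canonicalHeaders = names.map((n) => `${n}:${headers[n]}\n`).join("");
  const signedHeaders = names.join(";");
  const canonicalRequest = ["POST", pathname, "", canonicalHeaders,
    signedHeaders, sha256Hex(body)].join("\n");
  const day = amzDate.slice(0, 8);
  const scope = `${day}/${region}/${service}/aws4_request`;
  const stringToSign = ["AWS4-HMAC-SHA256", amzDate, scope,
    sha256Hex(canonicalRequest)].join("\n");
  // Key derivation chain: date -> region -> service -> "aws4_request".
  const key = [day, region, service, "aws4_request"]
    .reduce(hmac, "AWS4" + creds.secretAccessKey);
  const signature = hmac(key, stringToSign).toString("hex");
  headers.authorization = `AWS4-HMAC-SHA256 Credential=${creds.accessKeyId}/` +
    `${scope}, SignedHeaders=${signedHeaders}, Signature=${signature}`;
  return headers;
}

// Keep only headers a browser lets script set; the browser supplies Host
// from the URL, which is the same value that was signed.
function toTransportHeaders(signed) {
  return Object.fromEntries(Object.entries(signed).filter(([name]) => {
    const n = name.toLowerCase();
    return !FORBIDDEN.has(n) && !n.startsWith("proxy-") && !n.startsWith("sec-");
  }));
}

// Constructed sample input with placeholder credentials.
const SAMPLE = {
  url: "https://api.example.com/graphql", body: '{"query":"{ __typename }"}',
  region: "eu-west-1", service: "appsync", amzDate: "20240101T000000Z",
  creds: { accessKeyId: "AKIDEXAMPLE", secretAccessKey: "constructed-secret" },
};
```

The Authorization header still lists host under SignedHeaders after filtering, so the signature stays valid only while the URL the request is sent to carries the host that was signed.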