Fix WaveClient sending Bearer token to public S3 URLs#6672
Conversation
When fetching container configs from external URLs (e.g., public S3 buckets), the WaveClient was sending the Tower/Platform Bearer token with the request. AWS S3 does not support Bearer authentication and returns a 400 error: "Unsupported Authorization Type". This fix adds a dedicated HTTP client (plainHttpClient) without Bearer token authentication for fetching external container configs, while the main client continues to use authentication for Wave/Tower API calls. Fixes #6671 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> Signed-off-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>
✅ Deploy Preview for nextflow-docs-staging canceled.
|
|
@jorgee Good question. After reviewing both codebases, here's what I found: The Bearer token IS used by Wave backend, but for a different purpose than fetching the container config URL. How the token flow works:
Why
|
| protected HxClient plainHttpClient() { | ||
| return HxClient.newBuilder() | ||
| .httpClient(newHttpClient0()) | ||
| .retryConfig(config.retryOpts()) |
There was a problem hiding this comment.
| .retryConfig(config.retryOpts()) | |
| .retryConfig(config.retryOpts()) | |
| .followRedirects(HttpClient.Redirect.NORMAL) |
There was a problem hiding this comment.
Quite sure this is the default
| final resp = plainHttpClient().sendAsString(req) | ||
| final code = resp.statusCode() | ||
| final body = resp.body() | ||
| if( code>=200 && code<400 ) { |
There was a problem hiding this comment.
| if( code>=200 && code<400 ) { | |
| if( code>=200 && code<300 ) { |
jorgee
left a comment
There was a problem hiding this comment.
I was testing the provided URL and it was answering with 301 it was considered a valid status code and then there was a failure because it was expecting a JSON but S3 respond with an XML
Caused by:
Expected BEGIN_OBJECT but was STRING at line 1 column 1 path $
See https://github.com/google/gson/blob/main/Troubleshooting.md#unexpected-json-structure
As it is not doing a Wave client request, I suggest to do the following changes:
1 - configure the plainHttpClient with followRedirection(NORMAL)
2 - manage redirection status code as error to avoid the JSON error problem.
Not sure for (1), but at least we should do (2)
|
The redirect is handled by the http client by default. Just tried my branch and it's ok |
|
Maybe I get confused, but HxClient is not HxClient a wrapper of HttpClient. In that libray, the default for followredirects is NEVER https://docs.oracle.com/en/java/javase/11/docs/api/java.net.http/java/net/http/HttpClient.html#followRedirects() But, either NORMAL is the default or not, if the redirect has been followed, we shouldn't receive 3XX. So I think 3XX should be considered an error. This is the reason why I was getting the JSON parsing error when trying with "fusion.containerConfigUrl = 'https://s3.eu-west-2.amazonaws.com/bucket/path/fusion-amd64.json' |
|
So why (integration) tests pass ? |
|
Ok, I see what is happening. The URL in the issue is fake. As it is a regional S3, the AWS is returning 301 to redirect to global endpoint. It is what produces the error in my case. With a correct URL, it is working. |
|
I assume this is ok in the correct form then |
|
Yes |
Summary
plainHttpClient()without authentication for external resource requestsChanges
plainHttpClient()factory method with@Memoizedannotation for lazy initializationfetchContainerConfig()to use the plain client instead of the authenticated clientFixes #6671
Test plan
🤖 Generated with Claude Code