SessionTags is being used and SessionLifetimeInMinutes is set to 600) to render the URL for the frontend to embed. This was all working fine until I navigated away from the page embedding the dashboard and back, where I got the error “Embedding failed because of invalid URL or authorization code. Both of these must be valid and the authorization code must not be expired for embedding to work”.
So internally, I’m using a GraphQL endpoint to generate the embed URL for the frontend. I think when I revisited the page, GraphQL used the cached URL instead of sending the request again, and this is where the issue occurred. I think this should work, as the session/token is still valid? Is it possible that I don’t need to call the GraphQL endpoint every time the page is visited until the session has expired?
Also, since the URL is exposed in the frontend, a customer could potentially tamper with the URL, since I have included some sensitive params in it. How is QuickSight able to prevent this?
The URL generated by the API has 5 min validity, as the temporary session token is contained in it, and once it is redeemed within that period it can’t be reused again. When you navigated away from the embedded dashboard page and revisited, I am wondering if the user session was renewed… and then it tried to use the same URL generated earlier from the cache…?
Hope this helps.
Thanks for the reply @Wakana
So you are saying that once the URL is used, it can’t be reused to render the dashboard, even within this 5 min session?
when you navigated away from the embedded dashboard page and revisited, I am wondering if the user session is renewed
By default, the call to generate_embed_url_for_anonymous_user is only executed when GraphQL doesn’t have the result cached; all subsequent calls will use the cached version until the page is refreshed. This is when I get the error. I can fix the issue by making GraphQL make the call every time the page is visited, but I’m just wondering why I get the error when I use the same dashboard URL seconds after it’s generated.
Yes, for security reasons the generated URL has a validity period and is single use only, which prevents the URL from being passed to anyone else who would then be able to see the dashboard.
But once it is redeemed in the browser, as long as the session whose length you configured as 600s is valid, the embedded dashboard is available. I am guessing that when you revisit the page, the page is reloaded (= the session is renewed)?
I’m using a lambda to generate the dashboard URL by calling generate_embed_url_for_anonymous_user from the boto3 quicksight client, and the client side will simply embed the URL passed from the lambda. I prob will not use the JS SDK.
My concern is that the dashboard URL will be exposed to the client side, and what kind of OOTB mechanism is in place on the QuickSight end to prevent users from tampering with the URL. I also have RLS enabled for the sensitive column.
Pointers to the issue are also appreciated.
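The pattern the thread converges on, written out as an added example (not code from the original posters or from AWS): a Lambda-style handler that calls `generate_embed_url_for_anonymous_user` afresh on every page visit instead of letting the GraphQL layer cache the result, and that sets `SessionTags` from the server-side identity rather than from anything the browser sends, so the values QuickSight uses for RLS are bound into the session token and never appear as editable URL parameters. The account ID, namespace, dashboard ID, region and allowed domain are constructed placeholders, and `StubQuickSight` is a constructed stand-in for the boto3 client that models only the behaviour the replies describe (a fresh URL per call, each URL redeemable once) so the example runs offline.

```python
"""Added example: generate a QuickSight anonymous embed URL per visit and
bind RLS tags server-side.  Placeholder IDs and a constructed stub client."""
from __future__ import annotations

# Constructed placeholders; replace with your own account, namespace and dashboard.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
NAMESPACE = "default"
DASHBOARD_ID = "00000000-0000-0000-0000-000000000000"
SESSION_LIFETIME_MINUTES = 600                 # the setting used in the thread
ALLOWED_DOMAINS = ["https://app.example.com"]  # hypothetical embedding origin


def build_embed_request(tenant_id: str) -> dict:
    """Parameters for generate_embed_url_for_anonymous_user.

    tenant_id comes from the authenticated server-side identity (e.g. the
    resolver's caller), never from request parameters the browser controls.
    QuickSight evaluates the dataset's RLS tag rules against SessionTags,
    which travel inside the signed session token, not as query-string values.
    """
    dashboard_arn = f"arn:aws:quicksight:{REGION}:{ACCOUNT_ID}:dashboard/{DASHBOARD_ID}"
    return {
        "AwsAccountId": ACCOUNT_ID,
        "Namespace": NAMESPACE,
        "SessionLifetimeInMinutes": SESSION_LIFETIME_MINUTES,
        "AuthorizedResourceArns": [dashboard_arn],
        "ExperienceConfiguration": {"Dashboard": {"InitialDashboardId": DASHBOARD_ID}},
        "SessionTags": [{"Key": "tenant_id", "Value": tenant_id}],
        "AllowedDomains": ALLOWED_DOMAINS,
    }


def get_embed_url(client, tenant_id: str) -> str:
    """Always hit the API: the returned URL is short-lived and single use,
    so memoising it (as the GraphQL result cache did) breaks the next visit."""
    resp = client.generate_embed_url_for_anonymous_user(**build_embed_request(tenant_id))
    return resp["EmbedUrl"]


def real_client():
    """The client a deployed Lambda would use; imported lazily so the
    offline example does not require boto3."""
    import boto3
    return boto3.client("quicksight", region_name=REGION)


class StubQuickSight:
    """Constructed stand-in modelling the behaviour described in the thread:
    every call yields a new URL, and a URL can be redeemed exactly once."""

    def __init__(self) -> None:
        self.calls: list[dict] = []
        self._issued: set[str] = set()
        self._redeemed: set[str] = set()

    def generate_embed_url_for_anonymous_user(self, **params) -> dict:
        self.calls.append(params)
        url = f"https://quicksight.example/embed/{len(self.calls)}"  # constructed
        self._issued.add(url)
        return {"EmbedUrl": url, "Status": 200, "RequestId": f"req-{len(self.calls)}"}

    def redeem(self, url: str) -> bool:
        """Simulates the browser loading the URL; False means the
        'invalid URL or authorization code' failure from the thread."""
        if url not in self._issued or url in self._redeemed:
            return False
        self._redeemed.add(url)
        return True


def simulate_page_visits(client, tenant_id: str, visits: int, cache_in_graphql: bool) -> list[bool]:
    """Return one redemption result per visit.  With cache_in_graphql=True the
    resolver reuses the first URL, reproducing the failure on revisit."""
    cached: str | None = None
    results = []
    for _ in range(visits):
        if cache_in_graphql and cached is not None:
            url = cached
        else:
            url = cached = get_embed_url(client, tenant_id)
        results.append(client.redeem(url))
    return results


if __name__ == "__main__":
    print(simulate_page_visits(StubQuickSight(), "acme", 3, cache_in_graphql=True))
    print(simulate_page_visits(StubQuickSight(), "acme", 3, cache_in_graphql=False))
```

In a real deployment `real_client()` replaces the stub and the resolver marks the field as non-cacheable (or bypasses the cache for this query), so each page load costs one API call and gets a URL that is still redeemable.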