fix: purge invalid credentials on 403

[williazz]

Summary

When signing is enabled, then RUM stores two credentials in local storage: (1) cognito identity pool under cwr_i (2) sigv4 credentials under cwr_c. However, these credentials are only updated if they become expired, not if the RUM user intends to set a new app monitor.

Without this change, the web client will never call PutRumEvents with 200 status if invalid credentials are stored in local storage. Resolves #583

Solution

If signing is enabled and we encounter a 403, then we will purge cwr_c and rebuild the dataplane client with the previously set credentials provider. If cognito is enabled, then we will also purge cwr_i.

Testing

1. Create appmonitor1 and appmonitor2 with cognito enabled
2. Onboard website to appmonitor1
3. Switch website to appmonitor2. This should now crash the web client and it will never recover.

But with this change, (3) will instead fail once for appmointor2, then retry successfully with the correct credentials.

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[williazz]

Also resolves #699

[ps863]

question: Unique cookies configuration should help with the scenario wherein there are multiple app monitor setup for monitoring one web app. Would enabling that by default address the first problem? If yes, then I would assume this patch would be applicable to scenarios wherein app monitor is being swapped out?

[williazz]

question: Unique cookies configuration should help with the scenario wherein there are multiple app monitor setup for monitoring one web app. Would enabling that by default address the first problem? If yes, then I would assume this patch would be applicable to scenarios wherein app monitor is being swapped out?

Yeah this helps with

1. AppMonitor is changed
2. Cognito identity pool is changed
3. Multiple app monitors + unique cookies are enabled + cognito/appmonitor is switched

Does not help with
4. Multiple app monitors + unique cookies DISABLED

To address 4, we should enabled unique cookies by default. But I did notice we accidentally also made session cookies unique #560, which was probably a mistake. We should revert that if we want to enable unique cookies by default. I can make an issue for it.

[williazz]

Created issue #742

[ps863]

question: will this retrigger credential fetching?

[williazz]

Yep

 public setCognitoCredentials(
        identityPoolId: string,
        guestRoleArn?: string
    ) {
        if (identityPoolId && guestRoleArn) {
            this.setAwsCredentials(
                new BasicAuthentication(this.config, this.applicationId)
                    .ChainAnonymousCredentialsProvider
            );
        } else {
            this.setAwsCredentials(
                new EnhancedAuthentication(this.config, this.applicationId)
                    .ChainAnonymousCredentialsProvider
            );
        }
    }

[ps863]

question: Does this cause a risk of infinite cycle of purge and creation of new client if say the user actually just happens to have configuration issues on their IAM permissions?

[ps863]

ok i think this isn't an issue with the shouldPurge flag you added

[williazz]

yeah we only purge once, and let the normal retries/backoff do their thing