fix(identity-vault): return nextPage tokens which are API Gateway friendly

bheesham · bheesham · commit d46ebd0ba567 · 2025-09-23T16:33:50.000-04:00
> The plain text pipe character (|) and the curly brace character ({ or }) are > not supported for any request URL query string and must be URL-encoded. via [Amazon API Gateway important notes][important-notes] Jira: IAM-1793 [important-notes]: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-known-issues.html#api-gateway-known-issues-rest-apis
diff --git a/python-modules/cis_identity_vault/cis_identity_vault/models/user.py b/python-modules/cis_identity_vault/cis_identity_vault/models/user.py
@@ -12,6 +12,7 @@
 import json
 import logging
 import uuid
+import urllib.parse
 from boto3.dynamodb.conditions import Attr
 from boto3.dynamodb.conditions import Key
 from boto3.dynamodb.types import TypeDeserializer
@@ -348,11 +349,12 @@ def _last_evaluated_to_friendly(self, last_evaluated_keys):
             next_page.append(id)
         # If there are at all any segments left with work, then continue.
         if any(next_page):
-            return ",".join(next_page)
+            next_page_raw = ",".join(next_page)
+            return urllib.parse.quote(next_page_raw)
         else:
             return None
 
-    def _next_page_to_dynamodb(self, next_page):
+    def _next_page_to_dynamodb(self, next_page_raw):
         """
         Received from _clients_, and deserialized into something our parallel
         Dynamo code understands.
@@ -366,8 +368,9 @@ def _next_page_to_dynamodb(self, next_page):
         returns a `list[Optional[Any]]`, that means that we can still make
         progress on some segments.
         """
-        if not next_page:
+        if not next_page_raw:
             return None
+        next_page = urllib.parse.unquote(next_page_raw)
         exclusive_start_keys = []
         for last_evaluated_key in next_page.split(","):
             if last_evaluated_key == "":
diff --git a/python-modules/cis_profile_retrieval_service/cis_profile_retrieval_service/v2_api.py b/python-modules/cis_profile_retrieval_service/cis_profile_retrieval_service/v2_api.py
@@ -158,8 +158,6 @@ def get(self):
 
         logger.info("Attempting to get all users for connection method: {}".format(args.get("connectionMethod")))
         next_page = args.get("nextPage")
-        if next_page is not None:
-            next_page = urllib.parse.unquote(next_page)
 
         identity_vault = user.Profile(dynamodb_table, dynamodb_client, transactions=transactions)
 
