
Commit 44fa710

fix(forward-auth): clear configured upstream headers not present in auth response (#13183)
1 parent ddddeaf commit 44fa710

2 files changed

Lines changed: 111 additions & 4 deletions


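--- a/apisix/plugins/forward-auth.lua
+++ b/apisix/plugins/forward-auth.lua
@@ -184,12 +184,12 @@ function _M.access(conf, ctx)
 return res.status, res.body
 end
 
--- append headers that need to be get from the auth response header
+-- set headers from the auth response, clearing any client-supplied values
+-- for configured headers not present in the auth response
 for _, header in ipairs(conf.upstream_headers) do
 local header_value = res.headers[header]
-if header_value then
-core.request.set_header(ctx, header, header_value)
-end
+-- if header_value is nil, the client header's value will be removed if it exists
+core.request.set_header(ctx, header, header_value)
 end
 end
 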
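Review bot: The new contract — every name listed in `upstream_headers` is now stripped from the client request unless the auth service returns it — is a user-visible behaviour change that the commit leaves undocumented; the `upstream_headers` entry in the plugin reference should state it, e.g. `Headers from the auth service's response to forward to the upstream. A listed header that the auth response does not include is removed from the client request, so a client cannot pre-set it.` The clearing depends on `core.request.set_header(ctx, header, nil)` actually removing the header rather than being a no-op, which the inline comment asserts but this hunk cannot show; it is worth confirming it also removes the header when the client sends the name in a different case (`x-user-id`) than the configured one, since the lookup `res.headers[header]` and the clear both use the configured spelling. A deployment that relied on the old pass-through (auth service omits the header, client value kept) silently loses that behaviour, so a changelog entry is warranted. `_M.access` begins before this hunk.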
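--- /dev/null
+++ b/t/plugin/forward-auth3.t
@@ -0,0 +1,107 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+use t::APISIX 'no_plan';
+
+repeat_each(1);
+no_long_string();
+no_root_location();
+
+add_block_preprocessor(sub {
+my ($block) = @_;
+
+if (!defined $block->request) {
+$block->set_value("request", "GET /t");
+}
+});
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: setup routes
+--- config
+location /t {
+content_by_lua_block {
+local data = {
+{
+url = "/apisix/admin/upstreams/u1",
+data = [[{
+"nodes": {
+"127.0.0.1:1984": 1
+},
+"type": "roundrobin"
+}]],
+},
+{
+url = "/apisix/admin/routes/auth",
+data = {
+plugins = {
+["serverless-pre-function"] = {
+phase = "rewrite",
+functions = {
+[[return function(conf, ctx)
+local core = require("apisix.core")
+-- auth succeeds without setting X-User-ID
+core.response.exit(200)
+end]]
+}
+}
+},
+uri = "/auth"
+},
+},
+{
+url = "/apisix/admin/routes/1",
+data = [[{
+"plugins": {
+"forward-auth": {
+"uri": "http://127.0.0.1:1984/auth",
+"upstream_headers": ["X-User-ID"]
+},
+"serverless-post-function": {
+"phase": "access",
+"functions": [
+"return function(conf, ctx) local core = require(\"apisix.core\"); core.response.exit(200, core.request.headers(ctx)); end"
+]
+}
+},
+"upstream_id": "u1",
+"uri": "/hello"
+}]],
+}
+}
+
+local t = require("lib.test_admin").test
+
+for _, data in ipairs(data) do
+local code, body = t(data.url, ngx.HTTP_PUT, data.data)
+ngx.say(body)
+end
+}
+}
+--- response_body eval
+"passed\n" x 3
+
+
+
+=== TEST 2: client-supplied upstream_headers are cleared when auth response omits them
+--- request
+GET /hello
+--- more_headers
+X-User-ID: injected-value
+--- response_body_unlike eval
+qr/x-user-id/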
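Review bot: TEST 2's assertion `qr/x-user-id/` is case-sensitive, so it would pass vacuously if the echoed header map ever kept the original `X-User-ID` spelling; `qr/x-user-id/i` pins the intent regardless of how `core.request.headers(ctx)` spells the key. The file also has no positive case: a third test in which the `/auth` route sets `X-User-ID` while the client sends a different value would show that an auth-supplied value still reaches the upstream and wins over the client's, which is the other half of the contract the plugin change relies on. The TEST 1 comment `-- auth succeeds without setting X-User-ID` could state why that matters, e.g. `-- auth succeeds without setting X-User-ID, so the client-supplied value must be dropped`.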
