zhangyuthink commented on issue #10282: URL: https://github.com/apache/apisix/issues/10282#issuecomment-1742641942
> @zhangyuthink So how about an additional `passwords` field. The schema will allow only one of `password` or `passwords`. If you configure `passwords`, then all the passwords will be checked until there is a match. Although I am not really sure of the performance hit if we don't cap the allowed number of passwords. So in your scenario, you can change the consumer to now accept `passwords` consisting of both old and new.

Firstly, regarding performance issues. I have reviewed the code and conducted preliminary testing, and under normal circumstances the performance should not be affected. The basic-auth plugin first parses the password from the client's request, and then verifies it against the password in the configuration. We can modify [basic-auth.lua](https://github.com/apache/apisix/blob/master/apisix/plugins/basic-auth.lua), adding code to verify the second password around line 155.

```lua
-- 4. check the password is correct
if cur_consumer.auth_conf.password ~= password
   and cur_consumer.auth_conf.password2 ~= password then
    return 401, { message = "Invalid user authorization" }
end
```

Only if the first password is incorrect will it check the second password. We only need to ensure that the first password is the long-term password.

Secondly, regarding what you said, "change the consumer to now accept passwords consisting of both old and new.", I'm sorry, I didn't quite understand.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
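The two proposals in the thread differ in shape: a fixed `password2` field versus a `passwords` list that is checked until one entry matches, with a cap on its length so the per-request cost stays bounded. The block below is an added, self-contained Lua sketch of the list form; it is not APISIX code and not from either participant. It assumes a consumer `auth_conf` table with the same `password`/`passwords` fields discussed above, an assumed cap `MAX_PASSWORDS`, and a hypothetical `check_password` helper that returns `nil` on success or an HTTP status and body (the `500` path for a malformed consumer is an assumption; in the real plugin that would be caught by schema validation rather than at request time).

```lua
-- Added example (not APISIX code): checking a consumer's `passwords` list in
-- the style of basic-auth step "4. check the password is correct".
-- MAX_PASSWORDS is an assumed cap on how many rotating passwords a consumer may carry.
local MAX_PASSWORDS = 5

-- Returns the list of candidate passwords from auth_conf, accepting exactly one
-- of the single `password` field or the `passwords` list. On a malformed
-- configuration it returns nil and an error string.
local function candidate_passwords(auth_conf)
    if auth_conf.passwords ~= nil then
        if auth_conf.password ~= nil then
            return nil, "only one of password or passwords may be set"
        end
        local n = #auth_conf.passwords
        if n == 0 or n > MAX_PASSWORDS then
            return nil, "passwords must contain between 1 and " .. MAX_PASSWORDS .. " entries"
        end
        return auth_conf.passwords
    end
    if auth_conf.password == nil then
        return nil, "one of password or passwords is required"
    end
    return { auth_conf.password }
end

-- Hypothetical helper: nil on a match, otherwise an HTTP status and a body table.
-- Every candidate is tried in order until one matches, so a consumer configured
-- with both the old and the new password accepts either during a rotation.
local function check_password(auth_conf, supplied)
    local candidates, err = candidate_passwords(auth_conf)
    if not candidates then
        -- Assumed behaviour for an invalid consumer; real APISIX validates the
        -- schema when the consumer is created, not here.
        return 500, { message = "invalid consumer configuration: " .. err }
    end
    for _, pw in ipairs(candidates) do
        if pw == supplied then
            return nil
        end
    end
    return 401, { message = "Invalid user authorization" }
end

-- Constructed sample consumers for a rotation scenario (not real credentials).
local legacy   = { username = "foo", password = "old-secret" }
local rotating = { username = "foo", passwords = { "old-secret", "new-secret" } }

assert(check_password(legacy, "old-secret") == nil)      -- single password still works
assert(check_password(legacy, "new-secret") == 401)      -- not yet rotated
assert(check_password(rotating, "old-secret") == nil)    -- old password accepted during rotation
assert(check_password(rotating, "new-secret") == nil)    -- new password accepted too
assert(check_password(rotating, "wrong") == 401)         -- everything else rejected
assert(check_password({ username = "foo", password = "a", passwords = { "b" } }, "a") == 500)
assert(check_password({ username = "foo", passwords = { "1", "2", "3", "4", "5", "6" } }, "1") == 500)
print("all checks passed")
```

Once the rotation is complete the operator drops the old entry from `passwords` (or switches back to a single `password`), so the window in which two secrets are valid is bounded by the consumer update rather than by code.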
