ShaunMaher commented on issue #11608: URL: https://github.com/apache/apisix/issues/11608#issuecomment-2472409036
Hi. I have done some digging and maybe I have something to add. I'm very new to Lua and APISIX, so I might be way off track.

The fact that `run_plugin(): key-auth exits with http status code 401` ends up in the logs implies we are getting to this line of APISIX code:
https://github.com/apache/apisix/blob/a91e79a7527288540d61bb94c2ea1179854de2de/apisix/plugin.lua#L1174

A few lines later, it calls `core.response.exit(code, body)`, which I think means that the client request should be closed (and maybe it is). It doesn't seem to stop lower priority plugins (body-transformer, plugin code I have written) from running though.

I'm not sure if this is intentional (to let other plugins do stuff in the event of an auth failure) or a bug.

Until someone that knows what they are doing can have a look at this, I have a dodgy workaround.

* Create a new plugin
* Give it a priority of 1081 (one higher than the default priority of the body-transformer plugin)
* Give it a body_filter function with the following code:

```
function _M.body_filter(conf, ctx)
    if ngx.status == 401 then
        for i, plugin in ipairs(ctx.plugins) do
            if plugin.name and plugin.name == "body-transformer" then
                core.log.error(plugin_name .. ":body_filter(): ctx.plugin[" .. i .. "]: "
                               .. core.json.encode(ctx.plugins[i], true) .. ".")
                core.log.error(plugin_name
                               .. ":body_filter(): this is the body-transformer! Disabling functions.")
                plugin.rewrite = nil
                plugin.body_filter = nil
            end
        end
    end
end
```

This uses the ctx variable to enumerate all plugins enabled for this request. It finds the `body-transformer` plugin and replaces its `rewrite` and `body_filter` functions with `nil`, effectively preventing them from running.

Complete plugin:

```
-- When using the key-auth and body-transformer plugins together, a failed
-- authentication can result in the body-transformer plugin failing (unhandled
-- error) and the client receiving an empty response.
-- This plugin is a workaround that, if authentication has failed, disables the
-- rewrite and body_filter functions in the body-transformer plugin (just for
-- the current request). If the functions are disabled, they can't fail.
local plugin_name = "exit-on-auth-failure"
local core = require("apisix.core")
local ngx = ngx

local schema = {
    type = "object",
    properties = { }
}

local _M = {
    version = 0.1,
    -- body-transformer priority: 1080. This plugin must have a higher priority
    priority = 1081,
    name = plugin_name,
    schema = schema,
    scope = "global",
}

function _M.body_filter(conf, ctx)
    if ngx.status == 401 then
        for i, plugin in ipairs(ctx.plugins) do
            if plugin.name and plugin.name == "body-transformer" then
                core.log.error(plugin_name .. ":body_filter(): ctx.plugin[" .. i .. "]: "
                               .. core.json.encode(ctx.plugins[i], true) .. ".")
                core.log.error(plugin_name
                               .. ":body_filter(): this is the body-transformer! Disabling functions.")
                plugin.rewrite = nil
                plugin.body_filter = nil
            end
        end
    end
end

return _M
```

Put the above in a file called `exit-on-auth-failure.lua` in the same location as the other APISIX plugins, add it to the list of plugins in apisix.yaml, and add it to the list of plugins on any route that has key-auth and body-transformer enabled.

Workaround done.
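An added example, not part of the original comment and not APISIX code: a plain-Lua model of what the workaround does to later requests, under the assumption that the entries of `ctx.plugins` reference plugin tables shared by every request in a worker. The stand-in `body_transformer`, `new_ctx`, `run_phase` and both `disable_*` helpers are constructed for illustration, and variant B has not been checked against APISIX itself.

```lua
-- Constructed stand-ins for illustration; none of this is APISIX code.
-- Assumption: one plugin table per worker, referenced from every request's ctx.plugins.
local body_transformer = {
    name = "body-transformer",
    body_filter = function(conf, ctx) ctx.transformed = true end,
}

-- Per-request context: flat list of plugin object followed by its conf.
local function new_ctx(status)
    return { status = status, plugins = { body_transformer, {} } }
end

-- Run one phase over the flat list, skipping plugins that lack the phase function.
local function run_phase(ctx, phase)
    for i = 1, #ctx.plugins, 2 do
        local fn = ctx.plugins[i][phase]
        if fn then fn(ctx.plugins[i + 1], ctx) end
    end
end

-- Variant A: the workaround's approach, clearing the function on the shared table.
local function disable_shared(ctx)
    for _, p in ipairs(ctx.plugins) do
        if p.name == "body-transformer" then p.body_filter = nil end
    end
end

-- Variant B: swap only this request's slot for a stub with no phase functions.
local function disable_for_request(ctx)
    for i = 1, #ctx.plugins, 2 do
        if ctx.plugins[i].name == "body-transformer" then
            ctx.plugins[i] = { name = "body-transformer" }
        end
    end
end

-- Handle a 401, then report whether a later 200 response is still transformed.
local function later_request_transformed(disable)
    local saved = body_transformer.body_filter
    local failed = new_ctx(401)
    disable(failed)
    run_phase(failed, "body_filter")
    local ok = new_ctx(200)
    run_phase(ok, "body_filter")
    body_transformer.body_filter = saved  -- restore so both variants start equal
    return ok.transformed == true
end

print("shared mutation, later 200 transformed: ", later_request_transformed(disable_shared))
print("per-request stub, later 200 transformed:", later_request_transformed(disable_for_request))
```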
