coder2z commented on issue #11738:
URL: https://github.com/apache/apisix/issues/11738#issuecomment-2908473083
> > Security Issue: Unauthenticated User with Forged
userid:安全问题:未经身份验证的用户,用户 ID 为伪造:
>
> Why doesn't the authentication service reject it in this
case?在这种情况下,为什么身份验证服务不拒绝它?
```
┌───────────┐ ┌───────────┐ ┌───────────┐ ┌───────────┐
│ Client │ │ APISIX │ │ auth-svr │ │ Business │
│(Not logged)│────►│ API Gateway│────►│ Auth Svc │────►│ Service A │
└───────────┘ └───────────┘ └───────────┘ └───────────┘
Request Hdrs: Forwarded Hdrs: Token Verification: Received Hdrs:
userid=123 userid=123 Failed userid=123 ❌
token=1111 token=1111 (Forged userid) token=1111
```
There is also a scenario where this token 1111 is an expired token for the
user, which was previously a valid token.
Due to h5/client caching, the old token is still used for the request, and
the requested interface is a whitelisted interface.
In this case, the auth svr will allow the request and will not return a 403
(because the interface is whitelisted, the user can access it without
re-logging in).should not be passed userid
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
