kayx23 commented on code in PR #12405: URL: https://github.com/apache/apisix/pull/12405#discussion_r2191503048
########## docs/en/latest/plugins/forward-auth.md: ########## @@ -166,6 +167,128 @@ HTTP/1.1 403 Forbidden Location: http://example.com/auth ``` +### Using data from POST body to make decision on Authorization service + +::: note +When the decision is to be made on the basis of POST body, then it is recommended to use `$post_arg.xyz` with `extra_headers` field and make the decision on Authorization service on basis of headers rather than using POST `request_method` to pass the entire request body to Authorization service. +::: + +Create a serverless function on the `/auth` route that checks for the presence of the `tenant_id` header. If present, the route responds with HTTP 200 and sets the `X-User-ID` header to a fixed value `i-am-an-user`. If `tenant_id` is missing, it returns HTTP 400 with an error message. + +```shell +curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/auth' \ + -H "X-API-KEY: $admin_key" \ + -H 'Content-Type: application/json' \ + -d '{ + "uri": "/auth", + "plugins": { + "serverless-pre-function": { + "phase": "rewrite", + "functions": [ + "return function(conf, ctx) + local core = require(\"apisix.core\") + if core.request.header(ctx, \"tenant_id\") then + core.response.set_header(\"X-User-ID\", \"i-am-an-user\"); + core.response.exit(200); + else + core.response.exit(400, \"tenant_id is required\") + end + end" + ] + } + } +}' +``` + +Create a route that accepts POST requests and uses the `forward-auth` plugin to call the auth endpoint with the `tenant_id` from the request. The request is forwarded to the upstream service only if the auth check returns 200. + +```shell +curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/1' \ + -H "X-API-KEY: $admin_key" \ + -d '{ + "uri": "/post", + "methods": ["POST"], + "plugins": { + "forward-auth": { + "uri": "http://127.0.0.1:9080/auth";, + "request_method": "GET", + "extra_headers": {"tenant_id": "$post_arg.tenant_id"} + } + }, + "upstream": { + "nodes": { + "httpbin.org:80": 1 + }, + "type": "roundrobin" + } +}' +``` + +Send a POST request with the `tenant_id` header: + +```shell +curl -i http://127.0.0.1:9080/post -X POST -d '{ + "tenant_id": 123 +}' +``` + +You should receive an `HTTP/1.1 200 OK` response similar to the following: + +```shell +HTTP/1.1 200 OK +Content-Type: application/json +Content-Length: 491 +Connection: keep-alive +Date: Mon, 07 Jul 2025 06:50:39 GMT +Access-Control-Allow-Origin: * +Access-Control-Allow-Credentials: true +Server: APISIX/3.13.0 +``` + +```json +{ + "args": {}, + "data": "", + "files": {}, + "form": { + "{\n \"tenant_id\": 123\n}": "" + }, + "headers": { + "Accept": "*/*", + "Content-Length": "23", + "Content-Type": "application/x-www-form-urlencoded", + "Host": "127.0.0.1", + "User-Agent": "curl/8.13.0", + "X-Amzn-Trace-Id": "Root=1-686b6e3f-2fdeff70183e71551f5c5729", + "X-Forwarded-Host": "127.0.0.1" + }, + "json": null, + "origin": "127.0.0.1, 106.215.83.33", + "url": "http://127.0.0.1/post"; +} +``` + +Send a POST request without the `tenant_id` header: + +```shell + curl -i http://127.0.0.1:9080/post -X POST -d '{ + "abc": 123 +}' +``` + +You should receive an HTTP/1.1 400 Bad Request response with the following message: Review Comment: ```suggestion You should receive an `HTTP/1.1 400 Bad Request` response with the following message: ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
