Copilot commented on code in PR #13464:
URL: https://github.com/apache/apisix/pull/13464#discussion_r3345640754


##########
docs/zh/latest/plugins/jwe-decrypt.md:
##########
@@ -219,22 +160,21 @@ kubectl apply -f jwe-encrypt-api-ic.yaml
 </TabItem>
 </Tabs>
 
-向加密端点发送请求,使用消费者密钥加密 payload 中的示例数据:
+要为消费者生成 JWE 令牌,可使用任意 AES-256-GCM 库离线加密 payload,加密密钥为消费者的 secret。令牌结构如下:
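Review bot: the added sentence tells the reader to encrypt offline with any AES-256-GCM library using the Consumer secret as the key, but leaves out the two constraints that decide whether the resulting token is safe: A256GCM needs a key of exactly 32 bytes, so the Consumer secret must be 32 bytes long, and the 96-bit IV must be generated fresh (random, or a counter that never repeats) for every token encrypted under that secret, because a repeated key/IV pair under GCM exposes the XOR of the two payloads and lets the authentication key be recovered. Add one sentence stating both, worded to match the English page so the two translations stay in sync.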

Review Comment:
   The offline JWE token generation guidance should add the AES-GCM IV requirement: reusing an IV under the same key breaks its security. The current example IV (`"123456789012"`) could easily lead readers to believe it can be used as a fixed value.



##########
docs/en/latest/plugins/jwe-decrypt.md:
##########
@@ -219,22 +160,21 @@ kubectl apply -f jwe-encrypt-api-ic.yaml
 </TabItem>
 </Tabs>
 
-Send a request to the encryption endpoint with Consumer key to encrypt some 
sample data in the payload:
+To generate a JWE token for the Consumer, encrypt the payload offline with any 
AES-256-GCM library, using the Consumer secret as the key. The token structure 
is:
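Review bot: `using the Consumer secret as the key` is underspecified for someone who has to produce a token the plugin will accept. State that the secret must be exactly 32 bytes (A256GCM is AES-256), that the IV is 12 bytes and must be unique for every token encrypted under the same secret, and that the additional authenticated data passed to the library must be the base64url-encoded protected header, otherwise the tag will not verify. Something like: `The Consumer secret must be 32 bytes. Generate a fresh random 12-byte IV for every token and never reuse one under the same secret. Pass the base64url-encoded protected header as the AAD.`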

Review Comment:
   The new offline token-generation guidance should explicitly call out AES-GCM 
IV requirements. Reusing an IV with the same key breaks 
confidentiality/integrity, and the example IV (`"123456789012"`) could be 
misread as acceptable beyond an example.
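What the two review comments above ask for, shown as an added example that is not part of the PR, the plugin or its docs: a Go program using only the standard library (a stand-in for the "any AES-256-GCM library" the docs mention; APISIX itself is Lua) that builds a compact JWE with alg dir and enc A256GCM in the same header..iv.ciphertext.tag layout as the test fixture, verifies it, and shows what a fixed IV costs. The helper names (EncryptDirA256GCM, DecryptDirA256GCM, KeystreamLeak), the 32-byte secret, the kid chen-key and the payload hello are assumptions constructed for the demo, not values from the project.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // unpadded base64url, as JWE compact serialization requires

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // A256GCM means AES-256: exactly 32 bytes, nothing shorter
		return nil, fmt.Errorf("A256GCM needs a 32-byte key, got %d bytes", len(key))
	}
	block, _ := aes.NewCipher(key) // cannot fail once the length is exactly 32
	return cipher.NewGCM(block)    // 96-bit nonce, 128-bit tag
}

// EncryptDirA256GCM builds a compact JWE "header..iv.ciphertext.tag" with alg "dir"
// and enc "A256GCM" (hypothetical helper, not the plugin's code; the empty segment
// is the unused encrypted key). Pass iv == nil for a fresh random 96-bit IV.
func EncryptDirA256GCM(key []byte, kid string, plaintext, iv []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if iv == nil { // a caller-supplied IV exists only so KeystreamLeak can show reuse
		iv = make([]byte, gcm.NonceSize())
		_, err = rand.Read(iv)
	}
	if err != nil || len(iv) != gcm.NonceSize() {
		return "", fmt.Errorf("IV must be %d fresh random bytes: %v", gcm.NonceSize(), err)
	}
	kidJSON, _ := json.Marshal(kid) // JSON-escape the kid; the rest of the header is fixed
	protected := b64.EncodeToString([]byte(`{"alg":"dir","kid":` + string(kidJSON) + `,"enc":"A256GCM"}`))
	// RFC 7516: the AAD is the ASCII base64url protected header, so editing the header
	// (say, swapping kid) breaks the tag. Seal returns ciphertext || tag.
	sealed := gcm.Seal(nil, iv, plaintext, []byte(protected))
	n := len(sealed) - gcm.Overhead()
	return strings.Join([]string{protected, "", b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:n]), b64.EncodeToString(sealed[n:])}, "."), nil
}

// DecryptDirA256GCM verifies the tag over header and ciphertext and returns kid and
// plaintext; a wrong key, a flipped byte or a foreign alg/enc all fail closed.
func DecryptDirA256GCM(key []byte, token string) (string, []byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", nil, err
	}
	p := strings.Split(token, ".")
	if len(p) != 5 || p[1] != "" {
		return "", nil, fmt.Errorf("not a dir JWE compact token")
	}
	var seg [5][]byte
	for i, s := range p {
		if seg[i], err = b64.DecodeString(s); err != nil {
			return "", nil, fmt.Errorf("segment %d: %w", i, err)
		}
	}
	var h map[string]string // never let the header choose the algorithm: pin alg and enc
	if err = json.Unmarshal(seg[0], &h); err != nil || h["alg"] != "dir" ||
		h["enc"] != "A256GCM" || len(seg[2]) != gcm.NonceSize() { // Open panics on a bad nonce size
		return "", nil, fmt.Errorf("malformed header or IV")
	}
	pt, err := gcm.Open(nil, seg[2], append(append([]byte{}, seg[3]...), seg[4]...), []byte(p[0]))
	if err != nil {
		return "", nil, fmt.Errorf("authentication failed")
	}
	return h["kid"], pt, nil
}

// KeystreamLeak encrypts two equal-length messages under the same key AND IV and
// returns ct1 XOR ct2 next to pt1 XOR pt2; GCM is AES-CTR underneath, so they match.
func KeystreamLeak(key, fixedIV, pt1, pt2 []byte) (ctXor, ptXor []byte, err error) {
	if len(pt1) != len(pt2) {
		return nil, nil, fmt.Errorf("demo needs equal-length messages")
	}
	var cts [2][]byte
	for i, pt := range [][]byte{pt1, pt2} {
		tok, e := EncryptDirA256GCM(key, "demo", pt, fixedIV)
		if e != nil {
			return nil, nil, e
		}
		cts[i], _ = b64.DecodeString(strings.Split(tok, ".")[3])
	}
	ctXor, ptXor = make([]byte, len(pt1)), make([]byte, len(pt1))
	for i := range pt1 {
		ctXor[i], ptXor[i] = cts[0][i]^cts[1][i], pt1[i]^pt2[i]
	}
	return ctXor, ptXor, nil
}

func main() { // prints a fresh token for a constructed 32-byte demo secret
	fmt.Println(EncryptDirA256GCM([]byte("0123456789abcdef0123456789abcdef"), "chen-key", []byte("hello"), nil))
}
```

Running it prints a token whose first segment decodes to `{"alg":"dir","kid":"chen-key","enc":"A256GCM"}`, the same header as the fixture in the test hunk, while the IV segment differs on every run. KeystreamLeak is the reason the docs need the IV sentence: with `123456789012` reused as the IV, ct1 XOR ct2 equals pt1 XOR pt2, so anyone holding two tokens learns the XOR of their payloads, and with the same key/IV pair repeated the GHASH key can be recovered and tags forged. DecryptDirA256GCM also refuses a token whose header has been rewritten, because the protected header is the AAD.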



##########
t/plugin/jwe-decrypt.t:
##########
@@ -407,8 +340,14 @@ Authorization: bearer 
invalid-eyJhbGciOiJkaXIiLCJraWQiOiJ1c2VyLWtleSIsImVuYyI6Ik
                 ngx.HTTP_DELETE)
             ngx.say("code: ", code < 300, " body: ", body)
 
-            code, body = 
t('/apisix/plugin/jwe/encrypt?key=chen-key&payload=hello',
-                ngx.HTTP_GET)
+            -- the remaining consumer can still be verified
+            local chen_token = 
"eyJhbGciOiJkaXIiLCJraWQiOiJjaGVuLWtleSIsImVuYyI6IkEyNTZHQ00ifQ"
+                .. "..MTIzNDU2Nzg5MDEy.ar0vE2I.AOndbhR7J1e2oM3N2c-KYQ"
+            code, body = t('/hello',
+                ngx.HTTP_GET,
+                nil,
+                nil,
+                { Authorization = chen_token })
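Review bot: `{ Authorization = chen_token }` sends the bare token, while this hunk's `@@` context line shows the file's existing requests using `Authorization: bearer ...`; if the plugin accepts both forms, say so in the `-- the remaining consumer can still be verified` comment, otherwise send the token in the same form as the neighbouring tests so the fixture exercises the documented header. The fixture would also be easier to maintain with a comment saying what it decodes to: the first segment is `{"alg":"dir","kid":"chen-key","enc":"A256GCM"}`, the empty second segment is the encrypted key that alg `dir` does not use, and `MTIzNDU2Nzg5MDEy` is the literal IV `123456789012`, acceptable for a fixed test vector but not a pattern to copy into the docs.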

Review Comment:
   This test adds a second consumer secret (`123...021`) but the `no_error_log` 
assertion only checks the first secret. To keep the "secrets must not appear in 
logs" coverage equivalent, include the second secret too.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
