shreemaan-abhishek opened a new pull request, #13468: URL: https://github.com/apache/apisix/pull/13468
### Description This PR contains two small hardening fixes in the auth plugins, each with tests. **1. `jwt-auth`: treat an empty `claims_to_verify` array as unset** `verify_claims()` falls back to the default claims (`exp`/`nbf`) when `claims_to_verify` is not configured. The guard used `if not claims then`, but an explicitly empty array (`"claims_to_verify": []`) is truthy in Lua, so it skipped the fallback and the validation loop iterated over nothing — meaning an expired token was accepted when `claims_to_verify` was set to `[]`. The schema allows an empty array (no `minItems`), so this configuration is reachable. The guard now treats an empty array the same as an unset value (`if not claims or #claims == 0 then`), restoring the default `exp`/`nbf` checks. Behaviour for tokens that legitimately omit `exp`/`nbf` is unchanged (they are validated only if present). **2. `key-auth`: strip credentials on anonymous-consumer fallback** When a request carried an invalid API key and key-auth fell back to the configured `anonymous_consumer`, the (invalid) credential was still forwarded upstream even with `hide_credentials` enabled: `find_consumer()` only strips credentials on the successful-auth path. The fix strips the credential before falling back to the anonymous consumer when `hide_credentials` is true. Since a request can carry the key in both the header and the query string, both are cleaned up. #### Which issue(s) this PR fixes: Fixes # ### Checklist - [x] I have explained the need for this PR and the problem it solves - [x] I have explained the changes or the new features added to this PR - [x] I have added tests corresponding to this change - [ ] I have updated the documentation to reflect this change - [x] I have verified that this change is backward compatible (If not, please discuss on the [APISIX mailing list](https://github.com/apache/apisix/tree/master#community) first) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
