shreemaan-abhishek opened a new pull request, #13468:
URL: https://github.com/apache/apisix/pull/13468

   ### Description
   
   This PR contains two small hardening fixes in the auth plugins, each with 
tests.
   
   **1. `jwt-auth`: treat an empty `claims_to_verify` array as unset**
   
   `verify_claims()` falls back to the default claims (`exp`/`nbf`) when 
`claims_to_verify` is not configured. The guard used `if not claims then`, but 
an explicitly empty array (`"claims_to_verify": []`) is truthy in Lua, so it 
skipped the fallback and the validation loop iterated over nothing — meaning an 
expired token was accepted when `claims_to_verify` was set to `[]`. The schema 
allows an empty array (no `minItems`), so this configuration is reachable.
   
   The guard now treats an empty array the same as an unset value (`if not 
claims or #claims == 0 then`), restoring the default `exp`/`nbf` checks. 
Behaviour for tokens that legitimately omit `exp`/`nbf` is unchanged (they are 
validated only if present).
   
   **2. `key-auth`: strip credentials on anonymous-consumer fallback**
   
   When a request carried an invalid API key and key-auth fell back to the 
configured `anonymous_consumer`, the (invalid) credential was still forwarded 
upstream even with `hide_credentials` enabled: `find_consumer()` only strips 
credentials on the successful-auth path. The fix strips the credential before 
falling back to the anonymous consumer when `hide_credentials` is true. Since a 
request can carry the key in both the header and the query string, both are 
cleaned up.
   
   #### Which issue(s) this PR fixes:
   Fixes #
   
   ### Checklist
   
   - [x] I have explained the need for this PR and the problem it solves
   - [x] I have explained the changes or the new features added to this PR
   - [x] I have added tests corresponding to this change
   - [ ] I have updated the documentation to reflect this change
   - [x] I have verified that this change is backward compatible (If not, 
please discuss on the [APISIX mailing 
list](https://github.com/apache/apisix/tree/master#community) first)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to