nic-6443 commented on code in PR #13468:
URL: https://github.com/apache/apisix/pull/13468#discussion_r3371457868
##########
apisix/plugins/key-auth.lua:
##########
@@ -108,6 +108,21 @@ function _M.rewrite(conf, ctx)
core.response.set_header("WWW-Authenticate", "apikey realm=\"" ..
conf.realm .. "\"")
return 401, { message = err}
end
+ -- Strip credentials before falling back to the anonymous consumer when
+ -- hide_credentials is enabled. find_consumer() only strips on the
+ -- successful-auth path, so without this an invalid credential would be
+ -- forwarded upstream during anonymous fallback. A request may carry
the
+ -- credential in both the header and the query string, so clean up
both.
+ if conf.hide_credentials then
+ if core.request.header(ctx, conf.header) then
+ core.request.set_header(ctx, conf.header, nil)
+ end
+ local args = core.request.get_uri_args(ctx) or {}
+ if args[conf.query] then
+ args[conf.query] = nil
+ core.request.set_uri_args(ctx, args)
+ end
+ end
Review Comment:
This code is completely duplicated from that inside `find_consumer`. It can
be moved to the end of this function to handle both cases in one place.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]