nic-6443 opened a new pull request, #13500:
URL: https://github.com/apache/apisix/pull/13500
### Description
The `authz-casdoor` plugin created the post-login session with the
lua-resty-session 3.x option `cookie = {lifetime = expires_in}`. Since the bump
to lua-resty-session 4.x (`#12862`), 4.x no longer recognizes that nested
`cookie.lifetime` key and silently ignores it, so the session is no longer
bound to the Casdoor access token's lifetime — it falls back to the library's
default and outlives the token.
A flat `absolute_timeout = expires_in` on the write alone does not fix it:
`_M.access()` reopens the session with the default config (it has no per-token
timeout to apply), and 4.x session cookies carry no `Max-Age`, so neither the
server nor the browser enforces the per-token expiry.
This binds the session to the token's expiry explicitly: the absolute expiry
timestamp is stored in the session at login, and a reused session is rejected
once that time has passed, re-initiating authentication.
### Tests
`t/plugin/authz-casdoor.t` gains a mock branch returning a short
`expires_in` and an integration test that drives the full login flow, confirms
the fresh session is accepted, then confirms it is rejected (redirect to
Casdoor) once `expires_in` elapses. The test fails before this change (the
session is still accepted after expiry) and passes after.
### Checklist
- [x] I have explained the need for this PR and the problem it solves
- [x] I have explained the changes or the new features added to this PR
- [x] I have added tests corresponding to this change
- [x] I have updated the documentation to reflect this change
- [x] I have verified that this change is backward compatible
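The login-time write and the reuse-time check described above, as an added Lua example that is not the PR's diff or the plugin's own source; the session object's `get`/`set`/`save` methods, the helper names and the in-memory stand-in are assumptions:

```lua
-- Assumed 4.x-style session object with get/set/save; helper names are assumed.
local now_fn = (ngx and ngx.time) or os.time
local _M = {}

-- After the token exchange: persist an absolute deadline instead of the
-- 3.x-only cookie.lifetime option, which lua-resty-session 4.x ignores.
function _M.bind_session_to_token(session, token_resp, now)
  local expires_in = tonumber(token_resp and token_resp.expires_in)
  if not expires_in or expires_in <= 0 then
    return nil, "token response has no usable expires_in"
  end
  session:set("access_token", token_resp.access_token)
  session:set("token_expires_at", (now or now_fn()) + expires_in)
  local ok, err = session:save()
  if not ok then
    return nil, "failed to save session: " .. tostring(err)
  end
  return true
end

-- On a request reusing a session: true means destroy it and restart login.
-- A session with no stored deadline (created before this check existed) is
-- also rejected since its real expiry is unknown; that is this example's
-- policy choice, not necessarily the PR's.
function _M.session_expired(session, now)
  local expires_at = tonumber(session:get("token_expires_at"))
  if not expires_at then
    return true
  end
  return (now or now_fn()) >= expires_at
end

-- In-memory stand-in (constructed for this example) with the 4.x-style
-- method surface, so the file runs under plain `lua` without OpenResty.
local function fake_session()
  local data = {}
  return {
    get = function(_, k) return data[k] end,
    set = function(_, k, v) data[k] = v end,
    save = function() return true end,
  }
end

local s = fake_session()
assert(_M.bind_session_to_token(s, { access_token = "tok", expires_in = 5 }, 1000))
assert(not _M.session_expired(s, 1004))          -- within expires_in
assert(_M.session_expired(s, 1005))              -- deadline reached
assert(_M.session_expired(fake_session(), 1000)) -- no deadline stored
```

The `now` parameter exists only so the deadline logic can be exercised with fixed timestamps; in the plugin it would be left nil so `ngx.time()` is used.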
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]