shreemaan-abhishek opened a new pull request, #13610:
URL: https://github.com/apache/apisix/pull/13610

   ### Description
   
   The `cas-auth` plugin protects routes and also captures the configured 
`cas_callback_uri` so it can handle the IdP's single-logout (SLO) `POST` 
callback.
   
   In `_M.access`, the SLO `POST` branch parses the SAML `SessionIndex`, 
optionally deletes the matching session, and then **falls through** the 
function. Because the branch has no terminating `return`, `_M.access` returns 
`nil`, which APISIX treats as "continue the phase chain", so the IdP's logout 
`POST` is proxied to the upstream unauthenticated.
   
   This patch ends the SLO branch with an explicit `return ngx.HTTP_OK` after 
the logout bookkeeping, so the callback `POST` is fully handled by the plugin 
and never reaches the upstream.
   
   ### Fixes
   
   - `apisix/plugins/cas-auth.lua`: terminate the SLO `POST` branch with `200`.
   - `t/plugin/cas-auth.t`: regression test sending a well-formed SLO `POST` to 
a route whose upstream is a closed port; it must return `200` from the plugin 
rather than a `502` from a fall-through proxy attempt.
   - `docs/en/latest/plugins/cas-auth.md`: document that SLO `POST` callbacks 
are handled by the plugin and not forwarded upstream.
   
   ### Checklist
   
   - [x] I have explained the need for this PR and the problem it solves
   - [x] I have explained the changes or the new features added to this PR
   - [x] I have added tests corresponding to this change
   - [x] I have updated the documentation to reflect this change
   - [x] I have verified that this change is backward compatible


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to