shreemaan-abhishek opened a new pull request, #13610: URL: https://github.com/apache/apisix/pull/13610
### Description The `cas-auth` plugin protects routes and also captures the configured `cas_callback_uri` so it can handle the IdP's single-logout (SLO) `POST` callback. In `_M.access`, the SLO `POST` branch parses the SAML `SessionIndex`, optionally deletes the matching session, and then **falls through** the function. Because the branch has no terminating `return`, `_M.access` returns `nil`, which APISIX treats as "continue the phase chain", so the IdP's logout `POST` is proxied to the upstream unauthenticated. This patch ends the SLO branch with an explicit `return ngx.HTTP_OK` after the logout bookkeeping, so the callback `POST` is fully handled by the plugin and never reaches the upstream. ### Fixes - `apisix/plugins/cas-auth.lua`: terminate the SLO `POST` branch with `200`. - `t/plugin/cas-auth.t`: regression test sending a well-formed SLO `POST` to a route whose upstream is a closed port; it must return `200` from the plugin rather than a `502` from a fall-through proxy attempt. - `docs/en/latest/plugins/cas-auth.md`: document that SLO `POST` callbacks are handled by the plugin and not forwarded upstream. ### Checklist - [x] I have explained the need for this PR and the problem it solves - [x] I have explained the changes or the new features added to this PR - [x] I have added tests corresponding to this change - [x] I have updated the documentation to reflect this change - [x] I have verified that this change is backward compatible -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
