This is an automated email from the ASF dual-hosted git repository.
shreemaan-abhishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 89f854988 fix(cas-auth): stop SLO callback POST from being proxied
upstream (#13610)
89f854988 is described below
commit 89f8549886df2d0375426f5a001a95dff55cf6e0
Author: Shreemaan Abhishek <[email protected]>
AuthorDate: Mon Jun 29 11:00:49 2026 +0800
fix(cas-auth): stop SLO callback POST from being proxied upstream (#13610)
---
apisix/plugins/cas-auth.lua | 2 ++
docs/en/latest/plugins/cas-auth.md | 2 ++
t/plugin/cas-auth.t | 71 ++++++++++++++++++++++++++++++++++++++
3 files changed, 75 insertions(+)
diff --git a/apisix/plugins/cas-auth.lua b/apisix/plugins/cas-auth.lua
index db7b7860e..08dfc0d72 100644
--- a/apisix/plugins/cas-auth.lua
+++ b/apisix/plugins/cas-auth.lua
@@ -395,6 +395,8 @@ function _M.access(conf, ctx)
local _, user = unpack_entry(entry)
core.log.info("cas-auth: SLO session deleted for user=", user or
"<unknown>")
end
+ -- SLO callback ends here; never proxy the IdP's logout POST upstream
+ return ngx.HTTP_OK
else
local opts = session_opts(conf)
local session_id = get_cookie(ctx, opts.cookie_name)
diff --git a/docs/en/latest/plugins/cas-auth.md
b/docs/en/latest/plugins/cas-auth.md
index 0078e5eab..3d64e226c 100644
--- a/docs/en/latest/plugins/cas-auth.md
+++ b/docs/en/latest/plugins/cas-auth.md
@@ -98,6 +98,8 @@ Once this is done, the user is redirected to the original URL
they wanted to vis
Later, the user could visit `logout_uri` to start logout process. The user
would be redirected to `idp_uri` to do logout.
+The IdP may also send a single logout (SLO) `POST` request to
`cas_callback_uri`. The Plugin handles such requests itself (invalidating the
matching session) and never forwards them to the upstream.
+
Note that, `cas_callback_uri` and `logout_uri` should be
either full qualified address (e.g. `http://127.0.0.1:9080/anything/logout`),
or path only (e.g. `/anything/logout`), but it is recommended to be path only
to keep consistent.
diff --git a/t/plugin/cas-auth.t b/t/plugin/cas-auth.t
index de895c463..8e65f7da5 100644
--- a/t/plugin/cas-auth.t
+++ b/t/plugin/cas-auth.t
@@ -878,3 +878,74 @@ passed
}
--- response_body
passed
+
+
+
+=== TEST 21: add route whose upstream is a closed port for the SLO
fall-through test
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+
+ local code, body = t('/apisix/admin/routes/cas-slo-noproxy',
+ ngx.HTTP_PUT,
+ [[{
+ "methods": ["GET", "POST"],
+ "host": "127.0.0.21",
+ "priority": 10,
+ "plugins": {
+ "cas-auth": {
+ "idp_uri":
"http://127.0.0.1:8080/realms/test/protocol/cas",
+ "cas_callback_uri": "/cas_callback",
+ "logout_uri": "/logout",
+ "cookie": {
+ "secret":
"0123456789abcdef0123456789abcdef",
+ "secure": false
+ }
+ }
+ },
+ "upstream": {
+ "nodes": {"127.0.0.1:1": 1},
+ "type": "roundrobin"
+ },
+ "uri": "/*"
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- response_body
+passed
+
+
+
+=== TEST 22: well-formed SLO POST stops at the plugin and is never proxied
upstream
+--- config
+ location /t {
+ content_by_lua_block {
+ local http = require "resty.http"
+ local httpc = http.new()
+ local base = "http://127.0.0.1:" .. ngx.var.server_port
+
+ -- A POST carrying a valid SessionIndex must be terminated by the
+ -- plugin (200), not fall through to the upstream. The upstream is
a
+ -- closed port, so any fall-through would surface as a 502.
+ local res, err = httpc:request_uri(base .. "/cas_callback", {
+ method = "POST",
+ headers = { ["Host"] = "127.0.0.21" },
+ body =
"<samlp:SessionIndex>ST-no-such-session</samlp:SessionIndex>",
+ })
+ assert(res, "request failed: " .. tostring(err))
+ assert(res.status == 200,
+ "expected 200 from plugin, got " .. res.status ..
+ " (non-200 means the SLO POST was proxied upstream)")
+
+ ngx.say("passed")
+ }
+ }
+--- response_body
+passed