shreemaan-abhishek opened a new pull request, #13667: URL: https://github.com/apache/apisix/pull/13667
### Description When a consumer authentication credential is configured with a secret reference (`$ENV://...` or `$secret://...`) and that reference fails to resolve (env var unset, or the secret object is missing), `secret.lua`'s `retrieve_refs` preserves the literal reference string (`refs[k] = fetch(v) or v`). `consumer.lua`'s `create_consume_cache` then indexes the consumer under that literal string, so a client that sends the literal reference string as its credential authenticates successfully (fail-open). Reproduced with `key-auth`: a consumer with `key-auth.key = "$env://MISSING"` (env unset) authenticates a request sending `apikey: $env://MISSING`. The same fail-open shape affects `basic-auth`, `hmac-auth`, and `jwt-auth` HS* secrets, since all route through `create_consume_cache`. ### Fix Fail closed in `create_consume_cache`: skip indexing a consumer whose auth credential is unset or still an unresolved secret reference (`secret.has_secret_ref(auth_conf)`). Using `has_secret_ref` over the whole `auth_conf` (not just the lookup key) also covers plugins whose secret is not the lookup field (e.g. `basic-auth` password, `jwt-auth` HS secret). Also removes a latent nil-index case. ### Test Added a `key-auth` regression case: a consumer whose key is an unresolved env ref, then a request sending the literal ref is rejected `401`. Verified it fails on the old code (returns `200`) and passes with the fix. ### Checklist - [x] I have explained the need for this PR and the problem it solves - [x] I have explained the changes or the new features added to this PR - [x] I have added tests corresponding to this change - [x] I have updated the documentation to reflect this change (no user-facing config/API change; behavior-only hardening) - [x] I have verified that this change is backward compatible -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
