AlinsRan commented on code in PR #13529:
URL: https://github.com/apache/apisix/pull/13529#discussion_r3540531739


##########
apisix/consumer.lua:
##########
@@ -279,6 +280,113 @@ function _M.find_consumer(plugin_name, key, key_value)
 end
 
 
+-- The auth plugins below match the consumer by a unique key attribute, which 
is
+-- the attribute that find_consumer() is called with at runtime. Duplicating 
such
+-- keys across consumers/credentials makes the runtime matching ambiguous: the
+-- last loaded consumer silently wins.
+local plugin_unique_key_attrs = {
+    ["key-auth"]   = "key",
+    ["basic-auth"] = "username",
+    ["jwt-auth"]   = "key",
+    ["hmac-auth"]  = "key_id",

Review Comment:
   `ldap-auth` also matches consumers by a unique key but is missing here. It 
builds the same last-loaded-wins map via `consumers_kv(plugin_name, 
consumer_conf, "user_dn")` (ldap-auth.lua:157), and its `user_dn` is a required 
consumer_schema field, so two consumers with the same `user_dn` still slip 
through this check — the exact ambiguity this PR is closing. Worth adding 
`["ldap-auth"] = "user_dn"`.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to