This is an automated email from the ASF dual-hosted git repository.

shreemaan-abhishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new 9962bee2b fix: reject consumer auth when secret reference fails to 
resolve (#13667)
9962bee2b is described below

commit 9962bee2b598e7ab4ea77f631bc23f0474af86a7
Author: Shreemaan Abhishek <[email protected]>
AuthorDate: Wed Jul 8 19:33:53 2026 +0800

    fix: reject consumer auth when secret reference fails to resolve (#13667)
---
 apisix/consumer.lua | 15 ++++++++++++++-
 t/plugin/key-auth.t | 43 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+), 1 deletion(-)

diff --git a/apisix/consumer.lua b/apisix/consumer.lua
index cd60a0209..9e3c2495c 100644
--- a/apisix/consumer.lua
+++ b/apisix/consumer.lua
@@ -249,7 +249,20 @@ function create_consume_cache(consumers_conf, key_attr)
     for _, consumer in ipairs(consumers_conf.nodes) do
         local new_consumer = consumer_lrucache(consumer, nil,
                                 fill_consumer_secret, consumer)
-        consumer_names[new_consumer.auth_conf[key_attr]] = new_consumer
+        local key_value = new_consumer.auth_conf[key_attr]
+        -- fail closed: skip if the credential is unset or an unresolved 
secret ref,
+        -- else a client could auth with the literal $ENV://... reference 
string
+        if key_value == nil then
+            core.log.error("missing consumer auth credential '", key_attr,
+                           "', skipping consumer: ", 
new_consumer.consumer_name)
+
+        elseif secret.has_secret_ref(new_consumer.auth_conf) then
+            core.log.error("failed to resolve secret reference in consumer 
auth ",
+                           "credential, skipping consumer: ", 
new_consumer.consumer_name)
+
+        else
+            consumer_names[key_value] = new_consumer
+        end
     end
 
     return consumer_names
diff --git a/t/plugin/key-auth.t b/t/plugin/key-auth.t
index fa5b6e438..c88e6b9a3 100644
--- a/t/plugin/key-auth.t
+++ b/t/plugin/key-auth.t
@@ -737,3 +737,46 @@ passed
 GET /hello?auth=authtwo
 --- response_args
 auth: authtwo
+
+
+
+=== TEST 33: consumer key uses an env ref that fails to resolve
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/consumers',
+                ngx.HTTP_PUT,
+                [[{
+                    "username": "jack",
+                    "plugins": {
+                        "key-auth": {
+                            "key": "$env://KEYAUTH_UNRESOLVED_SECRET"
+                        }
+                    }
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- request
+GET /t
+--- response_body
+passed
+
+
+
+=== TEST 34: fail closed, literal ref is not accepted as a credential
+--- request
+GET /hello
+--- more_headers
+apikey: $env://KEYAUTH_UNRESOLVED_SECRET
+--- error_code: 401
+--- response_body
+{"message":"Invalid API key in request"}
+--- error_log
+invalid api key

Reply via email to