starsz commented on code in PR #8206:
URL: https://github.com/apache/apisix/pull/8206#discussion_r1009044699
##########
apisix/plugins/jwt-auth.lua:
##########
@@ -357,8 +361,31 @@ local function algorithm_handler(consumer, method_only)
end
end
+local function set_our_cookie(name, val)
+ core.response.add_header("Set-Cookie", name .. "=" .. val)
+end
+
function _M.rewrite(conf, ctx)
+ local from_header = true
+ local header_key = core.request.header(ctx, conf.header)
+
+ local from_query = true
+
+ if not header_key then
+ from_header = false
+ local uri_args = core.request.get_uri_args(ctx) or {}
+ header_key = uri_args[conf.query]
+ if not header_key then
+ from_query = false
+ local cookie = ctx.var["cookie_" .. conf.cookie]
+ if not cookie then
+ core.log.info("failed to fetch JWT token")
+ return 401, {message = "Missing JWT token in request"}
+ end
+ end
+ end
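Review bot: `from_query` is initialised to `true` before anything is known, so when the token is found in `conf.header` both `from_header` and `from_query` stay `true`, and only the `if from_header ... elseif from_query` ordering in the later hide_credentials branch keeps the right credential from being stripped. Initialise it as `local from_query = false` and set `from_query = true` only in the branch where `uri_args[conf.query]` is found, so each flag means what its name says and a future reorder cannot leave the token forwarded upstream. If `core.request.get_uri_args` wraps `ngx.req.get_uri_args`, `header_key` can also be a table when the query parameter is repeated, which a `type(header_key) ~= "string"` guard before use would reject. `_M.rewrite` continues outside the hunk.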
Review Comment:
I think you can put this logic under the `fetch_jwt_token` function.
##########
apisix/plugins/jwt-auth.lua:
##########
@@ -407,6 +434,25 @@ function _M.rewrite(conf, ctx)
return 401, {message = "failed to verify jwt"}
end
+ -- check for hiding `Authorization` request header if `hide_credentials`
is `true`
+ if conf.hide_credentials then
+ -- hide sensitive field
+ if from_header then
+ -- hide for header
+ core.request.set_header(ctx, conf.header, nil)
+
+ elseif from_query then
+ -- hide for query
+ local args = core.request.get_uri_args(ctx)
+ args[conf.query] = nil
+ core.request.set_uri_args(ctx, args)
+
+ else
+ -- hide for cookie
+ set_our_cookie(conf.cookie, "deleted; Max-Age=0")
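Review bot: In the cookie branch the forwarded `Cookie` request header is left untouched, so with `hide_credentials` enabled the JWT still reaches the upstream; the added `Set-Cookie` only instructs the client to discard its cookie on later requests, which does not meet the option's purpose. The header and query branches rewrite the request, so the cookie branch should do the same: remove the `conf.cookie` entry from `ctx.var.http_cookie` and set the filtered value with `core.request.set_header(ctx, "Cookie", ...)`. Splitting on `;` avoids treating `conf.cookie` as a Lua pattern. The enclosing `if conf.hide_credentials` block and `_M.rewrite` continue outside the hunk.
```lua
        else
            -- hide for cookie: drop the JWT cookie from the forwarded Cookie header
            local raw_cookie = ctx.var.http_cookie
            if raw_cookie then
                local kept = {}
                for pair in raw_cookie:gmatch("[^;]+") do
                    local name = pair:match("^%s*([^=%s]+)")
                    if name ~= conf.cookie then
                        kept[#kept + 1] = pair:match("^%s*(.-)%s*$")
                    end
                end
                core.request.set_header(ctx, "Cookie", table.concat(kept, "; "))
            end
```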
Review Comment:
I think it's not a good way to hide the cookie.