kayx23 commented on code in PR #12405: URL: https://github.com/apache/apisix/pull/12405#discussion_r2191502434
########## docs/en/latest/plugins/forward-auth.md: ########## @@ -166,6 +167,122 @@ HTTP/1.1 403 Forbidden Location: http://example.com/auth ``` +### Using data from POST body to make decision on Authorization service + +::: note +When the decision is to be made on the basis of POST body, then it is recommended to use `$post_arg.xyz` with `extra_headers` field and make the decision on Authorization service on basis of headers rather than using POST `request_method` to pass the entire request body to Authorization service. +::: + +Setup Auth service to extract `tenant_id` from header. + +```shell +curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/auth' \ + -H "X-API-KEY: $admin_key" \ + -H 'Content-Type: application/json' \ + -d '{ + "uri": "/auth", + "plugins": { + "serverless-pre-function": { + "phase": "rewrite", + "functions": [ + "return function(conf, ctx) + local core = require(\"apisix.core\") + if core.request.header(ctx, \"tenant_id\") then + core.response.set_header(\"X-User-ID\", \"i-am-an-user\"); + core.response.exit(200); + else + core.response.exit(400, \"tenant_id is required\") + end + end" + ] + } + } +}' +``` + +Setup route to extract `tenant_id` from body and pass in the header. + +```shell +curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/1' \ + -H "X-API-KEY: $admin_key" \ + -d '{ + "uri": "/post", + "methods": ["POST"], + "plugins": { + "forward-auth": { + "uri": "http://127.0.0.1:9080/auth";, + "request_method": "GET", + "extra_headers": {"tenant_id": "$post_arg.tenant_id"} + } + }, + "upstream": { + "nodes": { + "httpbin.org:80": 1 + }, + "type": "roundrobin" + } +}' +``` + +Now if we send the request: + +```shell +curl -i http://127.0.0.1:9080/post -X POST -d '{ + "tenant_id": 123 +}' +``` + +```shell +HTTP/1.1 200 OK +Content-Type: application/json +Content-Length: 491 +Connection: keep-alive +Date: Mon, 07 Jul 2025 06:50:39 GMT +Access-Control-Allow-Origin: * +Access-Control-Allow-Credentials: true +Server: APISIX/3.13.0 Review Comment: Here I mean remove the response headers entirely... any use to keep them? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
