Re: [PR] feat(jwt-auth): when algorithm is not `RS256` or `ES256`, require the user to fill in `secret` [apisix]

via GitHub Thu, 11 Sep 2025 20:20:29 -0700


nic-6443 commented on code in PR #12611:
URL: https://github.com/apache/apisix/pull/12611#discussion_r2342843574



##########
apisix/plugins/jwt-auth.lua:
##########
@@ -145,7 +143,8 @@ function _M.check_schema(conf, schema_type)
     end
 
     if conf.algorithm ~= "RS256" and conf.algorithm ~= "ES256" and not 
conf.secret then
-        conf.secret = ngx_encode_base64(resty_random.bytes(32, true))
+        err = "property \"secret\" is required when \"algorithm\" is not 
\"RS256\" or \"ES256\""

Review Comment:
   for this plugin, we already use json schema to define relationship between 
`algorithm` and `public_key` field, I think better use same way for `secret` 
too:
   
https://github.com/apache/apisix/blob/69564959d99e42ec2095eab2c35b3c73bc31b259/apisix/plugins/jwt-auth.lua#L95-L117



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Re: [PR] feat(jwt-auth): when algorithm is not `RS256` or `ES256`, require the user to fill in `secret` [apisix]

Reply via email to