shreemaan-abhishek opened a new pull request, #13331: URL: https://github.com/apache/apisix/pull/13331
### Description

This change updates the `cas-auth` plugin so that the `CAS_REQUEST_URI` cookie — which the plugin uses to remember where the user was headed before being bounced to the CAS IdP — is signed with HMAC-SHA256 and verified on the IdP callback using a constant-time comparison. After successful CAS ticket validation, the recovered redirect target is also validated as a same-origin path before being applied; if the cookie is missing, malformed, fails signature verification, or carries something that is not a relative path, the plugin falls back to `/` instead of using the cookie value verbatim.

Cookie attributes are tightened: `Secure; SameSite=Lax` are added to the existing `Path=/; HttpOnly`.

A new required `cookie_secret` field (minLength 32) is added to the plugin schema. The same value must be configured on every APISIX node in the deployment so that signed cookies issued by one node remain verifiable on another.

The `t/lib/keycloak_cas.lua` test helper is updated so existing integration tests continue to pass.

#### Which issue(s) this PR fixes:

N/A

### Checklist

- [x] I have explained the need for this PR and the problem it solves
- [x] I have explained the changes or the new features added to this PR
- [x] I have added tests corresponding to this change
- [x] I have updated the documentation to reflect this change
- [ ] I have verified that this change is backward compatible (If not, please discuss on the [APISIX mailing list](https://github.com/apache/apisix/tree/master#community) first)
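The signed-cookie scheme the description outlines, as an added Python sketch that is not the plugin's Lua code (the cookie layout `<base64url(uri)>.<hmac-hex>` and all helper names are assumptions): sign the request URI with HMAC-SHA256 before the IdP redirect, verify it in constant time on the callback, validate the recovered target as a same-origin path, and fall back to `/` on any failure.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

COOKIE_NAME = "CAS_REQUEST_URI"
MIN_SECRET_LEN = 32  # mirrors the schema's minLength for cookie_secret


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(secret: str, payload: str) -> str:
    if len(secret) < MIN_SECRET_LEN:
        raise ValueError("cookie_secret must be at least 32 characters")
    return hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()


def sign_request_uri(request_uri: str, secret: str) -> str:
    # Value issued before the IdP redirect (assumed layout: <b64(uri)>.<hmac-hex>).
    payload = _b64(request_uri.encode())
    return f"{payload}.{_mac(secret, payload)}"


def set_cookie_header(value: str) -> str:
    # Hardened attributes from the PR: Secure and SameSite=Lax join Path=/; HttpOnly.
    return f"{COOKIE_NAME}={value}; Path=/; HttpOnly; Secure; SameSite=Lax"


def is_same_origin_path(target: str) -> bool:
    # Only a relative path on this origin: no absolute URLs, no protocol-relative
    # //host targets, no backslash variants, no CR/LF that could reach a header.
    if not target.startswith("/") or target.startswith("//"):
        return False
    if "\\" in target or "\r" in target or "\n" in target:
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def recover_request_uri(cookie_value, secret: str, fallback: str = "/") -> str:
    # IdP callback: constant-time MAC check first, then target validation.
    # Missing, malformed, bad MAC or off-origin target all yield the fallback.
    if not cookie_value or "." not in cookie_value:
        return fallback
    payload, _, presented_mac = cookie_value.rpartition(".")
    if not hmac.compare_digest(_mac(secret, payload), presented_mac):
        return fallback
    try:
        target = _unb64(payload).decode()
    except (ValueError, UnicodeDecodeError):
        return fallback
    return target if is_same_origin_path(target) else fallback
```

A node configured with a different `cookie_secret` fails the MAC check and lands on `/`, which is why the description requires the same value on every node.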
