This is an automated email from the ASF dual-hosted git repository.
shreemaan-abhishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 03a43df48 fix(admin): require admin key for schema validate endpoint
(#13328)
03a43df48 is described below
commit 03a43df484189a88a9fc89f3f095c16c63c53e33
Author: Shreemaan Abhishek <[email protected]>
AuthorDate: Thu May 7 10:50:19 2026 +0800
fix(admin): require admin key for schema validate endpoint (#13328)
The /apisix/admin/schema/validate/* handler did not call
set_ctx_and_check_token() like every other Admin API handler, so the
endpoint accepted unauthenticated requests even when admin_key_required
was enabled.
Add the auth check at the top of schema_validate() and cover the three
auth states (no key, wrong key, correct key) in t/admin/token.t.
Reported by Kacper.
---
apisix/admin/init.lua | 2 ++
t/admin/token.t | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 91 insertions(+)
diff --git a/apisix/admin/init.lua b/apisix/admin/init.lua
index a040420f6..c3f543e62 100644
--- a/apisix/admin/init.lua
+++ b/apisix/admin/init.lua
@@ -384,6 +384,8 @@ end
local function schema_validate()
+ set_ctx_and_check_token()
+
local uri_segs = core.utils.split_uri(ngx.var.uri)
core.log.info("uri: ", core.json.delay_encode(uri_segs))
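Review bot: The return value of `set_ctx_and_check_token()` is discarded at the top of `schema_validate()`, so the fix only holds if that helper ends the request itself when the check fails. Its definition is outside the hunk, though the 401 tests added in t/admin/token.t suggest it does. A comment above the call would make that contract explicit, e.g. `-- must run before any request parsing; ends the request with 401 on a missing or invalid admin key`. More broadly, authentication stays opt-in per handler, which is how this endpoint was missed; enforcing the check once where Admin API routes are dispatched would make new handlers authenticated by default. The body of `schema_validate()` continues past the hunk.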
diff --git a/t/admin/token.t b/t/admin/token.t
index 1ab9942ae..230462452 100644
--- a/t/admin/token.t
+++ b/t/admin/token.t
@@ -177,3 +177,92 @@ PUT
/apisix/admin/plugins/reload?api_key=4054f7cf07e344346cd3f287985e76a2
--- request
GET /apisix/admin/routes??api_key=4054f7cf07e344346cd3f287985e76a2
--- error_code: 401
+
+
+
+=== TEST 10: schema validate without token
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").req_self_with_http
+ local res, err = t('/apisix/admin/schema/validate/routes',
+ "POST",
+ [[{
+ "uri": "/httpbin/*",
+ "upstream": {
+ "scheme": "https",
+ "type": "roundrobin",
+ "nodes": {
+ "nghttp2.org": 1
+ }
+ }
+ }]]
+ )
+
+ ngx.status = res.status
+ ngx.print(res.body)
+ }
+ }
+--- request
+GET /t
+--- error_code: 401
+
+
+
+=== TEST 11: schema validate with wrong token
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").req_self_with_http
+ local res, err = t('/apisix/admin/schema/validate/routes',
+ "POST",
+ [[{
+ "uri": "/httpbin/*",
+ "upstream": {
+ "scheme": "https",
+ "type": "roundrobin",
+ "nodes": {
+ "nghttp2.org": 1
+ }
+ }
+ }]],
+ {apikey = "wrong_key"}
+ )
+
+ ngx.status = res.status
+ ngx.print(res.body)
+ }
+ }
+--- request
+GET /t
+--- error_code: 401
+
+
+
+=== TEST 12: schema validate with correct token
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").req_self_with_http
+ local res, err = t('/apisix/admin/schema/validate/routes',
+ "POST",
+ [[{
+ "uri": "/httpbin/*",
+ "upstream": {
+ "scheme": "https",
+ "type": "roundrobin",
+ "nodes": {
+ "nghttp2.org": 1
+ }
+ }
+ }]],
+ {x_api_key = "edd1c9f034335f136f87ad84b625c8f1"}
+ )
+
+ ngx.status = res.status
+ ngx.print(res.body)
+ }
+ }
+--- request
+GET /t
+--- error_code: 200
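Review bot: TEST 11 passes the wrong key as `{apikey = "wrong_key"}`, while TEST 12 passes the valid key as `{x_api_key = ...}`, and how `req_self_with_http` maps those two fields to request headers is not visible here. If `apikey` does not end up in the header the Admin API reads, TEST 11 exercises the same missing-key path as TEST 10 and the wrong-key branch is untested. Using `{x_api_key = "wrong_key"}` would send both cases through the same header. All three tests also ignore `err`, so a failed request surfaces as a nil index on `res.status` rather than a clear failure; `if not res then ngx.say(err) return end` before the status assignment would fix that. The two negative tests assert only the status code, so adding a `--- response_body` or `--- response_body_like` check would confirm that no validation output leaks alongside the 401.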