shreemaan-abhishek commented on code in PR #13331:
URL: https://github.com/apache/apisix/pull/13331#discussion_r3256279310
##########
apisix/plugins/cas-auth.lua:
##########
@@ -35,23 +38,54 @@ local schema = {
idp_uri = {type = "string"},
cas_callback_uri = {type = "string"},
logout_uri = {type = "string"},
+ cookie = {
+ type = "object",
+ properties = {
+ secret = {type = "string", minLength = 32},
+ secure = {type = "boolean", default = true},
+ samesite = {type = "string", enum = {"Lax", "None"}, default =
"Lax"},
+ },
+ required = {"secret"},
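Review bot: the `cookie` schema accepts `secure = false` together with `samesite = "None"`, a combination browsers reject (a SameSite=None cookie must also carry the Secure attribute), so such a config passes validation and then fails at login time instead of at load time. Consider rejecting it in the schema or in the plugin's config check, e.g. treat `samesite = "None"` as requiring `secure = true`. A short comment next to the `samesite` enum would also help, stating why `"Strict"` is deliberately omitted: the IdP callback arrives as a cross-site top-level navigation, on which a Lax cookie is sent but a Strict one is not.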
Review Comment:
It doesn't avoid the breaking change in practice 🤔. In a multi-node deployment
scenario, the cookie would be set on the pre-redirect request but verified on
the IdP callback, which can land on a different node. If each node generates
its own secret, verification fails across nodes and on every reload, so CAS
login silently breaks instead of the config being loudly rejected.
Also, how can we persist such an autogenerated cookie?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
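The cross-node and reload failures described in the review comment above, as an added Python model; this is illustration code, not APISIX code and not from the PR. It assumes a simple signed-cookie format `<session id>.<HMAC-SHA256 tag>` (an assumption about the cookie layout, which the hunk does not show) and models each gateway node as an object holding the secret it signs with. The `validate_cookie_config` helper is likewise hypothetical and only mirrors the hunk's `required = {"secret"}` and `minLength = 32` to show what "loud rejection" at config load looks like.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class GatewayNode:
    """One gateway instance and the key it signs session cookies with.

    Hypothetical model for illustration, not the plugin's own cookie code.
    """

    def __init__(self, name: str, cookie_secret: bytes) -> None:
        self.name = name
        self.cookie_secret = cookie_secret

    def _tag(self, value: str) -> str:
        return hmac.new(self.cookie_secret, value.encode(), hashlib.sha256).hexdigest()

    def issue_session_cookie(self, session_id: str) -> str:
        """Set on the pre-redirect request: '<session_id>.<hmac tag>' (assumed format)."""
        return f"{session_id}.{self._tag(session_id)}"

    def verify_session_cookie(self, cookie: str) -> Optional[str]:
        """Checked on the IdP callback; returns the session id, or None on failure."""
        value, sep, tag = cookie.rpartition(".")
        if not sep:
            return None
        if not hmac.compare_digest(self._tag(value), tag):  # constant-time compare
            return None
        return value


def cas_login_round_trip(pre_redirect_node: GatewayNode, callback_node: GatewayNode) -> bool:
    """Pre-redirect request lands on one node, the IdP callback on another."""
    cookie = pre_redirect_node.issue_session_cookie("sess-" + secrets.token_hex(8))
    return callback_node.verify_session_cookie(cookie) is not None


def per_node_autogenerated_secrets() -> bool:
    """Each node generates its own secret at startup: the callback cannot verify."""
    node_a = GatewayNode("node-a", secrets.token_bytes(32))
    node_b = GatewayNode("node-b", secrets.token_bytes(32))
    return cas_login_round_trip(node_a, node_b)


def shared_configured_secret() -> bool:
    """One operator-supplied secret on every node: the callback verifies."""
    shared = secrets.token_bytes(32)
    return cas_login_round_trip(GatewayNode("node-a", shared), GatewayNode("node-b", shared))


def secret_regenerated_on_reload() -> bool:
    """Single node whose autogenerated secret changes on reload: in-flight login breaks."""
    node = GatewayNode("node-a", secrets.token_bytes(32))
    cookie = node.issue_session_cookie("sess-reload")
    node.cookie_secret = secrets.token_bytes(32)  # simulated reload with a fresh secret
    return node.verify_session_cookie(cookie) is None


def tampered_cookie_rejected() -> bool:
    """Sanity check that the tag actually binds the value, even with the right key."""
    node = GatewayNode("node-a", secrets.token_bytes(32))
    cookie = node.issue_session_cookie("sess-victim")
    forged = "sess-attacker." + cookie.split(".", 1)[1]
    return node.verify_session_cookie(forged) is None


def validate_cookie_config(cookie_conf: dict) -> bytes:
    """The loud alternative: refuse to load a config without an explicit secret.

    Hypothetical helper mirroring the hunk's required 'secret' with minLength 32;
    failing here surfaces at config load rather than at a user's login.
    """
    secret = cookie_conf.get("secret")
    if not isinstance(secret, str) or len(secret) < 32:
        raise ValueError("cookie.secret must be a string of at least 32 characters")
    return secret.encode()


if __name__ == "__main__":
    print("per-node secrets, login succeeds:", per_node_autogenerated_secrets())
    print("shared secret, login succeeds:   ", shared_configured_secret())
    print("reload breaks in-flight login:   ", secret_regenerated_on_reload())
```

Run stand-alone, the first line prints `False` and the other two `True`: with per-node secrets the callback node computes a different tag and rejects a perfectly honest cookie, which is the silent failure the comment warns about, whereas a shared secret makes the round trip work regardless of which node handles which leg.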