shreemaan-abhishek opened a new pull request, #13404: URL: https://github.com/apache/apisix/pull/13404
### Description

`jwe-decrypt`'s `jwe_decrypt_with_obj()` returned only the decrypted text, so the error from the AES-256-GCM decryption was always discarded. `rewrite()` therefore never reached the `failed to decrypt JWE token` branch, and a well-formed JWE whose ciphertext could not actually be decrypted was treated as a success and forwarded upstream.

This PR propagates the decryption error and returns `400` when decryption does not produce a plaintext, so only tokens that genuinely decrypt are accepted. A test case was added to `t/plugin/jwe-decrypt.t` covering a well-formed token whose ciphertext fails to decrypt.

This is backward compatible: tokens that decrypt successfully are unaffected; only tokens that never decrypted, which previously slipped through, are now correctly rejected.

#### Which issue(s) this PR fixes:

### Checklist

- [x] I have explained the need for this PR and the problem it solves
- [x] I have explained the changes or the new features added to this PR
- [x] I have added tests corresponding to this change
- [ ] I have updated the documentation to reflect this change
- [x] I have verified that this change is backward compatible (If not, please discuss on the [APISIX mailing list](https://github.com/apache/apisix/tree/master#community) first)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
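The defect described above is a general one: an AEAD decrypt call returns both a plaintext and an authentication error, and a wrapper that keeps only the first value leaves its caller with no way to distinguish a genuine decryption from a tag mismatch. The following is an added illustration, not code from APISIX or from this PR; it uses Go's standard-library AES-256-GCM rather than the plugin's Lua so that it runs stand-alone. The functions `decryptLossy`, `handleBuggy`, `handleFixed` and `tamper`, and the 32-byte `demoKey`, are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"net/http"
)

// demoKey is a constructed 32-byte AES-256 key for this example only.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptGCM seals plaintext and returns nonce || ciphertext || tag.
func encryptGCM(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptGCM returns the plaintext AND the AEAD error, so a tag mismatch
// (wrong key, tampered ciphertext) is visible to the caller.
func decryptGCM(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("token too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// decryptLossy mirrors the bug in the PR description: the wrapper keeps only
// the plaintext and discards the error, so its caller can never tell a failed
// decryption from a successful one.
func decryptLossy(key, blob []byte) []byte {
	pt, _ := decryptGCM(key, blob)
	return pt
}

// handleBuggy models the old flow: with no error to inspect, the
// "failed to decrypt" branch is unreachable and every well-formed token is
// forwarded, even one whose ciphertext never decrypted.
func handleBuggy(key, token []byte) (int, string) {
	plaintext := decryptLossy(key, token)
	return http.StatusOK, string(plaintext) // forwarded upstream regardless
}

// handleFixed models the fix: the error is propagated and the request is
// rejected with 400 unless decryption actually produced a plaintext.
func handleFixed(key, token []byte) (int, string) {
	plaintext, err := decryptGCM(key, token)
	if err != nil || plaintext == nil {
		return http.StatusBadRequest, "failed to decrypt JWE token"
	}
	return http.StatusOK, string(plaintext)
}

// tamper returns a copy of blob with its last byte (part of the GCM tag)
// flipped: a token that is well-formed in shape but can no longer decrypt.
func tamper(blob []byte) []byte {
	out := append([]byte(nil), blob...)
	out[len(out)-1] ^= 0x01
	return out
}

func main() {
	token, err := encryptGCM(demoKey, []byte(`{"sub":"alice"}`))
	if err != nil {
		panic(err)
	}
	bad := tamper(token)
	fmt.Println(handleBuggy(demoKey, bad))   // 200 with an empty body: the error was swallowed
	fmt.Println(handleFixed(demoKey, bad))   // 400 failed to decrypt JWE token
	fmt.Println(handleFixed(demoKey, token)) // 200 {"sub":"alice"}
}
```

The contrast between `handleBuggy` and `handleFixed` is the whole point of the PR: the AEAD primitive already detects the tampered or undecryptable token, and the only thing that decides whether the request is rejected is whether the wrapper hands that error on to the caller.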
