shreemaan-abhishek opened a new pull request, #13427:
URL: https://github.com/apache/apisix/pull/13427
### Description
The `cas-auth` plugin's `/cas_callback` handler previously wrote a session
and then attempted to read the HMAC-signed `CAS_REQUEST_URI` cookie to decide
where to redirect. If that cookie was missing or its signature did not verify,
the handler fell back to redirecting to `/`, but the session was still created.
This PR reorders `validate_with_cas` so that the HMAC verification of the
`CAS_REQUEST_URI` cookie runs first, and the session is only written if the
request carries a valid initiation cookie. A request that reaches the callback
without going through `first_access` now returns 401 with `{"message":"invalid callback state"}` and writes no session cookie.
Behaviour change: operators or clients hitting the callback URI directly
(without first being redirected through `first_access`, which is what sets the
signed `CAS_REQUEST_URI` cookie) will now receive a 401 response instead of
being redirected to `/` with a freshly written session. Normal end-to-end CAS
flows are unaffected because `first_access` sets the initiation cookie before
redirecting to the IdP.
This builds on the HMAC cookie machinery (`sign_value` / `verify_value`,
`is_safe_redirect`, `cookie.secret` schema field, `SameSite=Lax`) introduced in
#13331. No new helpers, no schema changes, no documentation changes.
#### Which issue(s) this PR fixes:
Fixes #
### Checklist
- [x] I have explained the need for this PR and the problem it solves
- [x] I have explained the changes or the new features added to this PR
- [x] I have added tests corresponding to this change
- [ ] I have updated the documentation to reflect this change
- [ ] I have verified that this change is backward compatible (If not, please discuss on the [APISIX mailing list](https://github.com/apache/apisix/tree/master#community) first)
Notes:
- Tests: added regression cases TEST 14 (route setup), TEST 15 (callback
with no initiation cookie returns 401 and sets no `CAS_SESSION` cookie) and
TEST 16 (callback with an invalid `CAS_REQUEST_URI` cookie returns 401 and sets
no `CAS_SESSION` cookie) in `t/plugin/cas-auth.t`.
- Documentation: no documentation changes are needed; the configured
behaviour (initiation via `first_access`, then callback) is unchanged for
normal flows.
- Backward compatibility: any client that was relying on calling
`/cas_callback?ticket=...` directly, without going through `first_access`, will
now receive 401. This is the intended fix.
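The ordering problem this PR describes, as an added Python sketch that is not the plugin's Lua code nor any APISIX API: the old handler writes a session before consulting the initiation cookie and falls back to `/`, while the fixed handler verifies the HMAC-signed `CAS_REQUEST_URI` cookie first and answers 401 with no session when it is missing or tampered. The secret, the `value.hexmac` cookie layout and the `ticket_ok` stand-in for CAS ticket validation are assumptions made for this example.

```python
import hmac
import hashlib
import secrets

# Constructed secret for the example; the plugin takes it from config.
COOKIE_SECRET = b"example-secret-do-not-reuse"


def sign_value(value, secret=COOKIE_SECRET):
    """Return 'value.hexmac': the cookie carries its own HMAC-SHA256 tag."""
    tag = hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_value(cookie, secret=COOKIE_SECRET):
    """Return the signed value if the tag verifies, otherwise None."""
    if not cookie or "." not in cookie:
        return None
    value, _, tag = cookie.rpartition(".")
    expected = hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None


def is_safe_redirect(uri):
    """Accept only same-origin absolute paths (rejects '//host' and schemes)."""
    return uri.startswith("/") and not uri.startswith("//")


def callback_before_fix(cookies, ticket_ok):
    """Old order: session is created, then the cookie is consulted."""
    if not ticket_ok:
        return {"status": 401, "session": None, "location": None}
    session = secrets.token_hex(16)  # written even if no initiation cookie
    target = verify_value(cookies.get("CAS_REQUEST_URI"))
    if target is None or not is_safe_redirect(target):
        target = "/"  # fallback redirect still carries a fresh session
    return {"status": 302, "session": session, "location": target}


def callback_after_fix(cookies, ticket_ok):
    """New order: verify the initiation cookie first; no cookie, no session."""
    target = verify_value(cookies.get("CAS_REQUEST_URI"))
    if target is None or not is_safe_redirect(target):
        return {"status": 401, "session": None,
                "body": {"message": "invalid callback state"}}
    if not ticket_ok:
        return {"status": 401, "session": None, "body": None}
    session = secrets.token_hex(16)  # only reached with a valid cookie
    return {"status": 302, "session": session, "location": target}
```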
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]