Copilot commented on code in PR #13464:
URL: https://github.com/apache/apisix/pull/13464#discussion_r3346067587


##########
t/plugin/jwe-decrypt.t:
##########
@@ -407,8 +340,14 @@ Authorization: bearer 
invalid-eyJhbGciOiJkaXIiLCJraWQiOiJ1c2VyLWtleSIsImVuYyI6Ik
                 ngx.HTTP_DELETE)
             ngx.say("code: ", code < 300, " body: ", body)
 
-            code, body = 
t('/apisix/plugin/jwe/encrypt?key=chen-key&payload=hello',
-                ngx.HTTP_GET)
+            -- the remaining consumer can still be verified
+            local chen_token = 
"eyJhbGciOiJkaXIiLCJraWQiOiJjaGVuLWtleSIsImVuYyI6IkEyNTZHQ00ifQ"
+                .. "..MTIzNDU2Nzg5MDEy.ar0vE2I.AOndbhR7J1e2oM3N2c-KYQ"
+            code, body = t('/hello',
+                ngx.HTTP_GET,
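
Review bot: The hardcoded `chen_token` on the added `local chen_token =` lines is an opaque fixture with nothing recording how it was produced. Add a short comment giving the plaintext and the consumer secret it was encrypted under (the header's `kid` decodes to `chen-key`, and the IV segment `MTIzNDU2Nzg5MDEy` is the fixed string `123456789012`), so the token can be regenerated if the consumer fixture changes.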

Review Comment:
   The tests no longer assert that the legacy `/apisix/plugin/jwe/encrypt` 
internal API is actually removed. Without a regression check, the endpoint 
could be reintroduced (or still be exposed via `public-api`) without failing CI.



##########
docs/en/latest/plugins/jwe-decrypt.md:
##########
@@ -219,22 +160,23 @@ kubectl apply -f jwe-encrypt-api-ic.yaml
 </TabItem>
 </Tabs>
 
-Send a request to the encryption endpoint with Consumer key to encrypt some 
sample data in the payload:
+To generate a JWE token for the Consumer, encrypt the payload offline with any 
AES-256-GCM library, using the Consumer secret as the key. The token structure 
is:
 
-```shell
-curl "http://127.0.0.1:9080/apisix/plugin/jwe/encrypt?key=jack-key"; \
-  --data-urlencode 'payload={"uid":10000,"uname":"test"}' -G
+```text
+base64url(header).<empty>.base64url(iv).base64url(ciphertext).base64url(tag)
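
Review bot: The added sentence "encrypt the payload offline with any AES-256-GCM library, using the Consumer secret as the key" leaves out parameters a reader needs to build a token the plugin will accept: the IV length, what (if anything) is passed as additional authenticated data, and how the secret string becomes the 32-byte key. State these next to the structure line; in the lines shown here they are not given.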

Review Comment:
   The JWE compact serialization here uses `alg=dir`, so the second segment 
(encrypted key) must be empty. Using `<empty>` in the structure string is easy 
to misread as a literal value; showing the required double-dot (`..`) makes the 
format unambiguous.



##########
docs/zh/latest/plugins/jwe-decrypt.md:
##########
@@ -219,22 +160,23 @@ kubectl apply -f jwe-encrypt-api-ic.yaml
 </TabItem>
 </Tabs>
 
-向加密端点发送请求,使用消费者密钥加密 payload 中的示例数据:
+要为消费者生成 JWE 令牌,可使用任意 AES-256-GCM 库离线加密 payload,加密密钥为消费者的 secret。令牌结构如下:
 
-```shell
-curl "http://127.0.0.1:9080/apisix/plugin/jwe/encrypt?key=jack-key"; \
-  --data-urlencode 'payload={"uid":10000,"uname":"test"}' -G
+```text
+base64url(header).<empty>.base64url(iv).base64url(ciphertext).base64url(tag)

Review Comment:
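   The JWE compact serialization here uses `alg=dir`, so the second segment 
(encrypted key) must be empty. Writing `<empty>` in the structure string is 
easily misread as requiring a literal value; showing the required `..` 
directly is clearer.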
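
The compact form that both documentation comments describe, checked against the `chen_token` fixture from the test hunk. This is an added Python example, not code from the PR or from APISIX; the function names are hypothetical, and the 96-bit IV and 128-bit tag checks follow RFC 7518's AES-GCM requirements rather than anything the plugin is shown to enforce.

```python
import base64
import json

# Fixture copied from the t/plugin/jwe-decrypt.t hunk (the two Lua string parts joined).
CHEN_TOKEN = ("eyJhbGciOiJkaXIiLCJraWQiOiJjaGVuLWtleSIsImVuYyI6IkEyNTZHQ00ifQ"
              "..MTIzNDU2Nzg5MDEy.ar0vE2I.AOndbhR7J1e2oM3N2c-KYQ")

B64URL = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url, rejecting characters outside the alphabet."""
    if not set(segment) <= B64URL or len(segment) % 4 == 1:
        raise ValueError("not unpadded base64url: %r" % segment)
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_dir_a256gcm(token: str) -> dict:
    """Split a JWE compact token and enforce the alg=dir / enc=A256GCM layout."""
    parts = token.split(".")
    if len(parts) != 5:
        # Dropping the empty segment entirely yields 4 parts, not 5.
        raise ValueError("expected 5 segments, got %d" % len(parts))
    header_b64, encrypted_key, iv_b64, ct_b64, tag_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    if header.get("alg") != "dir" or header.get("enc") != "A256GCM":
        raise ValueError("unsupported alg/enc: %r" % header)
    if encrypted_key != "":
        # Direct encryption carries no wrapped key, hence the literal "..".
        raise ValueError("encrypted key segment must be empty for alg=dir")
    iv, tag = b64url_decode(iv_b64), b64url_decode(tag_b64)
    if len(iv) != 12 or len(tag) != 16:
        raise ValueError("A256GCM needs a 96-bit IV and a 128-bit tag")
    return {"header": header, "iv": iv,
            "ciphertext": b64url_decode(ct_b64), "tag": tag}


if __name__ == "__main__":
    fields = parse_dir_a256gcm(CHEN_TOKEN)
    print(fields["header"], fields["iv"], len(fields["ciphertext"]))
```
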



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
