This is an automated email from the ASF dual-hosted git repository.

nic-6443 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new 6d320c09f fix(cas-auth): return 400 instead of 500 for SLO POST with 
empty body (#13471)
6d320c09f is described below

commit 6d320c09f0b22de58887b6fdb5365589d2a273a3
Author: Nic <[email protected]>
AuthorDate: Thu Jun 4 15:36:37 2026 +0800

    fix(cas-auth): return 400 instead of 500 for SLO POST with empty body 
(#13471)
---
 apisix/plugins/cas-auth.lua |  2 +-
 t/plugin/cas-auth.t         | 81 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 82 insertions(+), 1 deletion(-)

diff --git a/apisix/plugins/cas-auth.lua b/apisix/plugins/cas-auth.lua
index 465054207..db7b7860e 100644
--- a/apisix/plugins/cas-auth.lua
+++ b/apisix/plugins/cas-auth.lua
@@ -381,7 +381,7 @@ function _M.access(conf, ctx)
 
     if method == "POST" and uri == cas_callback_path then
         local data = core.request.get_body()
-        local ticket = 
data:match("<samlp:SessionIndex>(.*)</samlp:SessionIndex>")
+        local ticket = data and 
data:match("<samlp:SessionIndex>(.+)</samlp:SessionIndex>")
         if ticket == nil then
             return ngx.HTTP_BAD_REQUEST,
                 {message = "invalid logout request from IdP, no ticket"}
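Review bot: The new `(.+)` capture on the `+` line is greedy and `.` also matches newlines in Lua patterns, so a body carrying two `<samlp:SessionIndex>` elements (or any text between the first closing tag and a later one) yields a ticket spanning both, and a whitespace-only element still produces a non-nil ticket that slips past the `ticket == nil` check. A lazy capture that trims keeps the first element and rejects blanks: `local ticket = data and data:match("<samlp:SessionIndex>%s*(.-)%s*</samlp:SessionIndex>")` followed by `if ticket == "" then ticket = nil end`. Whether `core.request.get_body()` can also return nil for a body spilled to a temp file is not visible here; if it can, that case now answers "no ticket" instead of reading the file, which deserves a comment on the `data and` guard. `_M.access` starts and ends outside this hunk.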
diff --git a/t/plugin/cas-auth.t b/t/plugin/cas-auth.t
index aec63ffd3..de895c463 100644
--- a/t/plugin/cas-auth.t
+++ b/t/plugin/cas-auth.t
@@ -797,3 +797,84 @@ passed
     }
 --- response_body
 passed
+
+
+
+=== TEST 19: add route for empty-body SLO callback test
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+
+            local code, body = t('/apisix/admin/routes/cas-slo',
+                 ngx.HTTP_PUT,
+                 [[{
+                        "methods": ["GET", "POST"],
+                        "host": "127.0.0.20",
+                        "priority": 10,
+                        "plugins": {
+                            "cas-auth": {
+                                "idp_uri": 
"http://127.0.0.1:8080/realms/test/protocol/cas";,
+                                "cas_callback_uri": "/cas_callback",
+                                "logout_uri": "/logout",
+                                "cookie": {
+                                    "secret": 
"0123456789abcdef0123456789abcdef",
+                                    "secure": false
+                                }
+                            }
+                        },
+                        "upstream": {
+                            "nodes": {"127.0.0.1:1980": 1},
+                            "type": "roundrobin"
+                        },
+                        "uri": "/*"
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- response_body
+passed
+
+
+
+=== TEST 20: malformed SLO POST to callback returns 400, not 500
+--- config
+    location /t {
+        content_by_lua_block {
+            local http = require "resty.http"
+            local httpc = http.new()
+            local base = "http://127.0.0.1:"; .. ngx.var.server_port
+
+            -- (1) no body at all: get_body() returns nil, which must not be
+            -- indexed (500) but fall through to a clean 400.
+            local res, err = httpc:request_uri(base .. "/cas_callback", {
+                method = "POST",
+                headers = { ["Host"] = "127.0.0.20" },
+            })
+            assert(res, "request failed: " .. tostring(err))
+            assert(res.status == 400,
+                "expected 400 for empty-body SLO POST, got " .. res.status)
+            assert(res.body and res.body:find("no ticket", 1, true),
+                "expected 'no ticket' message, got: " .. tostring(res.body))
+
+            -- (2) body present but SessionIndex empty: still a malformed
+            -- logout, must be 400 rather than passing an empty ticket through.
+            res, err = httpc:request_uri(base .. "/cas_callback", {
+                method = "POST",
+                headers = { ["Host"] = "127.0.0.20" },
+                body = "<samlp:SessionIndex></samlp:SessionIndex>",
+            })
+            assert(res, "request failed: " .. tostring(err))
+            assert(res.status == 400,
+                "expected 400 for empty SessionIndex, got " .. res.status)
+
+            ngx.say("passed")
+        }
+    }
+--- response_body
+passed
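Review bot: The second `assert` in TEST 20 drops the response body from its failure message, so a regression shows up in the test log only as an opaque 500 with "expected 400 for empty SessionIndex, got 200" and no hint of which branch answered; mirror the first check with `"expected 400 for empty SessionIndex, got " .. res.status .. ": " .. tostring(res.body)`. The comment "must be 400 rather than passing an empty ticket through" is only as strong as the `(.+)` pattern it exercises: a body such as `<samlp:SessionIndex>   </samlp:SessionIndex>` is not covered and, as far as the hunk shows, would still produce a non-nil ticket. Adding that third request (with the expected status pinned once the plugin's handling of it is decided) would make the test describe the intended contract rather than the current pattern.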
