nic-6443 commented on code in PR #13500:
URL: https://github.com/apache/apisix/pull/13500#discussion_r3386109558
##########
apisix/plugins/authz-casdoor.lua:
##########
@@ -162,20 +162,25 @@ function _M.access(conf, ctx)
end
local session_obj_write = session.new {
cookie_name = opts.cookie_name,
- cookie = {lifetime = lifetime}
}
session_obj_write:open()
session_obj_write:set("access_token", access_token)
session_obj_write:set("client_id", conf.client_id)
+ -- lua-resty-session 4.x no longer honors the old cookie.lifetime
option,
+ -- so bind the session to the access token's expiry explicitly and
enforce
+ -- it when the session is reused (see step 2 below).
+ session_obj_write:set("access_token_expires_at", ngx.time() + lifetime)
session_obj_write:save()
core.response.set_header("Location", original_url)
return 302
end
- -- step 2: check whether session exists
+ -- step 2: check whether a valid, unexpired session exists
+ local token_expires_at = session_obj:get("access_token_expires_at")
if not (session_present
and session_obj:get("access_token")
- and session_obj:get("client_id") == conf.client_id) then
+ and session_obj:get("client_id") == conf.client_id
+ and (not token_expires_at or token_expires_at > ngx.time())) then
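Review bot: the new `local token_expires_at = session_obj:get("access_token_expires_at")` runs before `session_present` is tested, so on a request without a usable session cookie `session_obj` may be nil and the plugin errors instead of falling through to the login redirect; guard the read, e.g. `local token_expires_at = session_present and session_obj:get("access_token_expires_at")`, or move it inside the condition. Two smaller points in the same hunk: `(not token_expires_at or token_expires_at > ngx.time())` deliberately accepts a session with no stored expiry, which keeps sessions written before this change valid for as long as their cookie lives, so either state that in the comment or treat a missing expiry as expired; and `ngx.time() + lifetime` raises if `lifetime` is not a number, so confirm the token response's `expires_in` is coerced with `tonumber` and rejected when nil or <= 0 before it reaches this line.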
Review Comment:
Good catch — fixed. `token_expires_at` is now read as `session_present and
session_obj:get(...)`, so the get only runs when a session is present and a
malformed/undecryptable cookie can no longer index a nil session. I also
hardened the callback path: `expires_in` is coerced via `tonumber` and rejected
if non-numeric or <= 0, so the new `ngx.time() + lifetime` arithmetic cannot
error.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
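The two checks the reply describes, written out as an added example in plain Lua; this is not code from the PR or from the authz-casdoor plugin. `parse_expires_in` and `session_is_valid` are hypothetical names, `now` stands in for `ngx.time()` so the file runs under stock Lua or LuaJIT without OpenResty, and the session object is a stub exposing only the `get(key)` method that lua-resty-session provides. The inputs at the bottom are constructed for the example.

```lua
-- Added example, not the plugin's own code. Names and the session stub are
-- assumptions; `now` replaces ngx.time() so this runs with `lua example.lua`.

-- Coerce the token endpoint's expires_in to a positive whole number of
-- seconds. Returns nil plus a reason for anything else (missing, "abc", 0,
-- negative, NaN, inf); callers treat nil as "reject the callback", so the
-- later `now + lifetime` addition never sees a non-number.
local function parse_expires_in(raw)
  if raw == nil then                       -- Lua 5.3+ tonumber(nil) errors
    return nil, "expires_in missing"
  end
  local n = tonumber(raw)
  if n == nil then
    return nil, "expires_in is not numeric"
  end
  if n ~= n or n == math.huge then         -- NaN / inf can survive tonumber()
    return nil, "expires_in is not finite"
  end
  if n <= 0 then
    return nil, "expires_in must be > 0"
  end
  return math.floor(n)
end

-- Decide whether an already opened session may be reused (step 2 of the
-- hunk). session_obj is only indexed once session_present is true, so a
-- request with no or an undecryptable cookie cannot index a nil session.
-- A session without a stored expiry is rejected here; the hunk instead
-- lets such sessions through, which is the lenient choice for cookies
-- written before the expiry field existed.
local function session_is_valid(session_present, session_obj, client_id, now)
  if not session_present then
    return false, "no session"
  end
  if not session_obj:get("access_token") then
    return false, "no access_token"
  end
  if session_obj:get("client_id") ~= client_id then
    return false, "client_id mismatch"
  end
  local expires_at = session_obj:get("access_token_expires_at")
  if type(expires_at) ~= "number" then
    return false, "no access token expiry recorded"
  end
  if expires_at <= now then
    return false, "access token expired"
  end
  return true
end

-- Minimal in-memory stand-in for lua-resty-session's object (constructed).
local function new_session(fields)
  return { get = function(_, key) return fields[key] end }
end

-- Constructed inputs covering the edge cases the reply calls out.
assert(parse_expires_in("3600") == 3600)
assert(parse_expires_in(299.9) == 299)
assert(parse_expires_in("abc") == nil)
assert(parse_expires_in("0") == nil)
assert(parse_expires_in("-5") == nil)
assert(parse_expires_in(nil) == nil)

local now = 1700000000
local sess = new_session {
  access_token = "tok", client_id = "app-1",
  access_token_expires_at = now + 60,
}
assert(session_is_valid(true, sess, "app-1", now) == true)
assert(session_is_valid(true, sess, "app-1", now + 61) == false)  -- expired
assert(session_is_valid(true, sess, "app-2", now) == false)       -- wrong client
assert(session_is_valid(false, nil, "app-1", now) == false)       -- no session, no error
assert(session_is_valid(true, new_session { access_token = "tok",
  client_id = "app-1" }, "app-1", now) == false)                  -- expiry missing
print("all checks passed")
```

In the plugin itself the first function would run on the OAuth callback before `session_obj_write:set("access_token_expires_at", ngx.time() + lifetime)`, and the second replaces the inline condition in step 2; whether a session lacking the expiry field should be accepted or rejected is the one policy decision left to the maintainers.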