Alnyli07 commented on PR #13165: URL: https://github.com/apache/apisix/pull/13165#issuecomment-4668140724
Thanks for the review again @Baoyuantop. All three points addressed:

1. **Malformed proof / missing alg**: Added header/payload structure validation that runs before signature verification and validate_proof, rejecting a missing/non-string alg (and malformed header/payload/jwk) with invalid_dpop_proof. The nil-concat and h.alg:sub() paths are now unreachable. Added negative tests for missing alg, non-string alg, and non-object header/payload (each expects 401, no error log).
2. **require_nonce**: Removed from schema and docs, since the nonce semantics aren't implemented (no longer a no-op option).
3. **strict_htu default**: Kept false because strict_htu=true requires public_base_url, so defaulting to true would break existing routes. The path-only behavior and its weakening of RFC 9449 §4.3 URI binding is now documented explicitly, with tests for full-URL match (200), host/scheme mismatch (401), and path-only default (200). Happy to flip the default if you'd prefer secure-by-default.

Ready for another look.
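The two checks the comment above describes, as an added example written in Python for this page rather than code from the APISIX plugin or the PR itself: a structural validation pass over a DPoP proof that runs before any signature work and rejects a missing or non-string `alg` (and a non-object header, payload or `jwk`) with `invalid_dpop_proof`, and an `htu` comparison that is either bound to the full request URI (strict, needs a configured public base URL) or to the path only (the weaker default). Function and parameter names (`validate_proof_structure`, `htu_matches`, `public_base_url`) are this example's own; the `typ == "dpop+jwt"` and `alg != "none"` checks come from RFC 9449 §4.3, not from the PR. The proofs used as input are constructed here with a dummy signature segment, since only the shape checks are exercised.

```python
"""Added example (not APISIX plugin code): DPoP proof shape checks that run
before signature verification, and the strict vs. path-only htu binding.
Names are this example's own assumptions, not the plugin's schema."""
import base64
import json
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

INVALID_DPOP_PROOF = "invalid_dpop_proof"  # error code the client sees (HTTP 401)


def _b64url_decode(segment: str) -> bytes:
    # JWS segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _decode_json_segment(segment: str):
    # Returns the decoded JSON value, or None if the segment is not
    # base64url-encoded JSON at all (binascii.Error and UnicodeDecodeError
    # are both ValueError subclasses).
    try:
        return json.loads(_b64url_decode(segment))
    except ValueError:
        return None


def validate_proof_structure(proof: str):
    """Cheap shape checks that must run before any signature verification.

    Returns (header, payload) on success or raises ValueError carrying the
    error code. Nothing returned here is trusted yet: the signature is
    verified afterwards with the `jwk` taken from the header.
    """
    parts = proof.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError(INVALID_DPOP_PROOF)
    header = _decode_json_segment(parts[0])
    payload = _decode_json_segment(parts[1])
    # Header and payload must be JSON objects; an array, string or number
    # would make later field accesses such as header["alg"] fail noisily.
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError(INVALID_DPOP_PROOF)
    alg = header.get("alg")
    # alg must be a non-empty string: a missing or non-string alg is exactly
    # the value that previously reached string operations on it.
    # RFC 9449 §4.3 additionally forbids "none" (this example's addition).
    if not isinstance(alg, str) or not alg or alg.lower() == "none":
        raise ValueError(INVALID_DPOP_PROOF)
    if header.get("typ") != "dpop+jwt":  # RFC 9449 §4.3, this example's addition
        raise ValueError(INVALID_DPOP_PROOF)
    jwk = header.get("jwk")
    if not isinstance(jwk, dict) or "kty" not in jwk:
        raise ValueError(INVALID_DPOP_PROOF)
    return header, payload


def proof_error(proof: str) -> Optional[str]:
    """None when the shape checks pass, otherwise the error code to return."""
    try:
        validate_proof_structure(proof)
        return None
    except ValueError as exc:
        return str(exc)


def htu_matches(htu: str, request_path: str, strict: bool = False,
                public_base_url: Optional[str] = None) -> bool:
    """Compare the proof's htu claim with the request being served.

    strict=True compares scheme, host and path; it needs public_base_url
    because a gateway behind TLS termination cannot learn its external
    scheme and host from the request alone. strict=False (the weaker
    default) compares the path only. Query and fragment are ignored on
    both sides, as RFC 9449 §4.3 requires.
    """
    claimed = urlsplit(htu)
    if claimed.scheme not in ("http", "https") or not claimed.netloc:
        return False
    if not strict:
        return claimed.path == request_path
    if not public_base_url:
        raise ValueError("strict_htu requires public_base_url")
    base = urlsplit(public_base_url)
    expected = urlunsplit((base.scheme.lower(), base.netloc.lower(), request_path, "", ""))
    actual = urlunsplit((claimed.scheme.lower(), claimed.netloc.lower(), claimed.path, "", ""))
    return expected == actual


def make_proof(header, payload) -> str:
    """Constructed test input: JWS compact form with a dummy signature segment."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.c2ln"


GOOD_HEADER = {"typ": "dpop+jwt", "alg": "ES256",
               "jwk": {"kty": "EC", "crv": "P-256", "x": "x", "y": "y"}}
GOOD_PAYLOAD = {"jti": "1", "htm": "GET", "htu": "https://api.example.com/orders", "iat": 0}

if __name__ == "__main__":
    print(proof_error(make_proof(GOOD_HEADER, GOOD_PAYLOAD)))
    print(proof_error(make_proof({"typ": "dpop+jwt", "jwk": {"kty": "EC"}}, {})))
    print(htu_matches("https://evil.example.net/orders", "/orders"))
```

The last print shows why the default is the weak setting: with path-only matching, a proof minted for a different host is accepted as long as the path agrees, which is the RFC 9449 §4.3 weakening the comment says is now documented.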
