This is an automated email from the ASF dual-hosted git repository.

nic-6443 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new f27d6f900 fix(request-id): generate nanoid with CSPRNG to avoid 
duplicate and malformed ids (#13508)
f27d6f900 is described below

commit f27d6f90073b2092d208064216de508526d3db9b
Author: Nic <[email protected]>
AuthorDate: Thu Jun 11 10:13:54 2026 +0800

    fix(request-id): generate nanoid with CSPRNG to avoid duplicate and 
malformed ids (#13508)
---
 apisix-master-0.rockspec      |  1 -
 apisix/plugins/request-id.lua | 24 ++++++++++++++--
 t/plugin/request-id.t         | 66 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 88 insertions(+), 3 deletions(-)

diff --git a/apisix-master-0.rockspec b/apisix-master-0.rockspec
index fab5ae9b1..dc2051262 100644
--- a/apisix-master-0.rockspec
+++ b/apisix-master-0.rockspec
@@ -77,7 +77,6 @@ dependencies = {
     "opentelemetry-lua = 0.2-6",
     "net-url = 1.2-1",
     "xml2lua = 1.6-2",
-    "nanoid = 0.1-1",
     "lua-resty-mediador = 0.1.2-1",
     "lua-resty-ldap = 0.1.0-0",
     "lua-resty-t1k = 1.1.6-0",
diff --git a/apisix/plugins/request-id.lua b/apisix/plugins/request-id.lua
index 086ed9279..7036853e7 100644
--- a/apisix/plugins/request-id.lua
+++ b/apisix/plugins/request-id.lua
@@ -18,10 +18,14 @@
 local ngx = ngx
 local core = require("apisix.core")
 local uuid = require("resty.jit-uuid")
-local nanoid = require("nanoid")
+local resty_random = require("resty.random")
 local ksuid = require("resty.ksuid")
 local math_random = math.random
 local str_byte = string.byte
+local str_sub = string.sub
+local table_concat = table.concat
+local bit = require("bit")
+local band = bit.band
 local ffi = require "ffi"
 
 local plugin_name = "request-id"
@@ -70,6 +74,22 @@ function _M.check_schema(conf)
     return core.schema.check(schema, conf)
 end
 
+-- standard nanoid alphabet: 64 characters, so 6 bits of CSPRNG output map
+-- to one character without modulo bias
+local NANOID_ALPHABET = "-_0123456789abcdefghijklmnopqrstuvwxyz"
+                        .. "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+local NANOID_SIZE = 21
+
+local function get_nanoid()
+    local bytes = resty_random.bytes(NANOID_SIZE)
+    local id = core.table.new(NANOID_SIZE, 0)
+    for i = 1, NANOID_SIZE do
+        local idx = band(str_byte(bytes, i), 63) + 1
+        id[i] = str_sub(NANOID_ALPHABET, idx, idx)
+    end
+    return table_concat(id)
+end
+
 -- generate range_id
 local function get_range_id(range_id)
     local res = ffi.new("unsigned char[?]", range_id.length)
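Review bot: `resty_random.bytes(NANOID_SIZE)` in `get_nanoid` is called without the second `strong` argument, and its result is used unchecked. As far as I know, lua-resty-string's `bytes(len, strong)` only goes through `RAND_bytes` (returning nil on failure) when `strong` is true; otherwise it calls the deprecated `RAND_pseudo_bytes` and ignores its status, so the CSPRNG claim in the comment depends on the linked OpenSSL build. I would write `local bytes = resty_random.bytes(NANOID_SIZE, true)` and add a nil check before the loop (retry, or log and fall back to another algorithm), because `str_byte(nil, i)` would raise in the request path. The trailing `get_range_id` lines are context; that function's body continues outside the hunk.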
@@ -87,7 +107,7 @@ local function get_request_id(conf)
         return core.utils.generate_uuid_v7()
     end
     if conf.algorithm == "nanoid" then
-        return nanoid.safe_simple()
+        return get_nanoid()
     end
 
     if conf.algorithm == "range_id" then
diff --git a/t/plugin/request-id.t b/t/plugin/request-id.t
index 4c8cc1e60..8a89404bc 100644
--- a/t/plugin/request-id.t
+++ b/t/plugin/request-id.t
@@ -1023,3 +1023,69 @@ ok
     }
 --- response_body
 ok
+
+
+
+=== TEST 28: nanoid ids are unique and well formed across sequential requests
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local http = require "resty.http"
+            local code, body = t('/apisix/admin/routes/1',
+                 ngx.HTTP_PUT,
+                 [[{
+                        "plugins": {
+                            "request-id": {
+                                "algorithm": "nanoid"
+                            }
+                        },
+                        "upstream": {
+                            "nodes": {
+                                "127.0.0.1:1982": 1
+                            },
+                            "type": "roundrobin"
+                        },
+                        "uri": "/opentracing"
+                }]]
+                )
+            if code >= 300 then
+                ngx.say("algorithm nanoid is error")
+                return
+            end
+            ngx.sleep(0.5)
+
+            local ids = {}
+            local uri = "http://127.0.0.1:"; .. ngx.var.server_port .. 
"/opentracing"
+            local httpc = http.new()
+            for i = 1, 200 do
+                local res, err = httpc:request_uri(uri)
+                if not res then
+                    ngx.say("request failed: ", err)
+                    return
+                end
+                local id = res.headers["X-Request-Id"]
+                if not id then
+                    ngx.say("missing X-Request-Id")
+                    return
+                end
+                if #id ~= 21 then
+                    ngx.say("unexpected id length: ", #id, " id: ", id)
+                    return
+                end
+                if not id:match("^[A-Za-z0-9_-]+$") then
+                    ngx.say("unexpected id charset: ", id)
+                    return
+                end
+                if ids[id] then
+                    ngx.say("ids not unique")
+                    return
+                end
+                ids[id] = true
+            end
+            ngx.say("true")
+        }
+    }
+--- timeout: 30
+--- response_body
+true
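Review bot: The uniqueness check in TEST 28 sends 200 sequential requests through one `httpc`, so it may not reproduce the duplicate-id failure the commit title describes. If those duplicates came from several workers sharing generator state (the root cause is not visible in this diff), the case needs more than one worker or concurrent requests to be meaningful. Consider a comment above the loop such as `-- sequential requests only; cross-worker uniqueness is not exercised here`, or a variant that runs with multiple workers. Separately, line 129 as rendered has a stray `;` after `"http://127.0.0.1:"` and a wrapped continuation, which would not parse as Lua; this looks like a mail-archive artifact and should be checked against the commit itself.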
