shreemaan-abhishek opened a new pull request, #13590: URL: https://github.com/apache/apisix/pull/13590
### Description

The `attach-consumer-label` plugin sets configured headers (e.g. `X-Consumer-Role: $role`) from the authenticated consumer's labels so Upstream services can rely on the gateway-set value. It is meant to overwrite any value a client sent for those header names.

Today that overwrite only happens when the consumer has a non-empty `labels` map. `before_proxy` returns early when `ctx.consumer` is absent or `ctx.consumer.labels` is `nil`, so for an authenticated consumer that has no labels at all, a client-supplied value of a configured header (e.g. an inbound `X-Consumer-Role`) is forwarded to the Upstream unchanged instead of being cleared.

This change clears every configured header name at the very start of `before_proxy`, before the early returns, so the Upstream only ever sees the gateway-set value regardless of whether the consumer has labels. This matches the existing behavior of sibling plugins such as `forward-auth`, `opa`, and `openid-connect`, which unconditionally clear their managed headers.

A unit-style test case (TEST 16) is added: it drives `before_proxy` for a consumer without labels and asserts the inbound header value is removed. It fails before this change and passes after. Docs are updated to state that a client-supplied value of a configured header is always removed first.

#### Which issue(s) this PR fixes:

Fixes #

### Checklist

- [x] I have explained the need for this PR and the problem it solves
- [x] I have explained the changes or the new features added to this PR
- [x] I have added tests corresponding to this change
- [x] I have updated the documentation to reflect this change
- [x] I have verified that this change is backward compatible (If not, please discuss on the [APISIX mailing list](https://github.com/apache/apisix/tree/master#community) first)
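The control flow described in the PR, as an added stand-alone model that is not code from the PR or from APISIX: plain Lua tables stand in for the request headers and `ctx`, and the function names `before_proxy_old` and `before_proxy_new`, the username and the label values are assumptions made for illustration. It runs the same inbound `X-Consumer-Role` value through both orderings for a request with no consumer, a consumer without labels, and a consumer with a `role` label.

```lua
-- Stand-alone model of the header handling described in the PR.
-- Plain tables stand in for the request and ctx; no APISIX modules are used.
-- conf.headers maps a header name to "$<label key>", as in the PR's example.
local conf = { headers = { ["x-consumer-role"] = "$role" } }

-- Ordering before the change: the early returns skip the overwrite.
local function before_proxy_old(conf, ctx, req_headers)
    if not ctx.consumer then return end
    local labels = ctx.consumer.labels
    if not labels then return end
    for name, ref in pairs(conf.headers) do
        req_headers[name] = labels[ref:sub(2)]   -- strip the leading "$"
    end
end

-- Ordering after the change: clear every configured name first.
local function before_proxy_new(conf, ctx, req_headers)
    for name in pairs(conf.headers) do
        req_headers[name] = nil
    end
    if not ctx.consumer then return end
    local labels = ctx.consumer.labels
    if not labels then return end
    for name, ref in pairs(conf.headers) do
        req_headers[name] = labels[ref:sub(2)]
    end
end

-- Constructed cases; every request arrives with a client-supplied value.
local cases = {
    { name = "no consumer",             ctx = {} },
    { name = "consumer without labels", ctx = { consumer = { username = "jack" } } },
    { name = "consumer with role",
      ctx = { consumer = { username = "jack", labels = { role = "viewer" } } } },
}

for _, c in ipairs(cases) do
    local old_req = { ["x-consumer-role"] = "admin" }
    local new_req = { ["x-consumer-role"] = "admin" }
    before_proxy_old(conf, c.ctx, old_req)
    before_proxy_new(conf, c.ctx, new_req)
    -- Print what the Upstream would receive under each ordering.
    print(string.format("%-24s old=%-7s new=%s", c.name,
        tostring(old_req["x-consumer-role"]),
        tostring(new_req["x-consumer-role"])))
end
```

In the first two cases the old ordering leaves the client's value in place while the new ordering removes it; in the third both forward the label value.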
