This is an automated email from the ASF dual-hosted git repository.

shreemaan-abhishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new 5e5554f8d fix(forward-auth): re-frame buffered POST body for the auth 
request (#13642)
5e5554f8d is described below

commit 5e5554f8dc47ebbde88f5398d29d2c5c4463189b
Author: Shreemaan Abhishek <[email protected]>
AuthorDate: Fri Jul 3 16:42:03 2026 +0800

    fix(forward-auth): re-frame buffered POST body for the auth request (#13642)
---
 apisix/plugins/forward-auth.lua |  6 +--
 t/plugin/forward-auth.t         | 86 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 89 insertions(+), 3 deletions(-)

diff --git a/apisix/plugins/forward-auth.lua b/apisix/plugins/forward-auth.lua
index 3f2be5de4..d3e965d91 100644
--- a/apisix/plugins/forward-auth.lua
+++ b/apisix/plugins/forward-auth.lua
@@ -121,9 +121,9 @@ function _M.access(conf, ctx)
     }
 
     if conf.request_method == "POST" then
-        auth_headers["Content-Length"] = core.request.header(ctx, 
"content-length")
-        auth_headers["Expect"] = core.request.header(ctx, "expect")
-        auth_headers["Transfer-Encoding"] = core.request.header(ctx, 
"transfer-encoding")
+        -- body is buffered and re-framed below, so only keep content-encoding.
+        -- forwarding client transfer-encoding/content-length/expect would not
+        -- match the buffered body.
         auth_headers["Content-Encoding"] = core.request.header(ctx, 
"content-encoding")
     end
 
diff --git a/t/plugin/forward-auth.t b/t/plugin/forward-auth.t
index c07f7dc91..e82294dc4 100644
--- a/t/plugin/forward-auth.t
+++ b/t/plugin/forward-auth.t
@@ -595,3 +595,89 @@ POST /withinlimit
 --- response_body_like eval
 qr/i-am-an-user/
 --- error_code: 200
+
+
+
+=== TEST 20: setup route that reflects the framing seen by the auth service
+--- config
+    location /t {
+        content_by_lua_block {
+            local data = {
+                {
+                    url = "/apisix/admin/routes/auth-frame",
+                    data = [[{
+                        "plugins": {
+                            "serverless-pre-function": {
+                                "phase": "rewrite",
+                                "functions": [
+                                    "return function (conf, ctx)
+                                        local core = require(\"apisix.core\");
+                                        local te = core.request.header(ctx, 
\"transfer-encoding\") or \"none\";
+                                        
core.response.set_header(\"X-Auth-Saw-Te\", te);
+                                        core.response.exit(200);
+                                    end"
+                                ]
+                            }
+                        },
+                        "uri": "/auth-frame"
+                    }]],
+                },
+                {
+                    url = "/apisix/admin/routes/pingframe",
+                    data = [[{
+                        "plugins": {
+                            "forward-auth": {
+                                "uri": "http://127.0.0.1:1984/auth-frame";,
+                                "request_method": "POST",
+                                "upstream_headers": ["X-Auth-Saw-Te"]
+                            },
+                            "proxy-rewrite": {
+                                "uri": "/echo"
+                            }
+                        },
+                        "upstream_id": "u1",
+                        "uri": "/pingframe"
+                    }]],
+                },
+            }
+
+            local t = require("lib.test_admin").test
+            for _, data in ipairs(data) do
+                local code, body = t(data.url, ngx.HTTP_PUT, data.data)
+                ngx.say(body)
+            end
+        }
+    }
+--- request
+GET /t
+--- response_body eval
+"passed\n" x 2
+
+
+
+=== TEST 21: chunked POST is re-framed, auth service does not see chunked
+--- config
+    location /t {
+        content_by_lua_block {
+            local sock = ngx.socket.tcp()
+            sock:settimeout(2000)
+            local ok, err = sock:connect("127.0.0.1", 1984)
+            if not ok then
+                ngx.say("connect failed: ", err)
+                return
+            end
+            local req = "POST /pingframe HTTP/1.1\r\n"
+                .. "Host: 127.0.0.1\r\n"
+                .. "Transfer-Encoding: chunked\r\n"
+                .. "Connection: close\r\n\r\n"
+                .. "5\r\nhello\r\n0\r\n\r\n"
+            sock:send(req)
+            local resp = sock:receive("*a")
+            sock:close()
+            ngx.print(resp)
+        }
+    }
+--- request
+GET /t
+--- response_body_like eval
+qr/"x-auth-saw-te":"none"/

Reply via email to