This is an automated email from the ASF dual-hosted git repository.
shreemaan-abhishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 5e5554f8d fix(forward-auth): re-frame buffered POST body for the auth
request (#13642)
5e5554f8d is described below
commit 5e5554f8dc47ebbde88f5398d29d2c5c4463189b
Author: Shreemaan Abhishek <[email protected]>
AuthorDate: Fri Jul 3 16:42:03 2026 +0800
fix(forward-auth): re-frame buffered POST body for the auth request (#13642)
---
apisix/plugins/forward-auth.lua | 6 +--
t/plugin/forward-auth.t | 86 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 89 insertions(+), 3 deletions(-)
diff --git a/apisix/plugins/forward-auth.lua b/apisix/plugins/forward-auth.lua
index 3f2be5de4..d3e965d91 100644
--- a/apisix/plugins/forward-auth.lua
+++ b/apisix/plugins/forward-auth.lua
@@ -121,9 +121,9 @@ function _M.access(conf, ctx)
}
if conf.request_method == "POST" then
- auth_headers["Content-Length"] = core.request.header(ctx,
"content-length")
- auth_headers["Expect"] = core.request.header(ctx, "expect")
- auth_headers["Transfer-Encoding"] = core.request.header(ctx,
"transfer-encoding")
+ -- body is buffered and re-framed below, so only keep content-encoding.
+ -- forwarding client transfer-encoding/content-length/expect would not
+ -- match the buffered body.
auth_headers["Content-Encoding"] = core.request.header(ctx,
"content-encoding")
end
diff --git a/t/plugin/forward-auth.t b/t/plugin/forward-auth.t
index c07f7dc91..e82294dc4 100644
--- a/t/plugin/forward-auth.t
+++ b/t/plugin/forward-auth.t
@@ -595,3 +595,89 @@ POST /withinlimit
--- response_body_like eval
qr/i-am-an-user/
--- error_code: 200
+
+
+
+=== TEST 20: setup route that reflects the framing seen by the auth service
+--- config
+ location /t {
+ content_by_lua_block {
+ local data = {
+ {
+ url = "/apisix/admin/routes/auth-frame",
+ data = [[{
+ "plugins": {
+ "serverless-pre-function": {
+ "phase": "rewrite",
+ "functions": [
+ "return function (conf, ctx)
+ local core = require(\"apisix.core\");
+ local te = core.request.header(ctx,
\"transfer-encoding\") or \"none\";
+
core.response.set_header(\"X-Auth-Saw-Te\", te);
+ core.response.exit(200);
+ end"
+ ]
+ }
+ },
+ "uri": "/auth-frame"
+ }]],
+ },
+ {
+ url = "/apisix/admin/routes/pingframe",
+ data = [[{
+ "plugins": {
+ "forward-auth": {
+ "uri": "http://127.0.0.1:1984/auth-frame",
+ "request_method": "POST",
+ "upstream_headers": ["X-Auth-Saw-Te"]
+ },
+ "proxy-rewrite": {
+ "uri": "/echo"
+ }
+ },
+ "upstream_id": "u1",
+ "uri": "/pingframe"
+ }]],
+ },
+ }
+
+ local t = require("lib.test_admin").test
+ for _, data in ipairs(data) do
+ local code, body = t(data.url, ngx.HTTP_PUT, data.data)
+ ngx.say(body)
+ end
+ }
+ }
+--- request
+GET /t
+--- response_body eval
+"passed\n" x 2
+
+
+
+=== TEST 21: chunked POST is re-framed, auth service does not see chunked
+--- config
+ location /t {
+ content_by_lua_block {
+ local sock = ngx.socket.tcp()
+ sock:settimeout(2000)
+ local ok, err = sock:connect("127.0.0.1", 1984)
+ if not ok then
+ ngx.say("connect failed: ", err)
+ return
+ end
+ local req = "POST /pingframe HTTP/1.1\r\n"
+ .. "Host: 127.0.0.1\r\n"
+ .. "Transfer-Encoding: chunked\r\n"
+ .. "Connection: close\r\n\r\n"
+ .. "5\r\nhello\r\n0\r\n\r\n"
+ sock:send(req)
+ local resp = sock:receive("*a")
+ sock:close()
+ ngx.print(resp)
+ }
+ }
+--- request
+GET /t
+--- response_body_like eval
+qr/"x-auth-saw-te":"none"/