shreemaan-abhishek opened a new pull request, #13664:
URL: https://github.com/apache/apisix/pull/13664

   ### Description
   
   `forward-auth` makes a synchronous HTTP call to the external authorization 
service on **every** request, which dominates its per-request overhead. This 
adds an **opt-in** per-worker cache of authorization decisions so repeated 
calls from the same caller can be served without hitting the auth service.
   
   A new optional `cache` block:
   
   ```json
   "forward-auth": {
       "uri": "http://auth.internal/verify";,
       "request_headers": ["Authorization"],
       "cache": {
           "key_headers": ["Authorization"],
           "ttl": 30,
           "include_method": false,
           "include_uri": false
       }
   }
   ```
   
   When present, an allow/deny decision is stored in a per-worker 
`resty.lrucache` and replayed on subsequent matching requests.
   
   Because this is an authorization path, correctness is prioritized over speed:
   
   - **Never cache across identities.** The cache key is namespaced per plugin 
conf id + version (via `plugin_ctx_id`, so config edits invalidate it) and 
built from the operator-declared `key_headers` values, optionally the 
method/URI, and — for `POST` — an `md5` of the forwarded body. `key_headers` is 
required whenever caching is enabled, so there is no implicit "cache 
everything" default.
   - **Respects upstream cache-control.** `no-store` / `no-cache` / `private` 
skip caching; `max-age` caps the TTL (and `max-age=0` skips).
   - **Fails closed on transient errors.** Auth-service `5xx` responses are 
never cached.
   - **Faithful replay.** Both allow (upstream headers) and deny (status, body, 
client headers) outcomes are reproduced on a hit, identical to the uncached 
path.
   - Fully backward compatible: with no `cache` block the plugin behaves 
exactly as before.
   
   ### Which issue(s) this PR fixes
   
   N/A (enhancement).
   
   ### Checklist
   
   - [x] I have explained the need for this PR and the problem it solves
   - [x] I have explained the changes or the new features added to this PR
   - [x] I have added tests corresponding to this change
   - [x] I have updated the documentation to reflect this change
   - [x] I have verified that this change is backward compatible (if not, 
please discuss on the [APISIX mailing 
list](https://github.com/apache/apisix/tree/master#community) first)
   
   ### Tests
   
   New `t/plugin/forward-auth4.t` counts actual auth-service invocations via a 
shared dict and asserts:
   
   - schema requires `key_headers` and enforces `ttl` bounds
   - identical requests hit the cache (1 auth call for N requests)
   - a different identity is never served another's cached decision, and a 
cached deny stays a deny
   - caching disabled still calls the auth service every time
   - upstream `Cache-Control: no-store` is honored (not cached)
   - `include_uri` keys on the request URI
   - the `POST` body is part of the cache key
   
   Existing `forward-auth.t` / `forward-auth2.t` / `forward-auth3.t` still pass 
unchanged.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to