This is an automated email from the ASF dual-hosted git repository.
shreemaan-abhishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 9962bee2b fix: reject consumer auth when secret reference fails to
resolve (#13667)
9962bee2b is described below
commit 9962bee2b598e7ab4ea77f631bc23f0474af86a7
Author: Shreemaan Abhishek <[email protected]>
AuthorDate: Wed Jul 8 19:33:53 2026 +0800
fix: reject consumer auth when secret reference fails to resolve (#13667)
---
apisix/consumer.lua | 15 ++++++++++++++-
t/plugin/key-auth.t | 43 +++++++++++++++++++++++++++++++++++++++++++
2 files changed, 57 insertions(+), 1 deletion(-)
diff --git a/apisix/consumer.lua b/apisix/consumer.lua
index cd60a0209..9e3c2495c 100644
--- a/apisix/consumer.lua
+++ b/apisix/consumer.lua
@@ -249,7 +249,20 @@ function create_consume_cache(consumers_conf, key_attr)
for _, consumer in ipairs(consumers_conf.nodes) do
local new_consumer = consumer_lrucache(consumer, nil,
fill_consumer_secret, consumer)
- consumer_names[new_consumer.auth_conf[key_attr]] = new_consumer
+ local key_value = new_consumer.auth_conf[key_attr]
+ -- fail closed: skip if the credential is unset or an unresolved
secret ref,
+ -- else a client could auth with the literal $ENV://... reference
string
+ if key_value == nil then
+ core.log.error("missing consumer auth credential '", key_attr,
+ "', skipping consumer: ",
new_consumer.consumer_name)
+
+ elseif secret.has_secret_ref(new_consumer.auth_conf) then
+ core.log.error("failed to resolve secret reference in consumer
auth ",
+ "credential, skipping consumer: ",
new_consumer.consumer_name)
+
+ else
+ consumer_names[key_value] = new_consumer
+ end
end
return consumer_names
diff --git a/t/plugin/key-auth.t b/t/plugin/key-auth.t
index fa5b6e438..c88e6b9a3 100644
--- a/t/plugin/key-auth.t
+++ b/t/plugin/key-auth.t
@@ -737,3 +737,46 @@ passed
GET /hello?auth=authtwo
--- response_args
auth: authtwo
+
+
+
+=== TEST 33: consumer key uses an env ref that fails to resolve
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "jack",
+ "plugins": {
+ "key-auth": {
+ "key": "$env://KEYAUTH_UNRESOLVED_SECRET"
+ }
+ }
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+
+
+
+=== TEST 34: fail closed, literal ref is not accepted as a credential
+--- request
+GET /hello
+--- more_headers
+apikey: $env://KEYAUTH_UNRESOLVED_SECRET
+--- error_code: 401
+--- response_body
+{"message":"Invalid API key in request"}
+--- error_log
+invalid api key