chore(session) do not read body by default and only on certain HTTP m…

…ethods ### Summary On comment: #7418 (comment) @PidgeyBE mentioned that session plugin reads bodies by on every HTTP request that is not an GET request. Because it is quite common to use bodies to send large files, reading body makes features like route.request_buffering=off, not working. Thus, the default value for ´logout_post_arg` in session plugin was removed. The bodies are only read when this is configured. This might change behavior on scripts that create session plugin and which also think that logout by body argument works as before. On the other hand it is a way more common to read session than it is to log out session, thus it should be better value for future of us.
Kong · Feb 22, 2023 · 5d706a3 · 5d706a3
1 parent f24fbd8
commit 5d706a3
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -69,6 +69,15 @@
 
 ## Unreleased
 
+### Breaking Changes
+
+#### Plugins
+
+- **Session**: default value for `logout_post_arg` was removed. That means that you need to actively
+  configure it to be able to logout by HTTP POST argument. This was done because it lead in the most
+  cases to unnecessary reads of HTTP bodies, which caused other issues.
+  [#10333](https://github.com/Kong/kong/pull/10333)
+
 ### Dependencies
 
 - Bumped lua-resty-session from 4.0.2 to 4.0.3

diff --git a/kong/plugins/session/schema.lua b/kong/plugins/session/schema.lua
@@ -94,7 +94,7 @@ return {
           { request_headers = headers },
           { logout_methods = logout_methods },
           { logout_query_arg = {  type = "string",  default = "session_logout" } },
-          { logout_post_arg = { type = "string", default = "session_logout" } },
+          { logout_post_arg = { type = "string" } },
         },
         shorthand_fields = {
           -- TODO: deprecated forms, to be removed in Kong 4.0

diff --git a/kong/plugins/session/session.lua b/kong/plugins/session/session.lua
@@ -6,6 +6,17 @@ local kong = kong
 local ipairs = ipairs
 
 
+-- In theory bodies are allowed in most HTTP methods, but in
+-- practice it is reasonable to limit reading bodies only to
+-- below list of HTTP methods.
+local READ_BODY_METHODS = {
+  DELETE = true, -- this is a stretch, but lets allow it
+  PATCH = true,
+  POST = true,
+  PUT = true,
+}
+
+
 local _M = {}
 
 
@@ -103,7 +114,7 @@ function _M.logout(conf)
   end
 
   local logout_post_arg = conf.logout_post_arg
-  if logout_post_arg then
+  if logout_post_arg and READ_BODY_METHODS[request_method] then
     local post_args = kong.request.get_body()
     if post_args and post_args[logout_post_arg] then
       kong.log.debug("logout by post argument")