feat: support hide the authentication header in basic-auth with a config (#6039)

Co-authored-by: xuwei <>
mangoGoForward authored Jan 14, 2022
1 parent 5428972 commit d7fda7e
Showing 4 changed files with 129 additions and 3 deletions.
12 changes: 11 additions & 1 deletion apisix/plugins/basic-auth.lua
@@ -30,7 +30,12 @@ local consumers_lrucache = core.lrucache.new({
local schema = {
type = "object",
title = "work with route or service object",
properties = {},
properties = {
hide_credentials = {
type = "boolean",
default = false,
}
},
}

local consumer_schema = {
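Review bot: `default = false` on the new `hide_credentials` property keeps existing route and service configurations behaving as before, but it also means the `Authorization` header keeps reaching the upstream unless an operator explicitly opts in. Since this is the route/service schema (`title = "work with route or service object"`), consider adding a `description` to the property so the schema exposed through the Admin API states that the header is forwarded by default and removed only when the value is `true`.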
@@ -172,6 +177,11 @@ function _M.rewrite(conf, ctx)
return 401, { message = "Password is error" }
end

-- 5. hide `Authorization` request header if `hide_credentials` is `true`
if conf.hide_credentials then
core.request.set_header(ctx, "Authorization", nil)
end

consumer.attach_consumer(ctx, cur_consumer, consumer_conf)

core.log.info("hit basic-auth access")
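Review bot: the new block `if conf.hide_credentials then core.request.set_header(ctx, "Authorization", nil) end` sits after the password check and before `consumer.attach_consumer`, so the header is stripped only for requests that actually authenticated, while the failure branches above (`return 401, { message = "Password is error" }`) still reject the request before anything is proxied; that ordering is correct and should be kept if this code is touched again. One point for the docs: clearing the header at this stage also hides it from any plugin that runs after basic-auth in the same request and reads `Authorization`, not only from the upstream, and the option description should say so.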
12 changes: 10 additions & 2 deletions docs/en/latest/plugins/basic-auth.md
@@ -39,11 +39,19 @@ For more information on Basic authentication, refer to [Wiki](https://en.wikiped

## Attributes

For consumer side:

| Name | Type | Requirement | Default | Valid | Description |
| -------- | ------ | ----------- | ------- | ----- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| username | string | required | | | Different `consumer` should have different value which is unique. When different `consumer` use a same `username`, a request matching exception would be raised. |
| password | string | required | | | the user's password |

For route side:

| Name | Type | Requirement | Default | Valid | Description |
| -------- | ------ | ----------- | ------- | ----- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| hide_credentials | boolean | optional | false | | Whether to pass the Authorization request headers to the upstream. |

## How To Enable

### 1. set a consumer and config the value of the `basic-auth` option
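Review bot: the description of `hide_credentials` in the route-side table, `Whether to pass the Authorization request headers to the upstream.`, reads as the inverse of the option name: setting the option to `true` removes the header, so a reader of this sentence would take `true` to mean the header is forwarded. Suggest wording it as `Whether to hide the Authorization request header from the upstream; when true the header is removed after successful authentication`, which matches the `hide_credentials = true` behaviour asserted in `t/plugin/basic-auth.t`.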
@@ -129,8 +137,8 @@ hello, world
## Disable Plugin

When you want to disable the `basic-auth` plugin, it is very simple,
you can delete the corresponding json configuration in the plugin configuration,
no need to restart the service, it will take effect immediately:
you can delete the corresponding json configuration in the plugin configuration,
no need to restart the service, it will take effect immediately:

```shell
$ curl http://127.0.0.1:9080/apisix/admin/routes/1 -X PUT -d '
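Review bot: the two `+` lines in this hunk (`you can delete the corresponding json configuration in the plugin configuration,` and `no need to restart the service, it will take effect immediately:`) are textually identical to the `-` lines they replace, so the change is whitespace only, most likely trailing spaces, and has nothing to do with `hide_credentials`. Harmless, but it belongs in a separate formatting commit or at least deserves a mention in the commit message so the diff is not misread as a content change.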
8 changes: 8 additions & 0 deletions docs/zh/latest/plugins/basic-auth.md
@@ -39,11 +39,19 @@ title: basic-auth

## 属性

consumer 端配置:

| 名称 | 类型 | 必选项 | 默认值 | 有效值 | 描述 |
| -------- | ------ | ------ | ------ | ------ | ------------------------------------------------------------------------------------------------------------------ |
| username | string | 必须 | | | 不同的 `consumer` 对象应有不同的值,它应当是唯一的。不同 consumer 使用了相同的 `username` ,将会出现请求匹配异常。 |
| password | string | 必须 | | | 用户的密码 |

router 端配置:

| 名称 | 类型 | 必选项 | 默认值 | 有效值 | 描述 |
| -------- | ------ | ------ | ------ | ------ | ------------------------------------------------------------------------------------------------------------------ |
| hide_credentials | boolean | 可选 | false | | 是否将 Authorization 请求头传递给 upstream。 |

## 如何启用

### 1. 创建一个 consumer 对象,并设置插件 `basic-auth` 的值。
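Review bot: the Chinese description `是否将 Authorization 请求头传递给 upstream。` ("whether to pass the Authorization request header to the upstream") has the same inverted sense as the English table: `true` hides the header rather than passing it. Suggest phrasing it as hiding the header from the upstream, for example `是否在认证成功后隐藏 Authorization 请求头,不再传递给 upstream`. Also, the heading `router 端配置:` corresponds to `For route side:` in the English document; `route 端配置:` keeps the terminology consistent with the rest of the docs and with the schema title.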
100 changes: 100 additions & 0 deletions t/plugin/basic-auth.t
@@ -395,3 +395,103 @@ GET /t
GET /t
--- no_error_log
[error]



=== TEST 15: enable basic auth plugin using admin api, set hide_credentials = true
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"basic-auth": {
"hide_credentials": true
}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/echo"
}]]
)

if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- request
GET /t
--- response_body
passed
--- no_error_log
[error]



=== TEST 16: verify Authorization request header is hidden
--- request
GET /echo
--- more_headers
Authorization: Basic Zm9vOmJhcg==
--- response_headers
!Authorization
--- no_error_log
[error]



=== TEST 17: enable basic auth plugin using admin api, hide_credentials = false
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"basic-auth": {
"hide_credentials": false
}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/echo"
}]]
)

if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- request
GET /t
--- response_body
passed
--- no_error_log
[error]



=== TEST 18: verify Authorization request header should not hidden
--- request
GET /echo
--- more_headers
Authorization: Basic Zm9vOmJhcg==
--- response_headers
Authorization: Basic Zm9vOmJhcg==
--- no_error_log
[error]
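Review bot: the four new tests only exercise the success path; there is no case where `hide_credentials = true` is configured and the request carries a wrong or missing credential, so a regression that moved the header clearing ahead of the password check, or that short-circuited authentication when the option is set, would still pass this suite. Suggest adding a test after TEST 16 that sends an `Authorization: Basic ...` header with an invalid password against the same route and expects `--- error_code: 401`. Two smaller points: TEST 16 and TEST 18 assume a consumer whose credentials match `Zm9vOmJhcg==` (`foo:bar`) was created by earlier tests in this file, since TEST 15 and TEST 17 only create the route, so the new cases are order dependent and should say so in a comment; and the TEST 18 title `should not hidden` should read `should not be hidden`.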
