Pass credentials in sub-requests #87
Conversation
devgs
force-pushed
the
feature/pass_subrq_creds
branch
from
416a4be
to
fccea87
Compare
|
Since this is a pretty significant behavior change, I think it would make sense to offer configuration options here. E.g. a switch to turn on header-passing and some way to control the whitelist. |
…requests, configurable
|
@evanmiller I've added a dedicated HTTP header filed that will communicate the whitelist, if necessary: |
|
@devgs Wouldn't it make more sense to have the whitelist in the configuration file rather than from the upstream response? E.g. |
|
@evanmiller It just seems that an upstream has more knowledge about the kinds of header fields that it requires in order to authorize file access. This can be tightly coupled to each specific request. From my experience, you can have a generic If you see a benefit in adding What do you say? |
|
OK, fine with me since you are the one using it :-). Any chance of test coverage on this one? |
So, you want me to add
Yeah, I think I can come up with something. |
|
Leave as is; we can explore a configuration option if there is demand later. Please ensure that the default behavior remains unchanged. |
|
Yes, I have replaced my original changes. Now, only the requested headers are passed and only if anything is requested. This means that by default (when Now I'm going to come up with some tests. |
|
Added test coverage. |
|
Let me know when you're happy with it and I'll merge it in. |
|
As happy as I can get :) Thanks! |
Recently we have tried to update mod_zip on our servers and have faced an obstacle. At some point, sub-request logic was changed in such a way that no header fields of the original request were supplied to the sub-requests. Specifically important for us were the ones that communicate some credentials. We, ourselves, use a combination of
Cookie,Authorizationand someX-*header fields. So these are the ones that I've 'whitelisted'.