Skip to content

Commit

Permalink
fix(key-auth): retain order of query arguments when hiding the creden…
Browse files Browse the repository at this point in the history
…tials

Fixes #12758 reported by @battlebyte.

Signed-off-by: Aapo Talvensaari <aapo.talvensaari@gmail.com>
  • Loading branch information
bungle committed Sep 9, 2024
1 parent f6c1b49 commit 5bc5dd4
Show file tree
Hide file tree
Showing 3 changed files with 46 additions and 2 deletions.
3 changes: 3 additions & 0 deletions changelog/unreleased/kong/fix-key-auth-retain-query-order.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
message: "**key-auth**: Fixed to retain order of query arguments when hiding the credentials."
type: bugfix
scope: Plugin
3 changes: 1 addition & 2 deletions kong/plugins/key-auth/handler.lua
Original file line number Diff line number Diff line change
Expand Up @@ -143,8 +143,7 @@ local function do_authentication(conf)
key = v

if conf.hide_credentials then
query[name] = nil
kong.service.request.set_query(query)
kong.service.request.clear_query_arg(name)
kong.service.request.clear_header(name)

if conf.key_in_body then
Expand Down
42 changes: 42 additions & 0 deletions spec/03-plugins/09-key-auth/02-access_spec.lua
Original file line number Diff line number Diff line change
Expand Up @@ -712,6 +712,48 @@ for _, strategy in helpers.each_strategy() do
assert.matches("No API key found in request", json.message)
assert.equal('Key', res.headers["WWW-Authenticate"])
end)

it("does not remove apikey and preserves order of query parameters", function()
local res = assert(proxy_client:send {
method = "GET",
path = "/request?c=value1&b=value2&apikey=kong&a=value3",
headers = {
["Host"] = "key-auth1.test"
}
})
local body = assert.res_status(200, res)
local json = cjson.decode(body)

assert.equal("/request?c=value1&b=value2&apikey=kong&a=value3", json.vars.request_uri)
end)

it("removes apikey and preserves order of query parameters", function()
local res = assert(proxy_client:send{
method = "GET",
path = "/request?c=value1&b=value2&apikey=kong&a=value3",
headers = {
["Host"] = "key-auth2.test"
}
})
local body = assert.res_status(200, res)
local json = cjson.decode(body)

assert.equal("/request?c=value1&b=value2&a=value3", json.vars.request_uri)
end)

it("removes apikey in encoded query and preserves order of query parameters", function()
local res = assert(proxy_client:send {
method = "GET",
path = "/request?c=valu%651&b=value2&api%6B%65%79=kong&a=valu%653",
headers = {
["Host"] = "key-auth2.test"
}
})
local body = assert.res_status(200, res)
local json = cjson.decode(body)

assert.equal("/request?c=value1&b=value2&a=value3", json.vars.request_uri)
end)
end)

describe("config.anonymous", function()
Expand Down

0 comments on commit 5bc5dd4

Please sign in to comment.