Feature/support token in query string #107
Conversation
Co-authored-by: Josh McCullough <JoshMcCullough@users.noreply.github.com>
Co-authored-by: Josh McCullough <JoshMcCullough@users.noreply.github.com>
Co-authored-by: Josh McCullough <JoshMcCullough@users.noreply.github.com>
|
I removed the ngx_pfree call from: int free_ok = ngx_pfree(r->pool, r->args.data);
if (free_ok == NGX_OK) {This call always failed, preventing the removal of the token from args for following processing steps. The reason for the fail of the free-call, is that the args are not separately allocated in memory, the pointer references to an offset from the It doesn't however seem to remove the token without the |
Thanks, can you elaborate on this part? |
Sure. Initially when I was testing, I was testing it with the nginx-config we are going to use in production. This involves injecting the api-key for the upstream request, so we have a following nginx.conf for that particular endpoint: With this config, the target api is called without the token, which we use for authentication against the proxy. However, if I remove the first row (don't append api-key), token remains in the query. Unfortunately I am not that well aware of the processing stages for a request inside nginx, but I am assuming the I can look into this, if this is seen as an issue. Possible approaches could be to locate whether it would be possible to set that same flag if the token is to be removed, or whether mutating the uri string in a similar fashion would prevent the token from appearing in the upstream request. I'll be offline until Monday 28.8, but will get back to this then. |
|
So I think what you're saying is that this approach will only work (e.g. the JWT will only be removed from the proxied URL) if you add So that is counter-intuitive, because this config will include the JWT? |
|
Exactly! I am unsure of the reason though, but would assume that mutating the args triggers a different process for building the upstream request. |
|
@JoshMcCullough, just pinging on the status, is this going to move forward or do you have further changes required? We have it currently running in production, but am of course curious if the feature will be implemented upstream as well. |
|
Yes, it will get merged but it'd be good to figure out the |
|
@santerioksanen IIRC there is code in this PR to remove the arg from |
JoshMcCullough
added
enhancement
waiting
JoshMcCullough
force-pushed
the
master
branch
6 times, most recently
from
a3a1f54 to
f827f54
Compare
JoshMcCullough
force-pushed
the
master
branch
25 times, most recently
from
8ad9428 to
a2e3e91
Compare
First of all, thanks for a great repository!
This PR adds the possibility to specify the JWT-token to be provided as a query string parameter:
jwt-tokenI've verified that the key is stripped from the outgoing request manually, but couldn't find a way to add this as an automatic test case in a reasonable amount of time.
Note that only after forking and creating the modifications, did I encounter a previous PR on the same topic:
#103
The same concerns regarding security of course applies, and I totally agree with that tokens should not be passed in the query string. However, I see use-cases where the trade-off concerning security would be justified. Nginx plus seems to have the same conclusion:
My use-case is to create a proxy for providing map-tiles for Leaflet from a 3rd-party tile-provider, who are behind authentication that is done by the proxy. In this case, I also want the clients to authenticate against the proxy. Providing the token in the query-string for the individual tiles greatly simplifies the application, as opposed to providing authentication-headers inside![]()
elements.
I also noticed possible bug in
as
sizeofis used for these, which returns the size of the pointer instead of the data?