feat(key-auth) skip authenticating preflight OPTIONS requests #1535
Conversation
ecmendenhall
changed the title
| if ngx.req.get_method() == OPTIONS then | ||
| return | ||
| end | ||
|
|
There was a problem hiding this comment.
I'm not an expert on this, but this completely disables the key-auth for options requests. Shouldn't this at least be configurable?
There was a problem hiding this comment.
In principle, I don't think OPTIONS requests should be authenticated. In practice, upstream APIs probably handle OPTIONS differently, so maybe there's a case for making this configurable. I'd be interested in other opinions here, I'm not sure!
There was a problem hiding this comment.
I don't think there is ever a point in authenticating OPTIONS requests... Could be wrong, would love to see a use-case for it.
It would be worth adding a debug log when this plugin receives an OPTIONS request maybe?
There was a problem hiding this comment.
Considering this comment and linked question I'd prefer a defensive approach; make it an option and default to authenticating OPTIONS requests.
thibaultcha
added
the
pr/changes requested
|
Marked as incomplete for now until comments are addressed + configuration capability for this behavior, as discussed. |
thibaultcha
changed the title
ecmendenhall
force-pushed
the
fix/key-auth-cors-options-requests
branch
2 times, most recently
from
30d7542 to
0efc446
Compare
Preflight OPTIONS requests explicitly exclude user credentials and custom headers. The key-auth plugin should not attempt to authenticate OPTIONS requests, since browsers will strip Kong's apiKey header. Fix Kong#1292
ecmendenhall
force-pushed
the
fix/key-auth-cors-options-requests
branch
from
0efc446 to
6e13a15
Compare
new config variable authenticate_preflight to control whether or not to authenticate OPTIONS requests.
nicksamps
force-pushed
the
fix/key-auth-cors-options-requests
branch
from
a75ab8f to
7b75b71
Compare
|
Just a thought; instead of calling the option As in; or; |
|
@ecmendenhall if we can get this PR updated by today we can include it in 0.9.1 |
thibaultcha
added
pr/status/needs review
and removed
pr/changes requested
|
any updates? |
p0pr0ck5
added
pr/changes requested
|
@ecmendenhall can you please rebase your PR? There are a number of merge conflicts here. Thanks! |
|
Going to close this, as the PR is stale and cannot be merged currently. Thanks for the initial contribution and discussion! In the future, Kong's plugin architecture will likely be adjusted and expanded such that authentication plugins will already have this sort of logic built in, so that individual plugins do not need to worry about handling this logic. For now, one could workaround this by creating a separate API that forwards to the same upstream, handling only OPTIONS requests, that does not have this plugin enabled. Thank you again for the initial thought for the patch here! |
|
@p0pr0ck5 Hi Robert! Just want to say that upgrading to 0.10.x and setting up a separate API for OPTIONS requests worked perfectly for us. I think it's a much better solution anyways. Thanks for the suggestion! |
|
Awesome, thanks for the report! |
|
Hi guys, is setting up a seperate api still the way to go? Should the cors plugin be used instead? |
Summary
Preflight OPTIONS requests explicitly exclude user credentials and custom headers. The key-auth plugin should not attempt to authenticate OPTIONS requests, since browsers will strip Kong's
apiKeyheader.(Worked on this one with @nicksamps)
Full changelog
KeyAuthHandler:access, short-circuit auth if type is "OPTIONS."Issues resolved
Fix #1292