Welcome! Log In Create A New Profile

Advanced

auth request body mask/unmask proposal

Davood Falahati
May 18, 2023 06:08PM
# HG changeset patch
# User Davood Falahati <0x0davood@gmail.com>
# Date 1684446142 -7200
# Thu May 18 23:42:22 2023 +0200
# Node ID c073e545e1cdcc736f8869a012a78b2dd836eac9
# Parent 77d5c662f3d9d9b90425128109d3369c30ef5f07
Proposal: add the capacity to ngx_http_auth_request_module to return
external auth service response body.
Why do we need it? Error handling inside mobile/web clients are being
disrupted on receiving 401 from external auth service. For instance,
external auth service returns 401 response along with an important error
message that client should read.
Why do we need to change the patch? ngx_http_auth_request_module doesn't
send the external response body by design. This module intercepts the
external auth_request response body and doesn't send it to the client. It
lets the admin send a customized error-page, but it doesn't open and read
external auth's response body.

send external auth service body response to client if
auth_request_mask_body flag is off

diff -r 77d5c662f3d9 -r c073e545e1cd
src/http/modules/ngx_http_auth_request_module.c
--- a/src/http/modules/ngx_http_auth_request_module.c Tue Apr 18 06:28:46
2023 +0300
+++ b/src/http/modules/ngx_http_auth_request_module.c Thu May 18 23:42:22
2023 +0200
@@ -13,6 +13,7 @@
typedef struct {
ngx_str_t uri;
ngx_array_t *vars;
+ ngx_flag_t mask_auth_response_body;
} ngx_http_auth_request_conf_t;


@@ -63,6 +64,13 @@
0,
NULL },

+ { ngx_string("auth_request_mask_body"),
+ NGX_HTTP_LOC_CONF | NGX_CONF_TAKE1,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_auth_request_conf_t, mask_auth_response_body),
+ NULL },
+
ngx_null_command
};

@@ -106,6 +114,8 @@
ngx_http_post_subrequest_t *ps;
ngx_http_auth_request_ctx_t *ctx;
ngx_http_auth_request_conf_t *arcf;
+ ngx_buf_t *b;
+ ngx_chain_t out, *in;

arcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_request_module);

@@ -140,7 +150,36 @@

if (ctx->status == NGX_HTTP_UNAUTHORIZED) {
sr = ctx->subrequest;
+ /*
+ * send external auth service response body to the client
+ */
+ if (!arcf->mask_auth_response_body) {

+ r->headers_out.content_type = sr->headers_out.content_type;
+
+ b = ngx_calloc_buf(r->pool);
+ if (b == NULL) {
+ return NGX_ERROR;
+ }
+
+ r->headers_out.status = ctx->status;
+
+ b->last_buf = 1;
+ b->last_in_chain = 1;
+ b->memory = 1;
+
+ out.buf = b;
+ out.next = NULL;
+
+ in = sr->out;
+ in->next = &out;
+
+ ngx_http_send_header(r);
+ return ngx_http_output_filter(r, in);
+ }
+
+ return ctx->status;
+ }
h = sr->headers_out.www_authenticate;

if (!h && sr->upstream) {
@@ -164,8 +203,7 @@
h = h->next;
}

- return ctx->status;
- }
+

if (ctx->status >= NGX_HTTP_OK
&& ctx->status < NGX_HTTP_SPECIAL_RESPONSE)
@@ -192,9 +230,10 @@
ps->handler = ngx_http_auth_request_done;
ps->data = ctx;

+
if (ngx_http_subrequest(r, &arcf->uri, NULL, &sr, ps,
- NGX_HTTP_SUBREQUEST_WAITED)
- != NGX_OK)
+ arcf->mask_auth_response_body ?
NGX_HTTP_SUBREQUEST_WAITED:
+ NGX_HTTP_SUBREQUEST_IN_MEMORY) != NGX_OK)
{
return NGX_ERROR;
}
@@ -209,8 +248,10 @@
return NGX_ERROR;
}

- sr->header_only = 1;
-
+ if (arcf->mask_auth_response_body)
+ {
+ sr->header_only = 1;
+ }
ctx->subrequest = sr;

ngx_http_set_ctx(r, ctx, ngx_http_auth_request_module);
@@ -322,6 +363,7 @@
*/

conf->vars = NGX_CONF_UNSET_PTR;
+ conf->mask_auth_response_body = NGX_CONF_UNSET;

return conf;
}
@@ -335,6 +377,7 @@

ngx_conf_merge_str_value(conf->uri, prev->uri, "");
ngx_conf_merge_ptr_value(conf->vars, prev->vars, NULL);
+ ngx_conf_merge_value(conf->mask_auth_response_body,
prev->mask_auth_response_body,1);

return NGX_CONF_OK;
}
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

auth request body mask/unmask proposal

Davood Falahati 188 May 18, 2023 06:08PM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 133
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready