fix(forward-auth): re-frame buffered POST body for the auth request #13642

Open
shreemaan-abhishek wants to merge 1 commit into apache:master from shreemaan-abhishek:forward-auth-buffered-body-framing

@shreemaan-abhishek
Contributor

Description

When forward-auth is configured with request_method: POST, the plugin buffers the client request body and re-sends it as a whole to the auth service. However, it also copied the client's Transfer-Encoding, Content-Length and Expect headers verbatim into the auth request.

Once the body has been read it is de-chunked and buffered, so those framing headers no longer describe the bytes actually sent. In particular, a client using Transfer-Encoding: chunked caused the auth service to receive a Transfer-Encoding: chunked request whose body was not chunk-framed, leaving the auth request internally inconsistent.

These framing headers were originally added when the body was streamed to the auth service via a body reader (#10589). That streaming path was later reverted to a buffered body (#12404), but the header copy was left behind and no longer matches the buffered send.

This change keeps only Content-Encoding (which still applies to the buffered bytes, since nginx does not decode request content-encoding) and lets the HTTP client set a fresh, correct Content-Length for the buffered body. Transfer-Encoding, Content-Length and Expect are no longer forwarded from the client on the POST path.

Which issue(s) this PR fixes:

Fixes #

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)

The POST path buffers the client body and re-sends it as a whole to the
auth service, but still forwarded the client Transfer-Encoding,
Content-Length and Expect headers. After the body is de-chunked and
buffered those framing headers no longer match, so the auth service can
receive a Transfer-Encoding: chunked request whose body is not
chunk-framed. Only keep Content-Encoding, which still applies to the
buffered bytes, and let the http client set a fresh Content-Length.

dosubot (bot) added the labels size:M (This PR changes 30-99 lines, ignoring generated files.) and bug (Something isn't working) on Jul 1, 2026

Copilot AI left a comment

Pull request overview

This PR fixes an inconsistency in the forward-auth plugin when request_method: POST is used with a buffered request body by stopping the plugin from copying client-side framing headers (Transfer-Encoding, Content-Length, Expect) into the auth subrequest, and adding a regression test to ensure chunked client POSTs are re-framed correctly for the auth request.

Changes:

  • Stop forwarding client Transfer-Encoding / Content-Length / Expect headers on the POST auth-request path; keep only Content-Encoding.
  • Add a test route that captures what framing headers the auth service actually receives.
  • Add a regression test that sends a chunked POST and asserts the auth service does not see Transfer-Encoding: chunked.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File | Description
apisix/plugins/forward-auth.lua | Removes forwarding of framing headers for buffered POST auth requests (keeps Content-Encoding).
t/plugin/forward-auth.t | Adds regression coverage for chunked POST re-framing behavior seen by the auth endpoint.

Comment thread apisix/plugins/forward-auth.lua
Comment thread t/plugin/forward-auth.t
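
An added illustration (not code from this PR or from APISIX) of the mismatch the description explains: once a chunked body has been de-chunked and buffered, the copied Transfer-Encoding header no longer describes the bytes, while a fresh Content-Length does. All function names and the sample request are constructed for the example, and the explicit Content-Length stands in for the value the description says the HTTP client sets.

```python
# Added illustration; every name below is hypothetical, not APISIX code.
FRAMING = {"transfer-encoding", "content-length", "expect"}

def dechunk(raw: bytes) -> bytes:
    """Decode a chunked body into the plain bytes a buffering proxy holds."""
    body, pos = b"", 0
    while True:
        eol = raw.index(b"\r\n", pos)            # ValueError if no size line
        token = raw[pos:eol].split(b";")[0]      # chunk extensions ignored
        if not token or token.strip(b"0123456789abcdefABCDEF"):
            raise ValueError("bad chunk size")
        size = int(token, 16)
        if size == 0:
            return body                          # trailers are not parsed
        start = eol + 2
        body += raw[start:start + size]
        if raw[start + size:start + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos = start + size + 2

def headers_verbatim(client: dict) -> dict:
    """Pre-fix behaviour from the description: framing headers copied as-is."""
    return dict(client)

def headers_reframed(client: dict, body: bytes) -> dict:
    """Drop client framing headers and describe the buffered bytes instead."""
    out = {k: v for k, v in client.items() if k.lower() not in FRAMING}
    out["Content-Length"] = str(len(body))  # assumption: set explicitly here
    return out

def framing_consistent(headers: dict, body: bytes) -> bool:
    """True if the framing headers actually describe `body`."""
    h = {k.lower(): v for k, v in headers.items()}
    if "chunked" in h.get("transfer-encoding", "").lower():
        try:
            dechunk(body)
            return True
        except ValueError:
            return False
    return h.get("content-length") == str(len(body))

# Constructed sample: a chunked client POST as it arrives on the wire.
CLIENT_HEADERS = {"Transfer-Encoding": "chunked", "Expect": "100-continue"}
WIRE_BODY = b'7\r\n{"user"\r\n9\r\n:"alice"}\r\n0\r\n\r\n'
BUFFERED = dechunk(WIRE_BODY)  # what the gateway holds after reading the body

if __name__ == "__main__":
    print(framing_consistent(headers_verbatim(CLIENT_HEADERS), BUFFERED))  # False
    print(framing_consistent(headers_reframed(CLIENT_HEADERS, BUFFERED), BUFFERED))  # True
```

The same `framing_consistent` check can back a regression assertion on what an auth endpoint receives, which is the kind of coverage the review summary describes.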