fix: reject consumer auth when secret reference fails to resolve#13667
Merged
shreemaan-abhishek merged 2 commits intoJul 8, 2026
Merged
Conversation
When a consumer auth credential uses a secret reference ($ENV:// or $secret://) that fails to resolve, the literal reference string was kept and indexed as a lookup credential, so a client could authenticate by sending that literal reference string. Fail closed in create_consume_cache: skip a consumer whose auth credential is unset or still an unresolved secret reference. Also removes a latent nil-index case.
…ntial Split the fail-closed guard so a missing credential and an unresolved secret reference log separate messages. Behavior is unchanged; keeps parity with the EE counterpart.
nic-6443
approved these changes
Jul 8, 2026
membphis
approved these changes
Jul 8, 2026
Member
|
This still needs CI confirmation before merge. The current checks show the GitHub does not expose the failed job logs yet while the workflow run is still in progress, so I cannot tell whether this is a flaky/infrastructure failure or a regression from the new test. Please inspect the logs once available, or rerun only after confirming it is unrelated. I would wait for this shard to be green, or for the failure cause to be clearly understood, before merging. |
AlinsRan
approved these changes
Jul 8, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
When a consumer authentication credential is configured with a secret reference (
$ENV://...or$secret://...) and that reference fails to resolve (env var unset, or the secret object is missing),secret.lua'sretrieve_refspreserves the literal reference string (refs[k] = fetch(v) or v).consumer.lua'screate_consume_cachethen indexes the consumer under that literal string, so a client that sends the literal reference string as its credential authenticates successfully (fail-open).Reproduced with
key-auth: a consumer withkey-auth.key = "$env://MISSING"(env unset) authenticates a request sendingapikey: $env://MISSING. The same fail-open shape affectsbasic-auth,hmac-auth, andjwt-authHS* secrets, since all route throughcreate_consume_cache.Fix
Fail closed in
create_consume_cache: skip indexing a consumer whose auth credential is unset or still an unresolved secret reference (secret.has_secret_ref(auth_conf)). Usinghas_secret_refover the wholeauth_conf(not just the lookup key) also covers plugins whose secret is not the lookup field (e.g.basic-authpassword,jwt-authHS secret). Also removes a latent nil-index case.Test
Added a
key-authregression case: a consumer whose key is an unresolved env ref, then a request sending the literal ref is rejected401. Verified it fails on the old code (returns200) and passes with the fix.Checklist