feat: add support for extra_headers in forward-auth plugin (#12405)

Revolyssup · web-flow · commit eed93f315c91 · 2025-07-14T12:35:21.000+05:30
diff --git a/apisix/plugins/forward-auth.lua b/apisix/plugins/forward-auth.lua
@@ -15,9 +15,12 @@
 -- limitations under the License.
 --
 
-local ipairs = ipairs
-local core   = require("apisix.core")
-local http   = require("resty.http")
+local ipairs   = ipairs
+local core     = require("apisix.core")
+local http     = require("resty.http")
+local pairs    = pairs
+local type     = type
+local tostring = tostring
 
 local schema = {
     type = "object",
@@ -41,6 +44,20 @@ local schema = {
             items = {type = "string"},
             description = "client request header that will be sent to the authorization service"
         },
+        extra_headers = {
+            type = "object",
+            minProperties = 1,
+            patternProperties = {
+                ["^[^:]+$"] = {
+                    type = "string",
+                    description = "header value as a string; may contain variables"
+                                  .. "like $remote_addr, $request_uri"
+                }
+            },
+            description = "extra headers sent to the authorization service; "
+                        .. "values must be strings and can include variables"
+                        .. "like $remote_addr, $request_uri."
+        },
         upstream_headers = {
             type = "array",
             default = {},
@@ -102,6 +119,22 @@ function _M.access(conf, ctx)
         auth_headers["Content-Encoding"] = core.request.header(ctx, "content-encoding")
     end
 
+    if conf.extra_headers then
+        for header, value in pairs(conf.extra_headers) do
+            if type(value) == "number" then
+                value = tostring(value)
+            end
+            local resolve_value, err = core.utils.resolve_var(value, ctx.var)
+            if not err then
+                auth_headers[header] = resolve_value
+            end
+            if err then
+                core.log.error("failed to resolve variable in extra header '",
+                                header, "': ",value,": ",err)
+            end
+        end
+    end
+
     -- append headers that need to be get from the client request header
     if #conf.request_headers > 0 then
         for _, header in ipairs(conf.request_headers) do
diff --git a/docs/en/latest/plugins/forward-auth.md b/docs/en/latest/plugins/forward-auth.md
@@ -40,8 +40,9 @@ This Plugin moves the authentication and authorization logic to a dedicated exte
 | ----------------- | ------------- | -------- | ------- | -------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | uri               | string        | True     |         |                | URI of the authorization service.                                                                                                                          |
 | ssl_verify        | boolean       | False    | true    |                | When set to `true`, verifies the SSL certificate.                                                                                                          |
-| request_method    | string        | False    | GET     | ["GET","POST"] | HTTP method for a client to send requests to the authorization service. When set to `POST` the request body is send to the authorization service.          |
+| request_method    | string        | False    | GET     | ["GET","POST"] | HTTP method for a client to send requests to the authorization service. When set to `POST` the request body is sent to the authorization service. (not recommended - see section on [Using data from POST body](#using-data-from-post-body-to-make-decision-on-authorization-service)) |
 | request_headers   | array[string] | False    |         |                | Client request headers to be sent to the authorization service. If not set, only the headers provided by APISIX are sent (for example, `X-Forwarded-XXX`). |
+| extra_headers   |object | False    |         |                | Extra headers to be sent to the authorization service passed in key-value format. The value can be a variable like `$request_uri`, `$post_arg.xyz` |
 | upstream_headers  | array[string] | False    |         |                | Authorization service response headers to be forwarded to the Upstream. If not set, no headers are forwarded to the Upstream service.                      |
 | client_headers    | array[string] | False    |         |                | Authorization service response headers to be sent to the client when authorization fails. If not set, no headers will be sent to the client.               |
 | timeout           | integer       | False    | 3000ms  | [1, 60000]ms   | Timeout for the authorization service HTTP call.                                                                                                           |
@@ -166,6 +167,110 @@ HTTP/1.1 403 Forbidden
 Location: http://example.com/auth
 ```
 
+### Using data from POST body to make decision on Authorization service
+
+::: note
+When the decision is to be made on the basis of POST body, then it is recommended to use `$post_arg.*` with `extra_headers` field and make the decision on Authorization service on basis of headers rather than using POST `request_method` to pass the entire request body to Authorization service.
+:::
+
+Create a serverless function on the `/auth` route that checks for the presence of the `tenant_id` header. If present, the route responds with HTTP 200 and sets the `X-User-ID` header to a fixed value `i-am-an-user`. If `tenant_id` is missing, it returns HTTP 400 with an error message.
+
+```shell
+curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/auth' \
+    -H "X-API-KEY: $admin_key" \
+    -H 'Content-Type: application/json' \
+    -d '{
+    "uri": "/auth",
+    "plugins": {
+        "serverless-pre-function": {
+            "phase": "rewrite",
+            "functions": [
+                "return function(conf, ctx)
+                 local core = require(\"apisix.core\")
+                 if core.request.header(ctx, \"tenant_id\") then
+                     core.response.set_header(\"X-User-ID\", \"i-am-an-user\");
+                     core.response.exit(200);
+                else
+                    core.response.exit(400, \"tenant_id is required\")
+                end
+            end"
+            ]
+        }
+    }
+}'
+```
+
+Create a route that accepts POST requests and uses the `forward-auth` plugin to call the auth endpoint with the `tenant_id` from the request. The request is forwarded to the upstream service only if the auth check returns 200.
+
+```shell
+curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/1' \
+    -H "X-API-KEY: $admin_key" \
+    -d '{
+    "uri": "/post",
+    "methods": ["POST"],
+    "plugins": {
+        "forward-auth": {
+            "uri": "http://127.0.0.1:9080/auth",
+            "request_method": "GET",
+            "extra_headers": {"tenant_id": "$post_arg.tenant_id"}
+        }
+    },
+    "upstream": {
+        "nodes": {
+            "httpbin.org:80": 1
+        },
+        "type": "roundrobin"
+    }
+}'
+```
+
+Send a POST request with the `tenant_id` header:
+
+```shell
+curl -i http://127.0.0.1:9080/post -X POST -d '{
+   "tenant_id": 123
+}'
+```
+
+You should receive an `HTTP/1.1 200 OK` response similar to the following:
+
+```json
+{
+  "args": {},
+  "data": "",
+  "files": {},
+  "form": {
+    "{\n   \"tenant_id\": 123\n}": ""
+  },
+  "headers": {
+    "Accept": "*/*",
+    "Content-Length": "23",
+    "Content-Type": "application/x-www-form-urlencoded",
+    "Host": "127.0.0.1",
+    "User-Agent": "curl/8.13.0",
+    "X-Amzn-Trace-Id": "Root=1-686b6e3f-2fdeff70183e71551f5c5729",
+    "X-Forwarded-Host": "127.0.0.1"
+  },
+  "json": null,
+  "origin": "127.0.0.1, 106.215.83.33",
+  "url": "http://127.0.0.1/post"
+}
+```
+
+Send a POST request without the `tenant_id` header:
+
+```shell
+ curl -i http://127.0.0.1:9080/post -X POST -d '{
+   "abc": 123
+}'
+```
+
+You should receive an `HTTP/1.1 400 Bad Request` response with the following message:
+
+```shell
+tenant_id is required
+```
+
 ## Delete Plugin
 
 To remove the `forward-auth` Plugin, you can delete the corresponding JSON configuration from the Plugin configuration. APISIX will automatically reload and you do not have to restart for this to take effect.
diff --git a/docs/zh/latest/plugins/forward-auth.md b/docs/zh/latest/plugins/forward-auth.md
@@ -39,8 +39,9 @@ description: 本文介绍了关于 Apache APISIX `forward-auth` 插件的基本
 | ----------------- | ------------- | ------| ------- | -------------- | -------------------------------------------------------------------------------------------------------------------- |
 | uri               | string        | 是    |         |                | 设置 `authorization` 服务的地址 (例如：https://localhost:9188)。                                                      |
 | ssl_verify        | boolean       | 否    | true    | [true, false]  | 当设置为 `true` 时，验证 SSL 证书。                                                                                  |
-| request_method    | string        | 否    | GET     | ["GET","POST"] | 客户端向 `authorization` 服务发送请求的方法。当设置为 POST 时，会将 `request body` 转发至 `authorization` 服务。         |
+| request_method    | string        | 否    | GET     | ["GET","POST"] | 客户端向 authorization 服务发送请求的方法。当设置为 POST 时，会将 request body 转发至 authorization 服务。         |
 | request_headers   | array[string] | 否    |         |                | 设置需要由客户端转发到 `authorization` 服务的请求头。如果没有设置，则只发送 APISIX 提供的 headers (例如：X-Forwarded-XXX)。 |
+| extra_headers   |object | False    |         |                | 以键值格式传递给授权服务的额外标头。值可以是变量，例如“$request_uri”或“$post_arg.xyz”。 |
 | upstream_headers  | array[string] | 否    |         |                | 认证通过时，设置 `authorization` 服务转发至 `upstream` 的请求头。如果不设置则不转发任何请求头。                             |
 | client_headers    | array[string] | 否    |         |                | 认证失败时，由 `authorization` 服务向 `client` 发送的响应头。如果不设置则不转发任何响应头。                                |
 | timeout           | integer       | 否    | 3000ms  | [1, 60000]ms   | `authorization` 服务请求超时时间。                                                                                     |
@@ -168,6 +169,110 @@ HTTP/1.1 403 Forbidden
 Location: http://example.com/auth
 ```
 
+### Using data from POST body to make decision on Authorization service
+
+::: note
+当要根据 POST 正文做出决定时，建议使用带有 `extra_headers` 字段的 `$post_arg.*` 并根据标头对授权服务做出决定，而不是使用 POST `request_method` 将整个请求正文传递给授权服务。
+:::
+
+在 `/auth` 路由上创建一个无服务器函数，用于检查 `tenant_id` 标头是否存在。如果存在，路由会使用 HTTP 200 进行响应，并将 `X-User-ID` 标头设置为固定值 `i-am-an-user`。如果缺少 `tenant_id`，则会返回 HTTP 400 和错误消息。
+
+```shell
+curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/auth' \
+    -H "X-API-KEY: $admin_key" \
+    -H 'Content-Type: application/json' \
+    -d '{
+    "uri": "/auth",
+    "plugins": {
+        "serverless-pre-function": {
+            "phase": "rewrite",
+            "functions": [
+                "return function(conf, ctx)
+                 local core = require(\"apisix.core\")
+                 if core.request.header(ctx, \"tenant_id\") then
+                     core.response.set_header(\"X-User-ID\", \"i-am-an-user\");
+                     core.response.exit(200);
+                else
+                    core.response.exit(400, \"tenant_id is required\")
+                end
+            end"
+            ]
+        }
+    }
+}'
+```
+
+创建一个接受 POST 请求的路由，并使用 `forward-auth` 插件通过请求中的 `tenant_id` 调用身份验证端点。只有当身份验证检查返回 200 时，请求才会转发到上游服务。
+
+```shell
+curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/1' \
+    -H "X-API-KEY: $admin_key" \
+    -d '{
+    "uri": "/post",
+    "methods": ["POST"],
+    "plugins": {
+        "forward-auth": {
+            "uri": "http://127.0.0.1:9080/auth",
+            "request_method": "GET",
+            "extra_headers": {"tenant_id": "$post_arg.tenant_id"}
+        }
+    },
+    "upstream": {
+        "nodes": {
+            "httpbin.org:80": 1
+        },
+        "type": "roundrobin"
+    }
+}'
+```
+
+发送带有 `tenant_id` 标头的 POST 请求：
+
+```shell
+curl -i http://127.0.0.1:9080/post -X POST -d '{
+   "tenant_id": 123
+}'
+```
+
+您应该收到类似以下内容的 `HTTP/1.1 200 OK` 响应：
+
+```json
+{
+  "args": {},
+  "data": "",
+  "files": {},
+  "form": {
+    "{\n   \"tenant_id\": 123\n}": ""
+  },
+  "headers": {
+    "Accept": "*/*",
+    "Content-Length": "23",
+    "Content-Type": "application/x-www-form-urlencoded",
+    "Host": "127.0.0.1",
+    "User-Agent": "curl/8.13.0",
+    "X-Amzn-Trace-Id": "Root=1-686b6e3f-2fdeff70183e71551f5c5729",
+    "X-Forwarded-Host": "127.0.0.1"
+  },
+  "json": null,
+  "origin": "127.0.0.1, 106.215.83.33",
+  "url": "http://127.0.0.1/post"
+}
+```
+
+发送不带 `tenant_id` 标头的 POST 请求：
+
+```shell
+ curl -i http://127.0.0.1:9080/post -X POST -d '{
+   "abc": 123
+}'
+```
+
+您应该收到包含以下消息的 `HTTP/1.1 400 Bad Request` 响应：
+
+```shell
+tenant_id is required
+```
+
 ## 删除插件
 
 当你需要禁用 `forward-auth` 插件时，可以通过以下命令删除相应的 JSON 配置，APISIX 将会自动重新加载相关配置，无需重启服务：
diff --git a/t/plugin/forward-auth.t b/t/plugin/forward-auth.t
