bug: key-auth plugin is not working as expected
### Current Behavior
I have created 2 routes - one for GET and one for POST. Both have the same URI. I have attached the key-auth plugin to both routes and used 2 different keys for the paths.
Here are the paths:
```
{
  "total": 2,
  "list": [
    {
      "key": "/apisix/routes/anythingGET",
      "modifiedIndex": 934,
      "createdIndex": 918,
      "value": {
        "methods": [
          "GET"
        ],
        "update_time": 1724333443,
        "id": "anythingGET",
        "plugins": {
          "key-auth": {
            "query": "apikey",
            "key": "my-key1",
            "header": "apikey",
            "hide_credentials": false
          }
        },
        "status": 1,
        "service_id": "1",
        "create_time": 1724332383,
        "priority": 0,
        "upstream_id": "anythingGET",
        "uri": "/anything/*"
      }
    },
    {
      "key": "/apisix/routes/anythingPOST",
      "modifiedIndex": 938,
      "createdIndex": 922,
      "value": {
        "methods": [
          "POST"
        ],
        "update_time": 1724333443,
        "id": "anythingPOST",
        "plugins": {
          "key-auth": {
            "query": "apikey",
            "key": "my-key2",
            "header": "apikey",
            "hide_credentials": false
          }
        },
        "status": 1,
        "service_id": "1",
        "create_time": 1724332383,
        "priority": 0,
        "upstream_id": "anythingPOST",
        "uri": "/anything/*"
      }
    }
  ]
}
```
When I test the API for the GET call, both keys are working.
Expected result, only my-key1 should work.
```
curl --location 'http://127.0.0.1:9080/anything/1' \
--header 'apikey: my-key2'
```
- WORKING (NOT expected)
```
curl --location 'http://127.0.0.1:9080/anything/1' \
--header 'apikey: my-key1'
```
- WORKING (as expected)
```
curl --location 'http://127.0.0.1:9080/anything/1' \
--header 'apikey: my-key3'
```
- NOT WORKING (as expected)
### Expected Behavior
Only the specific apikey should work
### Error Logs
_No response_
### Steps to Reproduce
1. create 2 routes with the same URI, but different HTTP verbs
2. add key-auth plugins to them with different keys for different verbs
3. test the APIs, the keys will work for both verbs
### Environment
- APISIX version (run `apisix version`): 3.9.1
- Operating system (run `uname -a`):
Linux aabdc6e863e8 6.4.16-linuxkit #1 SMP PREEMPT_DYNAMIC Thu Nov 16 10:55:59 UTC 2023 x86_64 GNU/Linux
- OpenResty / Nginx version (run `openresty -V` or `nginx -V`):
nginx version: openresty/1.25.3.1
built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
built with OpenSSL 3.2.0 23 Nov 2023
- etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`): NA
- APISIX Dashboard version, if relevant: NA
- Plugin runner version, for issues related to plugin runners: NA
- LuaRocks version, for installation issues (run `luarocks --version`): NA
Update: I tried changing the service ID to unique ones with plugins -
```
{
  "key": "/apisix/services/anythingGET",
  "modifiedIndex": 948,
  "createdIndex": 939,
  "value": {
    "plugins": {
      "key-auth": {
        "query": "apikey",
        "key": "my-key1",
        "header": "apikey",
        "hide_credentials": false
      }
    },
    "create_time": 1724335693,
    "update_time": 1724335849,
    "id": "anythingGET"
  }
},
{
  "key": "/apisix/services/anythingPOST",
  "modifiedIndex": 947,
  "createdIndex": 943,
  "value": {
    "plugins": {
      "key-auth": {
        "query": "apikey",
        "key": "my-key2",
        "header": "apikey",
        "hide_credentials": false
      }
    },
    "create_time": 1724335693,
    "update_time": 1724335837,
    "id": "anythingPOST"
  }
}
```
Consumers -
```
{
  "total": 2,
  "list": [
    {
      "key": "/apisix/consumers/anythingGET",
      "modifiedIndex": 940,
      "createdIndex": 684,
      "value": {
        "plugins": {
          "key-auth": {
            "key": "my-key1"
          }
        },
        "username": "anythingGET",
        "update_time": 1724335693,
        "create_time": 1724240495
      }
    },
    {
      "key": "/apisix/consumers/anythingPOST",
      "modifiedIndex": 944,
      "createdIndex": 687,
      "value": {
        "plugins": {
          "key-auth": {
            "key": "my-key2"
          }
        },
        "username": "anythingPOST",
        "update_time": 1724335693,
        "create_time": 1724240495
      }
    }
  ]
}
```
Routes -
```
{
  "total": 2,
  "list": [
    {
      "key": "/apisix/routes/anythingGET",
      "modifiedIndex": 942,
      "createdIndex": 918,
      "value": {
        "methods": [
          "GET"
        ],
        "update_time": 1724335693,
        "id": "anythingGET",
        "plugins": {
          "key-auth": {
            "query": "apikey",
            "key": "my-key1",
            "header": "apikey",
            "hide_credentials": false
          }
        },
        "status": 1,
        "service_id": "anythingGET",
        "create_time": 1724332383,
        "priority": 0,
        "upstream_id": "anythingGET",
        "uri": "/anything/*"
      }
    },
    {
      "key": "/apisix/routes/anythingPOST",
      "modifiedIndex": 946,
      "createdIndex": 922,
      "value": {
        "methods": [
          "POST"
        ],
        "update_time": 1724335694,
        "id": "anythingPOST",
        "plugins": {
          "key-auth": {
            "query": "apikey",
            "key": "my-key2",
            "header": "apikey",
            "hide_credentials": false
          }
        },
        "status": 1,
        "service_id": "anythingPOST",
        "create_time": 1724332383,
        "priority": 0,
        "upstream_id": "anythingPOST",
        "uri": "/anything/*"
      }
    }
  ]
}
```
Still the bug is seen
Perhaps you can use the consumer-restriction plugin to implement your requirements. https://apisix.apache.org/docs/apisix/plugins/consumer-restriction/
@ronething For example?
If there is still a problem, please open it again.
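The consumer-restriction suggestion above, written out as an added example (not from the thread or the APISIX project): a route body for `anythingGET` that keeps key-auth for authentication and adds consumer-restriction so that only the consumer named `anythingGET` (key `my-key1`) is admitted. It assumes the consumers listed earlier in the thread and relies on key-auth accepting the key of any configured consumer, with `key` being a consumer-side attribute, which is why `key` is left out of the route's key-auth block here.

```json
{
  "methods": ["GET"],
  "uri": "/anything/*",
  "upstream_id": "anythingGET",
  "plugins": {
    "key-auth": {
      "header": "apikey",
      "query": "apikey",
      "hide_credentials": false
    },
    "consumer-restriction": {
      "whitelist": ["anythingGET"]
    }
  }
}
```

The `anythingPOST` route takes the same body with `"methods": ["POST"]`, `"upstream_id": "anythingPOST"` and `"whitelist": ["anythingPOST"]`. A request that authenticates as a consumer outside the whitelist is then rejected by consumer-restriction (403 by default) instead of reaching the upstream.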