fix(attach-consumer-label): always drop client-supplied configured headers#13590
Open
shreemaan-abhishek wants to merge 2 commits into
Open
fix(attach-consumer-label): always drop client-supplied configured headers#13590shreemaan-abhishek wants to merge 2 commits into
shreemaan-abhishek wants to merge 2 commits into
Conversation
dosubot
Bot
added
the
size:M
… e2e test Clear the configured headers only on the no-label early-return path and keep a single set loop when labels exist (the set already overwrites any client-supplied value). Replace the direct before_proxy unit test with an end-to-end request that asserts the client-supplied header is absent from what the upstream actually receives.
dosubot
Bot
added
size:L
nic-6443
approved these changes
Jun 23, 2026
membphis
approved these changes
Jun 23, 2026
AlinsRan
approved these changes
Jun 24, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
The
attach-consumer-labelplugin sets configured headers (e.g.X-Consumer-Role: $role) from the authenticated consumer's labels so Upstream services can rely on the gateway-set value. It is meant to overwrite any value a client sent for those header names, so the Upstream only ever sees the gateway-set value.Today that overwrite only happens when the consumer has a non-empty
labelsmap.before_proxyreturns early whenctx.consumeris absent orctx.consumer.labelsisnil, so a client-supplied value of a configured header (e.g. an inboundX-Consumer-Role) is forwarded to the Upstream unchanged instead of being cleared.labelsis optional, and a consumer created without it stores nolabelsfield at all, i.e.nil— this is the default, common state. A consumer that was created with labels and later updated without them also ends up withlabels = nil. Both cases hit the early return and skip the overwrite. (A consumer that has labels is unaffected even when the referenced key is missing, because the loop then sets the header tonil.) So the gap applies to the ordinary no-labels population, not a rare edge case.This change clears every configured header name when the consumer has no labels, so the Upstream only ever sees the gateway-set value. When the consumer has labels, the existing set loop already overwrites any client-supplied value, so a single pass suffices. This matches the existing behavior of sibling plugins such as
forward-auth,opa, andopenid-connect, which clear their managed headers.An end-to-end test case (TEST 16/17) is added: it authenticates a consumer that has no labels, sends a client-supplied copy of a configured header, and asserts via
/print_request_receivedthat the header is absent from what the Upstream actually receives. It fails before this change and passes after. Docs are updated to state that a client-supplied value of a configured header is always removed first.Which issue(s) this PR fixes:
Fixes #
Checklist