Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OAuth plugin returns Unexpected error #1710

Closed
nevalla opened this issue Oct 5, 2016 · 5 comments · Fixed by #1915
Closed

OAuth plugin returns Unexpected error #1710

nevalla opened this issue Oct 5, 2016 · 5 comments · Fixed by #1915
Labels
plugins/oauth2

Comments

@nevalla
Copy link

nevalla commented Oct 5, 2016
edited
Loading

Summary

When trying to do a GET request to an OAuth secured API with Content-Type: application/json header, Kong returns "An unexpected error occurred" with status 500. Don't see any errors on the logs. Other values than application/json work as expected.

Steps To Reproduce

  1. Create an API
  2. Add OAuth plugin
  3. Create GET request with Content-Type: application/json header

Additional Details & Logs

  • Kong version 0.9.1, 0.9.2
@Tieske
Copy link
Member

Tieske commented Oct 5, 2016

Does it also happen with 0.9.2?

@nevalla
Copy link
Author

nevalla commented Oct 5, 2016

Just tested and answer is yes

@mleace
Copy link

mleace commented Oct 5, 2016

Trouble is in that Kong tries to parse request body as application/json using CJSON module and it fails (empty body is not valid JSON) - see plugins/oauth2/access.lua, line 96.

IMO, in general Kong should return HTTP status 400 Bad Request when it fails to parse body instead of 500 (as it is a client error, not server's). Empty body is a special case, and I would suggest checking Content-Length header is greater than 0 before trying to parse the body - so that empty-body request will pass regardless of Content-Type.

@edwardjrp
Copy link

edwardjrp commented Oct 7, 2016
edited
Loading

Kong version kong/0.9.1.

I got into the same issue. Content-Type can be sent on any type of request (i.e. POST, GET,PUT, etc) thats the normal behavior for a RESTful api. This just identify that everything being sent is JSON format.

The code is assuming that if content type is application/json then is a request with a body.

On GET request there is no body so when the Content-Type is set it will get a nil because there is not body in it, plugins/oauth2/access.lua:97: bad argument #1 to 'decode' (string expected, got nil).

A possibility for improvement is accepting application/json content-type regardless and ignore body request params for the http methods that don't have one like (GET, COPY, HEAD, PURGE and UNLOCK)

@eddmann
Copy link
Contributor

eddmann commented Nov 29, 2016

We have encountered this problem to and I have published a PR which should hopefully address the issue: #1853

As a temporary measure we have added a custom nginx config. which includes the following before kong does it's access invocation.

location / {
    // ...

    lua_need_request_body on;

    access_by_lua_block {
        local content_type = ngx.req.get_headers()["Content-Type"]
        local is_json_request = content_type and string.find(string.lower(content_type), "application/json", nil, true)
        if is_json_request and ngx.req.get_body_data() == nil then
            ngx.req.set_body_data("{}")
        end

        kong.access()
    }

    // ...
}

@subnetmarco subnetmarco mentioned this issue Dec 21, 2016
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
plugins/oauth2
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

hotfix(oauth2) safely parse body even when empty Kong/kong
7 participants
@nevalla @edwardjrp @eddmann @bungle @Tieske @thibaultcha @mleace