response-rewrite rewrite the response from apisix

[liuxiran]

Issue description

Environment

• apisix version (cmd: apisix version): latest master branch
• OS: Fedora32

Minimal test code / Steps to reproduce the issue

1. Create a route, enable key-auth and response-rewrite plugins

$ curl http://127.0.0.1:9080/apisix/admin/routes -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X POST -d '{"uri": "/get","methods": ["GET"],"upstream": {"type": "roundrobin","nodes": {"httpbin.org:443": 1}},"plugins": {"proxy-rewrite": {"uri": "\/get","scheme": "https"},"key-auth": {},"response-rewrite": {"status_code": 200,"body": "{\"code\": 200, \"msg\": \"success\"}"}}}'

2. Create a consumer, enable key-auth plugin with key:auth-one

$ curl http://127.0.0.1:9080/apisix/admin/consumers/2  -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT  -d '{"username": "jack","plugins": {"key-auth": {"key": "auth-one"}}}'

3. Access the route /get with the right key

$ curl http://127.0.0.1:9080/get -H 'apikey:auth-one'
{"code": 200, "msg": "success"}

4. Access the route /get without the key

$ curl http://127.0.0.1:9080/get
{"code": 200, "msg": "success"}

What's the expected result?

When perform step4, the request did not pass the authentication, and it should not be sent to upstream service, the expected result would be {"message":"Missing API key found in request"} returned by apisix.

[idbeta]

I think it’s because of the priority of the plugins, response-rewrite is executed last.

[imjoey]

@liuxiran @idbeta In this situation, we could interrupt the execution of the current request. Maybe calling ngx.exit(ngx.HTTP_UNAUTHORIZED) with a customize error message is a good choice.

[imjoey]

I have the same issue. Here is the error log:

2020/11/11 16:12:42 [error] 79187#10158440: *778 attempt to set status 401 via ngx.exit after sending out the response status 200, client: 127.0.0.1, server: , request: "GET /get HTTP/1.1", host: "127.0.0.1:9080"

[Miss-you]

ngx.exit will interrupt the execution of the current request and return status code to Nginx.

However, if you execute ngx.exit during the access phase, it only interrupts the request processing phase, and the response phase will still process it, i.e. if you configure the response-rerite plugin, it will force overwriting of your response information (e.g. rsp code).

[imjoey]

ngx.exit will interrupt the execution of the current request and return status code to Nginx.

However, if you execute ngx.exit during the access phase, it only interrupts the request processing phase, and the response phase will still process it, i.e. if you configure the response-rerite plugin, it will force overwriting of your response information (e.g. rsp code).

@Miss-you your explanation is lifesaving. Much appreciated.

[liuxiran]

ngx.exit will interrupt the execution of the current request and return status code to Nginx.

However, if you execute ngx.exit during the access phase, it only interrupts the request processing phase, and the response phase will still process it, i.e. if you configure the response-rerite plugin, it will force overwriting of your response information (e.g. rsp code).

Thanks for your instructions @Miss-you , we will try to feedback to the issue you mentioned after further digestion.

So the above problem I think is not a bug, it may considered as an enhancement that response rewrite only rewrite the response comes from upstream.

[Miss-you]

done
#2721