feat: release 2.13.1

CHANGELOG.md

@@ -23,6 +23,7 @@ title: Changelog
 
 ## Table of Contents
 
+- [2.13.1](#2131)
 - [2.13.0](#2130)
 - [2.12.1](#2121)
 - [2.12.0](#2120)
@@ -54,6 +55,13 @@ title: Changelog
 - [0.7.0](#070)
 - [0.6.0](#060)
 
+## 2.13.1
+
+### Bugfix
+
+- fix: jwt-auth error may leak secret [#6846](https://github.com/apache/apisix/pull/6846)
+- chore: upgrade lua-resty-jwt to a new version [#6847](https://github.com/apache/apisix/pull/6847)
+
 ## 2.13.0
 
 ### Change

apisix/core/version.lua

@@ -20,5 +20,5 @@
 -- @module core.version
 
 return {
-    VERSION = "2.13.0"
+    VERSION = "2.13.1"
 }

apisix/plugins/jwt-auth.lua

@@ -361,7 +361,8 @@ function _M.rewrite(conf, ctx)
     local jwt_obj = jwt:load_jwt(jwt_token)
     core.log.info("jwt object: ", core.json.delay_encode(jwt_obj))
     if not jwt_obj.valid then
-        return 401, {message = jwt_obj.reason}
+        core.log.error("JWT token invalid: ", jwt_obj.reason)
+        return 401, {message = "JWT token invalid"}
     end
 
     local user_key = jwt_obj.payload and jwt_obj.payload.key
@@ -392,7 +393,8 @@ function _M.rewrite(conf, ctx)
     core.log.info("jwt object: ", core.json.delay_encode(jwt_obj))
 
     if not jwt_obj.verified then
-        return 401, {message = jwt_obj.reason}
+        core.log.error("JWT token verify failed: ", jwt_obj.reason)
+        return 401, {message = "JWT token verify failed"}
     end
 
     consumer_mod.attach_consumer(ctx, consumer, consumer_conf)

apisix/utils/batch-processor.lua

@@ -148,7 +148,7 @@ function batch_processor:new(func, config)
         return nil, err
     end
 
-    if not(type(func) == "function") then
+    if type(func) ~= "function" then
         return nil, "Invalid argument, arg #1 must be a function"
     end
 

docs/en/latest/config.json

@@ -1,5 +1,5 @@
 {
-  "version": "2.13.0",
+  "version": "2.13.1",
   "sidebar": [
     {
       "type": "category",

docs/en/latest/how-to-build.md

@@ -97,10 +97,10 @@ Follow the steps below to install Apache APISIX via the source release package.
   curl https://raw.githubusercontent.com/apache/apisix/master/utils/install-dependencies.sh -sL | bash -
   ```
 
-2. Create a directory named `apisix-2.13.0`.
+2. Create a directory named `apisix-2.13.1`.
 
   ```shell
-  APISIX_VERSION='2.13.0'
+  APISIX_VERSION='2.13.1'
   mkdir apisix-${APISIX_VERSION}
   ```
 
@@ -162,7 +162,7 @@ Follow the steps below to install Apache APISIX via the source release package.
 
 #### LTS version installation via Source Release Package
 
-The [current LTS version](https://apisix.apache.org/downloads/) of Apache APISIX is `2.13.0`.
+The [current LTS version](https://apisix.apache.org/downloads/) of Apache APISIX is `2.13.1`.
 
 To install this version, set `APISIX_VERSION` in [Installation via Source Release Package](#installation-via-source-release-package) to this version and continue with the other steps.
 

docs/zh/latest/CHANGELOG.md

@@ -23,6 +23,7 @@ title: CHANGELOG
 
 ## Table of Contents
 
+- [2.13.1](#2131)
 - [2.13.0](#2130)
 - [2.12.1](#2121)
 - [2.12.0](#2120)
@@ -54,6 +55,13 @@ title: CHANGELOG
 - [0.7.0](#070)
 - [0.6.0](#060)
 
+## 2.13.1
+
+### Bugfix
+
+- 修复 jwt-auth 返回结果里可能暴露 secret 的问题 [#6846](https://github.com/apache/apisix/pull/6846)
+- 升级 lua-resty-jwt 到一个新版本 [#6847](https://github.com/apache/apisix/pull/6847)
+
 ## 2.13.0
 
 ### Change

docs/zh/latest/config.json

@@ -1,5 +1,5 @@
 {
-  "version": "2.13.0",
+  "version": "2.13.1",
   "sidebar": [
     {
       "type": "category",

docs/zh/latest/how-to-build.md

@@ -93,10 +93,10 @@ sudo yum install ./apisix/*.rpm
   curl https://raw.githubusercontent.com/apache/apisix/master/utils/install-dependencies.sh -sL | bash -
   ```
 
-2. 创建一个名为 `apisix-2.13.0` 的目录。
+2. 创建一个名为 `apisix-2.13.1` 的目录。
 
   ```shell
-  APISIX_VERSION='2.13.0'
+  APISIX_VERSION='2.13.1'
   mkdir apisix-${APISIX_VERSION}
   ```
 
@@ -158,7 +158,7 @@ sudo yum install ./apisix/*.rpm
 
 #### 通过源码包安装 LTS 版本
 
-目前 Apache APISIX 的 LTS 版本为 `2.13.0`，将“[通过源码包安装](#通过源码包安装)”中的 `APISIX_VERSION` 设置成该版本号，其他步骤按顺序进行即可。
+目前 Apache APISIX 的 LTS 版本为 `2.13.1`，将“[通过源码包安装](#通过源码包安装)”中的 `APISIX_VERSION` 设置成该版本号，其他步骤按顺序进行即可。
 
 ## 步骤2：安装 etcd
 

rockspec/apisix-2.13.1-0.rockspec

@@ -0,0 +1,100 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements.  See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License.  You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+
+package = "apisix"
+version = "2.13.1-0"
+supported_platforms = {"linux", "macosx"}
+
+source = {
+    url = "git://github.com/apache/apisix",
+    branch = "2.13.1",
+}
+
+description = {
+    summary = "Apache APISIX is a cloud-native microservices API gateway, delivering the ultimate performance, security, open source and scalable platform for all your APIs and microservices.",
+    homepage = "https://github.com/apache/apisix",
+    license = "Apache License 2.0",
+}
+
+dependencies = {
+    "lua-resty-ctxdump = 0.1-0",
+    "lua-resty-dns-client = 6.0.2",
+    "lua-resty-template = 2.0",
+    "lua-resty-etcd = 1.6.0",
+    "api7-lua-resty-http = 0.2.0",
+    "lua-resty-balancer = 0.04",
+    "lua-resty-ngxvar = 0.5.2",
+    "lua-resty-jit-uuid = 0.0.7",
+    "lua-resty-healthcheck-api7 = 2.2.0",
+    "lua-resty-jwt = 0.2.0",
+    "lua-resty-hmac-ffi = 0.05",
+    "lua-resty-cookie = 0.1.0",
+    "lua-resty-session = 2.24",
+    "opentracing-openresty = 0.1",
+    "lua-resty-radixtree = 2.8.1",
+    "lua-protobuf = 0.3.4",
+    "lua-resty-openidc = 1.7.2-1",
+    "luafilesystem = 1.7.0-2",
+    "api7-lua-tinyyaml = 0.4.2",
+    "nginx-lua-prometheus = 0.20220127",
+    "jsonschema = 0.9.8",
+    "lua-resty-ipmatcher = 0.6.1",
+    "lua-resty-kafka = 0.07",
+    "lua-resty-logger-socket = 2.0-0",
+    "skywalking-nginx-lua = 0.6.0",
+    "base64 = 1.5-2",
+    "binaryheap = 0.4",
+    "api7-dkjson = 0.1.1",
+    "resty-redis-cluster = 1.02-4",
+    "lua-resty-expr = 1.3.1",
+    "graphql = 0.0.2",
+    "argparse = 0.7.1-1",
+    "luasocket = 3.0rc1-2",
+    "luasec = 0.9-1",
+    "lua-resty-consul = 0.3-2",
+    "penlight = 1.9.2-1",
+    "ext-plugin-proto = 0.4.0",
+    "casbin = 1.26.0",
+    "api7-snowflake = 2.0-1",
+    "inspect == 3.1.1",
+    "lualdap = 1.2.6-1",
+    "lua-resty-rocketmq = 0.3.0-0",
+    "opentelemetry-lua = 0.1-3",
+    "net-url = 0.9-1",
+    "xml2lua = 1.5-2",
+}
+
+build = {
+    type = "make",
+    build_variables = {
+        CFLAGS="$(CFLAGS)",
+        LIBFLAG="$(LIBFLAG)",
+        LUA_LIBDIR="$(LUA_LIBDIR)",
+        LUA_BINDIR="$(LUA_BINDIR)",
+        LUA_INCDIR="$(LUA_INCDIR)",
+        LUA="$(LUA)",
+        OPENSSL_INCDIR="$(OPENSSL_INCDIR)",
+        OPENSSL_LIBDIR="$(OPENSSL_LIBDIR)",
+    },
+    install_variables = {
+        ENV_INST_PREFIX="$(PREFIX)",
+        ENV_INST_BINDIR="$(BINDIR)",
+        ENV_INST_LIBDIR="$(LIBDIR)",
+        ENV_INST_LUADIR="$(LUADIR)",
+        ENV_INST_CONFDIR="$(CONFDIR)",
+    },
+}

rockspec/apisix-master-0.rockspec

@@ -40,7 +40,7 @@ dependencies = {
     "lua-resty-ngxvar = 0.5.2",
     "lua-resty-jit-uuid = 0.0.7",
     "lua-resty-healthcheck-api7 = 2.2.0",
-    "lua-resty-jwt = 0.2.0",
+    "api7-lua-resty-jwt = 0.2.4",
     "lua-resty-hmac-ffi = 0.05",
     "lua-resty-cookie = 0.1.0",
     "lua-resty-session = 2.24",

t/plugin/jwt-auth.t

@@ -214,7 +214,9 @@ GET /hello
 GET /hello?jwt=invalid-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2Mzg3MDUwMX0.pPNVvh-TQsdDzorRwa-uuiLYiEBODscp9wv0cwD6c68
 --- error_code: 401
 --- response_body
-{"message":"invalid header: invalid-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"}
+{"message":"JWT token invalid"}
+--- error_log
+JWT token invalid: invalid header: invalid-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
 
 
 
@@ -223,7 +225,9 @@ GET /hello?jwt=invalid-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtl
 GET /hello?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2Mzg3MDUwMX0.pPNVvh-TQsdDzorRwa-uuiLYiEBODscp9wv0cwD6c68
 --- error_code: 401
 --- response_body
-{"message":"'exp' claim expired at Tue, 23 Jul 2019 08:28:21 GMT"}
+{"message":"JWT token verify failed"}
+--- error_log
+JWT token verify failed: 'exp' claim expired at Tue, 23 Jul 2019 08:28:21 GMT
 
 
 
@@ -274,7 +278,9 @@ GET /hello
 Authorization: bearer invalid-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs
 --- error_code: 401
 --- response_body
-{"message":"invalid header: invalid-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"}
+{"message":"JWT token invalid"}
+--- error_log
+JWT token invalid: invalid header: invalid-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
 
 
 
@@ -425,7 +431,9 @@ hello world
 GET /hello?jwt=invalid-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2Mzg3MDUwMX0.pPNVvh-TQsdDzorRwa-uuiLYiEBODscp9wv0cwD6c68
 --- error_code: 401
 --- response_body
-{"message":"invalid header: invalid-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"}
+{"message":"JWT token invalid"}
+--- error_log
+JWT token invalid: invalid header: invalid-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
 
 
 
@@ -436,7 +444,9 @@ GET /hello
 Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs
 --- error_code: 401
 --- response_body
-{"message":"signature mismatch: fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs"}
+{"message":"JWT token verify failed"}
+--- error_log
+JWT token verify failed: signature mismatch: fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs