From 6c1c9268e3d543f91b99cf740b703ab5667b2546 Mon Sep 17 00:00:00 2001
From: Ryan Northey
Date: Mon, 15 Jan 2024 09:26:46 +0000
Subject: [PATCH] cleanups
Signed-off-by: Ryan Northey
---
 docs/root/start/sandboxes/single-page-app.rst | 8 +++++---
 examples/single-page-app/myhub/api.py | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/docs/root/start/sandboxes/single-page-app.rst b/docs/root/start/sandboxes/single-page-app.rst
index d41430f77b19..d408748155a7 100644
--- a/docs/root/start/sandboxes/single-page-app.rst
+++ b/docs/root/start/sandboxes/single-page-app.rst
@@ -52,10 +52,12 @@ to ``true``
 .. warning::
 Setting :ref:`forward_bearer_token `
- means the provided access token will be forwarded to upstreams proxied by Envoy unless explicitly excluded.
+ means the provided access token will be forwarded to any cluster/upstreams proxied by Envoy for this HTTP filter chain..
- This can be avoided by disabling the OAuth2 filter with
- :ref:`per-route configuration `.
+ If untrusted upstreams are present, care will need to be taken to remove any sensitive cookies, such as ``BearerToken``.
+
+ This can be achieved by setting :ref:`request_headers_to_remove `
+ for the affected route.
 A dummy "Myhub" backend is provided with a minimal OAuth provider and API for use in the example.
diff --git a/examples/single-page-app/myhub/api.py b/examples/single-page-app/myhub/api.py
index 8dda891e0681..2204dc08e40b 100755
--- a/examples/single-page-app/myhub/api.py
+++ b/examples/single-page-app/myhub/api.py
@@ -17,6 +17,7 @@ from shared import Data, debug_request, TokenStorage
+logger = logging.getLogger(__name__)
 MYHUB_URL = os.environ.get("MYHUB_URL") or "http://localhost:7000" # TODO: add to app
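Review bot: The module-level `logger = logging.getLogger(__name__)` added below the `shared` import in api.py will be named `__main__` rather than after the module whenever api.py is executed directly, which the file's executable mode (100755 in the index line) suggests is the intended use. If log output is ever filtered or formatted by logger name, a fixed name would be more predictable, e.g. `logger = logging.getLogger("myhub.api")` (name chosen from the file path; adjust to the project's convention). The removed per-request logger in the `resources` hunk used the same `__name__` expression, so the move itself does not change behaviour; this is a naming observation only.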
@@ -42,7 +43,6 @@ async def resources(request):
 resource_type = request.match_info["resource"]
 debug_request(request, resource_type)
 _data = Data(pathlib.Path(os.environ["DATA_PATH"]))
- logger = logging.getLogger(__name__)
 access_token = request.cookies.get("BearerToken")
 allowed = (
 access_token