fix: noop mutator don't overwrite session headers #1091
Codecov Report
@@ Coverage Diff @@
## master #1091 +/- ##
==========================================
- Coverage 78.24% 78.17% -0.08%
==========================================
Files 80 80
Lines 3843 3853 +10
==========================================
+ Hits 3007 3012 +5
- Misses 564 566 +2
- Partials 272 275 +3
a555a26
to
b657de3
Compare
Friendly ping @zepatrik maybe you can also have a look here.
Signed-off-by: David van der Spek <vanderspek.david@gmail.com>
Signed-off-by: David van der Spek <vanderspek.david@gmail.com>
b657de3
to
206e1e1
Compare
Sorry for the long review, this LGTM!
No problem at all :)
This PR changes the noop mutator so that it doesn't overwrite the current session headers with the request headers.

When using the remote_json authorizer, it is possible to configure headers returned by the remote authorizer that will be forwarded to upstream services with the forward_response_headers_to_upstream field. This effectively allows the authorizer to also act as a mutator. Since rules must contain a mutator, if no further mutations need to be performed you would specify the noop mutator. However, since the noop mutator is setting the session headers to be equal to the request headers, this effectively overwrites the headers set by the remote_json authorizer.
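The behaviour described in the PR text above, as an added Go sketch that is not code from this pull request or from the project: a simplified pipeline in which an authorizer places an allow-listed response header on the session and a noop mutator then runs. The `Session` type, the function names, the `X-Tenant` header and its values are hypothetical, and the merge rule in `noopPreserve` (existing session headers win) is an assumption about one way to preserve them.

```go
package main

import (
	"fmt"
	"net/http"
)

// Session is a simplified, hypothetical stand-in for the pipeline session.
type Session struct{ Header http.Header }

// authorize models remote_json with forward_response_headers_to_upstream:
// only allow-listed headers from the authorizer response reach the session.
func authorize(s *Session, resp http.Header, forward []string) {
	for _, name := range forward {
		if v := resp.Get(name); v != "" {
			s.Header.Set(name, v)
		}
	}
}

// noopOverwrite reproduces the behaviour the PR describes as the problem.
func noopOverwrite(r *http.Request, s *Session) {
	s.Header = r.Header
}

// noopPreserve keeps headers already on the session and adds only request
// headers that are not set yet (assumed merge rule).
func noopPreserve(r *http.Request, s *Session) {
	for name, values := range r.Header {
		if _, set := s.Header[name]; !set {
			s.Header[name] = append([]string(nil), values...)
		}
	}
}

// run executes authorizer then mutator and returns the X-Tenant value that
// would be sent upstream. All header values are constructed sample data.
func run(mutate func(*http.Request, *Session)) string {
	r := &http.Request{Header: http.Header{}}
	r.Header.Set("X-Tenant", "client-supplied")
	resp := http.Header{"X-Tenant": {"tenant-42"}}
	s := &Session{Header: http.Header{}}
	authorize(s, resp, []string{"X-Tenant"})
	mutate(r, s)
	return s.Header.Get("X-Tenant")
}

func main() {
	fmt.Println("overwrite:", run(noopOverwrite))
	fmt.Println("preserve: ", run(noopPreserve))
}
```

With the overwriting variant the upstream sees the value from the incoming request rather than the one the authorizer returned, which matters when upstream services treat forwarded headers as authoritative.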