Nginx passes Skynet-Api-Key and Authorization headers at all spots where it passes the Cookie header.

2022-03-10 18:11:37 +01:00 · 2022-03-10 18:11:37 +01:00 · 2db648b0ad
parent 061770a95a
commit 2db648b0ad
5 changed files with 31 additions and 11 deletions
--- a/docker/nginx/conf.d/include/track-download
+++ b/docker/nginx/conf.d/include/track-download
@ -11,7 +11,11 @@ log_by_lua_block {
            -- 10.10.10.70 points to accounts service (alias not available when using resty-http)
            local res, err = httpc:request_uri("http://10.10.10.70:3000/track/download/" .. skylink .. "?" .. query, {
                method = "POST",
-                headers = { ["Cookie"] = "skynet-jwt=" .. jwt },
+                headers = {
+                    ["Cookie"] = "skynet-jwt=" .. jwt,
+                    ["Authorization"] = ngx.header["Authorization"],
+                    ["Skynet-Api-Key"] = ngx.header["Skynet-Api-Key"],
+                },
            })

            if err or (res and res.status ~= ngx.HTTP_NO_CONTENT) then
--- a/docker/nginx/conf.d/include/track-registry
+++ b/docker/nginx/conf.d/include/track-registry
@ -7,16 +7,20 @@ log_by_lua_block {

            local httpc = require("resty.http").new()

-            -- based on request method we assign a registry action string used 
+            -- based on request method we assign a registry action string used
            -- in track endpoint namely "read" for GET and "write" for POST
            local registry_action = request_method == "GET" and "read" or "write"

            -- 10.10.10.70 points to accounts service (alias not available when using resty-http)
            local res, err = httpc:request_uri("http://10.10.10.70:3000/track/registry/" .. registry_action, {
                method = "POST",
-                headers = { ["Cookie"] = "skynet-jwt=" .. jwt },
+                headers = {
+                    ["Cookie"] = "skynet-jwt=" .. jwt,
+                    ["Authorization"] = ngx.header["Authorization"],
+                    ["Skynet-Api-Key"] = ngx.header["Skynet-Api-Key"],
+                },
            })
-            
+
            if err or (res and res.status ~= ngx.HTTP_NO_CONTENT) then
                ngx.log(ngx.ERR, "Failed accounts service request /track/registry/" .. registry_action .. ": ", err or ("[HTTP " .. res.status .. "] " .. res.body))
            end
--- a/docker/nginx/conf.d/include/track-upload
+++ b/docker/nginx/conf.d/include/track-upload
@ -10,7 +10,11 @@ log_by_lua_block {
            -- 10.10.10.70 points to accounts service (alias not available when using resty-http)
            local res, err = httpc:request_uri("http://10.10.10.70:3000/track/upload/" .. skylink, {
                method = "POST",
-                headers = { ["Cookie"] = "skynet-jwt=" .. jwt },
+                headers = {
+                    ["Cookie"] = "skynet-jwt=" .. jwt,
+                    ["Authorization"] = ngx.header["Authorization"],
+                    ["Skynet-Api-Key"] = ngx.header["Skynet-Api-Key"],
+                },
            })

            if err or (res and res.status ~= ngx.HTTP_NO_CONTENT) then
--- a/docker/nginx/conf.d/server/server.api
+++ b/docker/nginx/conf.d/server/server.api
@ -178,7 +178,11 @@ location /skynet/registry/subscription {

            -- fetch account limits and set download bandwidth and registry delays accordingly
            local res, err = httpc:request_uri("http://10.10.10.70:3000/user/limits", {
-                headers = { ["Cookie"] = "skynet-jwt=" .. ngx.var.skynet_jwt }
+                headers = {
+                    ["Cookie"] = "skynet-jwt=" .. ngx.var.skynet_jwt,
+                    ["Authorization"] = ngx.header["Authorization"],
+                    ["Skynet-Api-Key"] = ngx.header["Skynet-Api-Key"],
+                }
            })

            -- fail gracefully in case /user/limits failed
@ -267,10 +271,10 @@ location /skynet/tus {
            if require("skynet.account").is_access_forbidden() then
                return require("skynet.account").exit_access_forbidden()
            end
-            
+
            -- get account limits of currently authenticated user
            local limits = require("skynet.account").get_account_limits()
-        
+
            -- apply upload size limits
            ngx.req.set_header("SkynetMaxUploadSize", limits.maxUploadSize)
        end
--- a/docker/nginx/libs/skynet/account.lua
+++ b/docker/nginx/libs/skynet/account.lua
@ -43,12 +43,16 @@ function _M.get_account_limits()

    if ngx.var.account_limits == "" then
        local httpc = require("resty.http").new()
-        
+
        -- 10.10.10.70 points to accounts service (alias not available when using resty-http)
        local res, err = httpc:request_uri("http://10.10.10.70:3000/user/limits", {
-            headers = { ["Cookie"] = "skynet-jwt=" .. ngx.var.skynet_jwt }
+            headers = {
+                ["Cookie"] = "skynet-jwt=" .. ngx.var.skynet_jwt,
+                ["Authorization"] = ngx.header["Authorization"],
+                ["Skynet-Api-Key"] = ngx.header["Skynet-Api-Key"],
+            }
        })
-        
+
        -- fail gracefully in case /user/limits failed
        if err or (res and res.status ~= ngx.HTTP_OK) then
            ngx.log(ngx.ERR, "Failed accounts service request /user/limits: ", err or ("[HTTP " .. res.status .. "] " .. res.body))