Nginx passes Skynet-Api-Key and Authorization headers at all spots where it passes the Cookie header.

This commit is contained in:
Ivaylo Novakov 2022-03-10 18:11:37 +01:00
parent 061770a95a
commit 2db648b0ad
No known key found for this signature in database
GPG Key ID: 06B9354AB08BE9C6
5 changed files with 31 additions and 11 deletions

View File

@ -11,7 +11,11 @@ log_by_lua_block {
-- 10.10.10.70 points to accounts service (alias not available when using resty-http) -- 10.10.10.70 points to accounts service (alias not available when using resty-http)
local res, err = httpc:request_uri("http://10.10.10.70:3000/track/download/" .. skylink .. "?" .. query, { local res, err = httpc:request_uri("http://10.10.10.70:3000/track/download/" .. skylink .. "?" .. query, {
method = "POST", method = "POST",
headers = { ["Cookie"] = "skynet-jwt=" .. jwt }, headers = {
["Cookie"] = "skynet-jwt=" .. jwt,
["Authorization"] = ngx.header["Authorization"],
["Skynet-Api-Key"] = ngx.header["Skynet-Api-Key"],
},
}) })
if err or (res and res.status ~= ngx.HTTP_NO_CONTENT) then if err or (res and res.status ~= ngx.HTTP_NO_CONTENT) then

View File

@ -7,16 +7,20 @@ log_by_lua_block {
local httpc = require("resty.http").new() local httpc = require("resty.http").new()
-- based on request method we assign a registry action string used -- based on request method we assign a registry action string used
-- in track endpoint namely "read" for GET and "write" for POST -- in track endpoint namely "read" for GET and "write" for POST
local registry_action = request_method == "GET" and "read" or "write" local registry_action = request_method == "GET" and "read" or "write"
-- 10.10.10.70 points to accounts service (alias not available when using resty-http) -- 10.10.10.70 points to accounts service (alias not available when using resty-http)
local res, err = httpc:request_uri("http://10.10.10.70:3000/track/registry/" .. registry_action, { local res, err = httpc:request_uri("http://10.10.10.70:3000/track/registry/" .. registry_action, {
method = "POST", method = "POST",
headers = { ["Cookie"] = "skynet-jwt=" .. jwt }, headers = {
["Cookie"] = "skynet-jwt=" .. jwt,
["Authorization"] = ngx.header["Authorization"],
["Skynet-Api-Key"] = ngx.header["Skynet-Api-Key"],
},
}) })
if err or (res and res.status ~= ngx.HTTP_NO_CONTENT) then if err or (res and res.status ~= ngx.HTTP_NO_CONTENT) then
ngx.log(ngx.ERR, "Failed accounts service request /track/registry/" .. registry_action .. ": ", err or ("[HTTP " .. res.status .. "] " .. res.body)) ngx.log(ngx.ERR, "Failed accounts service request /track/registry/" .. registry_action .. ": ", err or ("[HTTP " .. res.status .. "] " .. res.body))
end end

View File

@ -10,7 +10,11 @@ log_by_lua_block {
-- 10.10.10.70 points to accounts service (alias not available when using resty-http) -- 10.10.10.70 points to accounts service (alias not available when using resty-http)
local res, err = httpc:request_uri("http://10.10.10.70:3000/track/upload/" .. skylink, { local res, err = httpc:request_uri("http://10.10.10.70:3000/track/upload/" .. skylink, {
method = "POST", method = "POST",
headers = { ["Cookie"] = "skynet-jwt=" .. jwt }, headers = {
["Cookie"] = "skynet-jwt=" .. jwt,
["Authorization"] = ngx.header["Authorization"],
["Skynet-Api-Key"] = ngx.header["Skynet-Api-Key"],
},
}) })
if err or (res and res.status ~= ngx.HTTP_NO_CONTENT) then if err or (res and res.status ~= ngx.HTTP_NO_CONTENT) then

View File

@ -178,7 +178,11 @@ location /skynet/registry/subscription {
-- fetch account limits and set download bandwidth and registry delays accordingly -- fetch account limits and set download bandwidth and registry delays accordingly
local res, err = httpc:request_uri("http://10.10.10.70:3000/user/limits", { local res, err = httpc:request_uri("http://10.10.10.70:3000/user/limits", {
headers = { ["Cookie"] = "skynet-jwt=" .. ngx.var.skynet_jwt } headers = {
["Cookie"] = "skynet-jwt=" .. ngx.var.skynet_jwt,
["Authorization"] = ngx.header["Authorization"],
["Skynet-Api-Key"] = ngx.header["Skynet-Api-Key"],
}
}) })
-- fail gracefully in case /user/limits failed -- fail gracefully in case /user/limits failed
@ -267,10 +271,10 @@ location /skynet/tus {
if require("skynet.account").is_access_forbidden() then if require("skynet.account").is_access_forbidden() then
return require("skynet.account").exit_access_forbidden() return require("skynet.account").exit_access_forbidden()
end end
-- get account limits of currently authenticated user -- get account limits of currently authenticated user
local limits = require("skynet.account").get_account_limits() local limits = require("skynet.account").get_account_limits()
-- apply upload size limits -- apply upload size limits
ngx.req.set_header("SkynetMaxUploadSize", limits.maxUploadSize) ngx.req.set_header("SkynetMaxUploadSize", limits.maxUploadSize)
end end

View File

@ -43,12 +43,16 @@ function _M.get_account_limits()
if ngx.var.account_limits == "" then if ngx.var.account_limits == "" then
local httpc = require("resty.http").new() local httpc = require("resty.http").new()
-- 10.10.10.70 points to accounts service (alias not available when using resty-http) -- 10.10.10.70 points to accounts service (alias not available when using resty-http)
local res, err = httpc:request_uri("http://10.10.10.70:3000/user/limits", { local res, err = httpc:request_uri("http://10.10.10.70:3000/user/limits", {
headers = { ["Cookie"] = "skynet-jwt=" .. ngx.var.skynet_jwt } headers = {
["Cookie"] = "skynet-jwt=" .. ngx.var.skynet_jwt,
["Authorization"] = ngx.header["Authorization"],
["Skynet-Api-Key"] = ngx.header["Skynet-Api-Key"],
}
}) })
-- fail gracefully in case /user/limits failed -- fail gracefully in case /user/limits failed
if err or (res and res.status ~= ngx.HTTP_OK) then if err or (res and res.status ~= ngx.HTTP_OK) then
ngx.log(ngx.ERR, "Failed accounts service request /user/limits: ", err or ("[HTTP " .. res.status .. "] " .. res.body)) ngx.log(ngx.ERR, "Failed accounts service request /user/limits: ", err or ("[HTTP " .. res.status .. "] " .. res.body))