
feat: response-rewrite plugin fine-grained cookie control

Open LiteSun opened this issue 3 years ago • 1 comments

Description

The response-rewrite plugin headers feature is currently overridden, resulting in cookies returned upstream being overridden by APISIX.

The add function in the last version of the response-rewrite plugin can also only append the new header to the upstream header.

We need to have more granular control over cookies to meet different user scenarios.

For example, parsing the key-value structure in the upstream set-cookie so that only the value of the key with the same name is overwritten and the upstream cookie is retained.

After talking to @spacewander, the following changes can be made to our plugin.

We can add a new cookie configuration to the response-rewrite plugin to allow cookies to be modified.

The configuration is as follows.
cookies = {
    properties = {
        set = {
            type = "object",
            minProperties = 1,
            patternProperties = {
                ["^.*$"] = {
                    properties = {
                        value = {type = "string"},
                        samesite = {enum = {"None", "Lax", "Strict"}},
                        ...
                    },
                }
            },
        },
        remove = {
            type = "array",
            minItems = 1,
            items = {
                type = "string",
                minLength = 1,
            }
        },
    },
},

The set operation modifies or adds a cookie with the given name, where value is the value of the cookie and parameters such as SameSite are additional options.
The remove operation removes the cookie with the given name.
The order of execution is set followed by remove.

For example, the following configuration would set the cookie named id to a3fWa and delete the cookie idx.
"plugins": {
    "response-rewrite": {
        "cookies": {
            "set": {
                "id": {
                    "value": "a3fWa",
                    "samesite": "Lax"
                }
            },
            "remove": [
                "idx"
            ]
        }
    }
},

The cookie manipulation will take place after the header modification, so the original header configuration is not affected.

We can implement the cookie modification function based on the following PR.
https://github.com/cloudflare/lua-resty-cookie/pull/35/files

To delete a cookie, you need to get the current Set-Cookie header, remove the one to be removed and set it back.

Thanks to @spacewander for the support.

Feel free to comment here 😊

LiteSun • Sep 19 '22 11:09
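
The set-then-remove behaviour proposed in the issue above, as an added example in plain Lua; it is not code from the issue, APISIX, or lua-resty-cookie. It assumes the upstream Set-Cookie values are already collected into an array, and the function names and the choice to keep upstream attributes such as Path and HttpOnly while replacing only SameSite are assumptions.

```lua
-- Added example: pure Lua, no ngx or APISIX APIs; function names are hypothetical.
local function cookie_name(header)
    -- "name=value; attrs" -> "name"
    return (header:match("^%s*([^=;%s]+)%s*="))
end

-- Rebuild one Set-Cookie value: new value, upstream attributes kept,
-- SameSite replaced when the config supplies one (assumed merge behaviour).
local function rewrite(header, name, opts)
    local parts = { name .. "=" .. opts.value }
    local rest = header:match("^[^;]*;(.*)$") or ""
    for attr in rest:gmatch("[^;]+") do
        attr = attr:match("^%s*(.-)%s*$")
        local is_samesite = attr:lower():match("^samesite%s*=") ~= nil
        if attr ~= "" and not (is_samesite and opts.samesite) then
            parts[#parts + 1] = attr
        end
    end
    if opts.samesite then parts[#parts + 1] = "SameSite=" .. opts.samesite end
    return table.concat(parts, "; ")
end

-- Apply cookies.set, then cookies.remove, to the upstream Set-Cookie values.
local function apply_cookies(upstream, conf)
    local out, seen, drop, kept = {}, {}, {}, {}
    for _, header in ipairs(upstream) do
        local name = cookie_name(header)
        local opts = name and conf.set and conf.set[name]
        if opts then
            seen[name] = true
            header = rewrite(header, name, opts)
        end
        out[#out + 1] = header
    end
    for name, opts in pairs(conf.set or {}) do -- cookies the upstream did not send
        if not seen[name] then out[#out + 1] = rewrite("", name, opts) end
    end
    for _, name in ipairs(conf.remove or {}) do drop[name] = true end
    for _, header in ipairs(out) do -- exact name match: removing "idx" keeps "id"
        if not drop[cookie_name(header) or ""] then kept[#kept + 1] = header end
    end
    return kept
end

-- Constructed upstream headers; conf mirrors the configuration in the issue.
local upstream = { "id=old; Path=/; HttpOnly; SameSite=None", "idx=7; Path=/", "lang=en" }
local conf = { set = { id = { value = "a3fWa", samesite = "Lax" } }, remove = { "idx" } }
for _, h in ipairs(apply_cookies(upstream, conf)) do print(h) end
```

Names are compared after parsing rather than by substring or Lua pattern, so a cookie called `id` is never confused with `idx` and pattern metacharacters in a configured name have no effect.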

> For example, parsing the key-value structure in the upstream set-cookie so that only the value of the key with the same name is overwritten and the upstream cookie is retained.

This sentence confuses me. What's the point of mentioning the upstream cookie? Cookie is a request header, but what you were describing is the response rewrite plugin.

tokers • Sep 20 '22 09:09

> > For example, parsing the key-value structure in the upstream set-cookie so that only the value of the key with the same name is overwritten and the upstream cookie is retained.
>
> This sentence confuses me. What's the point of mentioning the upstream cookie? Cookie is a request header, but what you were describing is the response rewrite plugin.

oh, it should be ..... the upstream set-cookie is retained

LiteSun • Sep 22 '22 01:09