<div dir="ltr"># HG changeset patch<br># User Davood Falahati <<a href="mailto:0x0davood@gmail.com">0x0davood@gmail.com</a>><br># Date 1684446142 -7200<br>#      Thu May 18 23:42:22 2023 +0200<br># Node ID c073e545e1cdcc736f8869a012a78b2dd836eac9<br># Parent  77d5c662f3d9d9b90425128109d3369c30ef5f07<br>Proposal: add the capacity to ngx_http_auth_request_module to return external auth service response body. <div>Why do we need it? Error handling inside mobile/web clients are being disrupted on receiving 401 from external auth service. For instance, external auth service returns 401 response along with an important error message that client should read.</div><div>Why do we need to change the patch? ngx_http_auth_request_module doesn't send the external response body by design. This module intercepts the external auth_request response body and doesn't send it to the client. It lets the admin send a customized error-page, but it doesn't open and read external auth's response body.</div><div><br><div>send external auth service body response to client if auth_request_mask_body flag is off<br><br>diff -r 77d5c662f3d9 -r c073e545e1cd src/http/modules/ngx_http_auth_request_module.c<br>--- a/src/http/modules/ngx_http_auth_request_module.c    Tue Apr 18 06:28:46 2023 +0300<br>+++ b/src/http/modules/ngx_http_auth_request_module.c   Thu May 18 23:42:22 2023 +0200<br>@@ -13,6 +13,7 @@<br> typedef struct {<br>     ngx_str_t                 uri;<br>     ngx_array_t              *vars;<br>+    ngx_flag_t                mask_auth_response_body;<br> } ngx_http_auth_request_conf_t;<br> <br> <br>@@ -63,6 +64,13 @@<br>       0,<br>       NULL },<br> <br>+    { ngx_string("auth_request_mask_body"),<br>+      NGX_HTTP_LOC_CONF | NGX_CONF_TAKE1,<br>+      ngx_conf_set_flag_slot,<br>+      NGX_HTTP_LOC_CONF_OFFSET,<br>+      offsetof(ngx_http_auth_request_conf_t, mask_auth_response_body),<br>+      NULL },<br>+<br>       ngx_null_command<br> };<br> <br>@@ -106,6 +114,8 @@<br>     ngx_http_post_subrequest_t    *ps;<br>     ngx_http_auth_request_ctx_t   *ctx;<br>     ngx_http_auth_request_conf_t  *arcf;<br>+    ngx_buf_t *b;<br>+    ngx_chain_t out, *in;<br> <br>     arcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_request_module);<br> <br>@@ -140,7 +150,36 @@<br> <br>         if (ctx->status == NGX_HTTP_UNAUTHORIZED) {<br>             sr = ctx->subrequest;<br>+            /*<br>+             * send external auth service response body to the client<br>+             */<br>+            if (!arcf->mask_auth_response_body) {<br> <br>+                r->headers_out.content_type = sr->headers_out.content_type;<br>+<br>+                b = ngx_calloc_buf(r->pool);<br>+                if (b == NULL) {<br>+                   return NGX_ERROR;<br>+                }<br>+<br>+                r->headers_out.status = ctx->status;<br>+<br>+                b->last_buf = 1;<br>+                b->last_in_chain = 1;<br>+                b->memory = 1;<br>+<br>+                out.buf = b;<br>+                out.next = NULL;<br>+ <br>+                in = sr->out;<br>+                in->next = &out;<br>+<br>+                ngx_http_send_header(r);<br>+                return ngx_http_output_filter(r, in);<br>+            }<br>+<br>+            return ctx->status;<br>+        }<br>             h = sr->headers_out.www_authenticate;<br> <br>             if (!h && sr->upstream) {<br>@@ -164,8 +203,7 @@<br>                 h = h->next;<br>             }<br> <br>-            return ctx->status;<br>-        }<br>+<br> <br>         if (ctx->status >= NGX_HTTP_OK<br>             && ctx->status < NGX_HTTP_SPECIAL_RESPONSE)<br>@@ -192,9 +230,10 @@<br>     ps->handler = ngx_http_auth_request_done;<br>     ps->data = ctx;<br> <br>+<br>     if (ngx_http_subrequest(r, &arcf->uri, NULL, &sr, ps,<br>-                            NGX_HTTP_SUBREQUEST_WAITED)<br>-        != NGX_OK)<br>+                            arcf->mask_auth_response_body ? NGX_HTTP_SUBREQUEST_WAITED: <br>+                            NGX_HTTP_SUBREQUEST_IN_MEMORY) != NGX_OK)<br>     {<br>         return NGX_ERROR;<br>     }<br>@@ -209,8 +248,10 @@<br>         return NGX_ERROR;<br>     }<br> <br>-    sr->header_only = 1;<br>-<br>+    if (arcf->mask_auth_response_body)<br>+    {<br>+        sr->header_only = 1;<br>+    }<br>     ctx->subrequest = sr;<br> <br>     ngx_http_set_ctx(r, ctx, ngx_http_auth_request_module);<br>@@ -322,6 +363,7 @@<br>      */<br> <br>     conf->vars = NGX_CONF_UNSET_PTR;<br>+    conf->mask_auth_response_body = NGX_CONF_UNSET;<br> <br>     return conf;<br> }<br>@@ -335,6 +377,7 @@<br> <br>     ngx_conf_merge_str_value(conf->uri, prev->uri, "");<br>     ngx_conf_merge_ptr_value(conf->vars, prev->vars, NULL);<br>+    ngx_conf_merge_value(conf->mask_auth_response_body, prev->mask_auth_response_body,1);<br> <br>     return NGX_CONF_OK;<br> }<br></div></div></div>