Fix require_success ignoring body active value

m7moud · m7moud · commit 6292c217d1f9 · 2020-11-30T19:33:43.000+01:00
diff --git a/README.md b/README.md
@@ -15,11 +15,13 @@ Plugin is protecting Kong API service/route with introspection of Oauth2.0 JWT a
 | `config.client_id`                | | **Required**. Client ID |
 | `config.client_secret`            | | **Required**. Client secret |
 | `config.token_header`             | Authorization | Name of api-request header containing access token |
-| `config.token_query`              | token | Name of query parameter containing access token |
+| `config.token_query`              | token | Name of query parameter containing access token, only if `token_header` value was missing |
 | `config.require_success`          | true | Require a successful introspection before proxying the request, if false `token_header` existance will not be required |
 | `config.token_cache_time`         | 0 | Cache TTL for every token introspection result(0 - no cache) |
 | `config.introspection_map`        | | External introspection response `body` and `headers` mapped to request headers, also `static` for fixed strings |
 
 ## How to install
 
-**1.1.0** `luarocks install https://raw.githubusercontent.com/medwing/kong-token-introspection/master/access-token-introspection-1.1.0-0.rockspec`
+**1.1.0** `luarocks install https://raw.githubusercontent.com/medwing/kong-token-introspection/v1.1.0/access-token-introspection-1.1.0-0.rockspec`
+
+**1.1.1** `luarocks install https://raw.githubusercontent.com/medwing/kong-token-introspection/v1.1.1/access-token-introspection-1.1.1-0.rockspec`
diff --git a/access-token-introspection-1.1.1-0.rockspec b/access-token-introspection-1.1.1-0.rockspec
@@ -1,9 +1,9 @@
 package = "access-token-introspection"
-version = "1.1.0-0"
+version = "1.1.1-0"
 
 source = {
   url = "git://github.com/medwing/kong-token-introspection",
-  tag = "v1.1.0"
+  tag = "v1.1.1"
 }
 
 description = {
diff --git a/kong/plugins/access-token-introspection/access.lua b/kong/plugins/access-token-introspection/access.lua
@@ -24,7 +24,7 @@ function _M.introspect_access_token_req(access_token)
     })
 
     if not res then
-        return { status = 0 }
+        return nil
     end
 
     return {
@@ -45,8 +45,7 @@ function _M.introspect_access_token(access_token)
             _M.error_response("Unexpected error: " .. err, ngx.HTTP_INTERNAL_SERVER_ERROR)
         end
         -- not 200 response status isn't valid for normal caching
-        -- TODO:optimisation
-        if res.status ~= 200 then
+        if not res or res.status ~= 200 then
             kong.cache:invalidate(cache_id)
         end
 
@@ -81,7 +80,7 @@ function _M.run(conf)
         _M.error_response("Authorization server error.", ngx.HTTP_INTERNAL_SERVER_ERROR)
     end
 
-    if _M.conf.require_success and res.status ~= 200 then
+    if _M.conf.require_success and (res.status ~= 200 or res.body["active"] ~= true) then
         _M.error_response("The resource owner or authorization server denied the request.", ngx.HTTP_UNAUTHORIZED)
     end
 
