fix: clear authz related headers for Katsu public endpoints

bento-platform · Aug 5, 2024 · da22a6e · da22a6e
1 parent 320d6f8
commit da22a6e
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/src/proxy_auth_v2.lua b/src/proxy_auth_v2.lua
@@ -67,6 +67,11 @@ if req_method == "GET" and (
   req_uri_no_qp == "/api/metadata/api/public_dataset" or
   req_uri_no_qp == "/api/metadata/api/public_rules"
 ) then
+  -- Clear possible Katsu authorization injections for old remote user middleware
+  ngx.req.clear_header("X-User")
+  ngx.req.clear_header("X-User-Role")
+  ngx.req.clear_header("X-Authorization")
+
   goto script_end
 end