Add preprocessing to headers before running filter #2327
Comments
|
What do you think about merging both solution options into something like this? {
"feature": {
"network": {
"incoming": {
"mode": "steal",
"http_filter": {
"header_filter": {
"preprocess": "(base64|jwt)",
"jsonPath": "user.email", # optional, default filter to regex if not present
"filter": "[email protected]"
[...]
} |
|
In terms of flexibility/customization it is a nice option, but would make the filter display (in |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Following https://discord.com/channels/933706914808889356/1222476910370750534
User has a case where there's JWT passing as a header, and they want to filter based on the content of the base64-encoded JWT.
Possible solutions
Preprocess base64 only
In this solution, we split
header_filterintoSimplevsAdvancedwhere in advanced user can specify what kind of preprocessing to do to a specific value of a header name. The filter then is running against the value only.Example:
{ "feature": { "network": { "incoming": { "mode": "steal", "http_filter": { "header_filter": { "preprocess": "base64", "name": "X-Auth-Claims", "filter": "email.+example.com" } } } } }, }Drawbacks
JWT Specific filter
In this solution, we add a new option under
http_filtercalledjwt_filter.The
jwt_filteraccepts a header to obtain the JWT header name to be used, then aJSONPathfor value to filter, and regex to run against the value.Example:
{ "feature": { "network": { "incoming": { "mode": "steal", "http_filter": { "jwt_filter": { "header_name": "X-Auth-Claims", "key": "user.email", "filter": "[email protected]$" } } } } } }Would filter when JWT has the following format (after decoding):
{"user": {"email": "[email protected]"}}Drawbacks
The text was updated successfully, but these errors were encountered: