Files
2026-07-13 12:32:21 +08:00

301 lines
8.8 KiB
Lua

local typedefs = require "kong.db.schema.typedefs"
local Schema = require "kong.db.schema"
local get_rand_bytes = require("kong.tools.rand").get_rand_bytes
local char = string.char
local rand = math.random
local encode_base64 = ngx.encode_base64
local same_site = Schema.define {
type = "string",
description = "Determines whether and how a cookie may be sent with cross-site requests.",
default = "Strict",
one_of = {
"Strict",
"Lax",
"None",
"Default",
},
}
local headers = Schema.define({
type = "set",
description = "List of information to include, as headers, in the response to the downstream.",
elements = {
type = "string",
one_of = {
"id",
"audience",
"subject",
"timeout",
"idling-timeout",
"rolling-timeout",
"absolute-timeout",
},
},
})
local logout_methods = Schema.define({
type = "set",
description = "A set of HTTP methods that the plugin will respond to.",
elements = {
type = "string",
one_of = { "GET", "POST", "DELETE" },
},
default = { "POST", "DELETE" },
})
--- kong.rand.random_string with 32 bytes instead
-- @returns random string of length 44
local function random_string()
return encode_base64(get_rand_bytes(32, true))
:gsub("/", char(rand(48, 57))) -- 0 - 10
:gsub("+", char(rand(65, 90))) -- A - Z
:gsub("=", char(rand(97, 122))) -- a - z
end
return {
name = "session",
fields = {
{ consumer = typedefs.no_consumer },
{ protocols = typedefs.protocols },
{
config = {
type = "record",
fields = {
{
secret = {
description = "The secret that is used in keyed HMAC generation.",
type = "string",
required = false,
default = random_string(),
encrypted = true, -- Kong Enterprise Exclusive. This does nothing in Kong CE
referenceable = true,
},
},
{
storage = {
description =
"Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.",
type = "string",
one_of = { "cookie", "kong" },
default = "cookie"
}
},
{
audience = {
description =
"The session audience, which is the intended target application. For example `\"my-application\"`.",
type = "string",
default = "default"
}
},
{
idling_timeout = {
description = "The session cookie idle time, in seconds.",
type = "number",
default = 900
}
},
{
rolling_timeout = {
description =
"The session cookie rolling timeout, in seconds. Specifies how long the session can be used until it needs to be renewed.",
type = "number",
default = 3600
}
},
{
absolute_timeout = {
description =
"The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid.",
type = "number",
default = 86400
}
},
{
stale_ttl = {
description =
"The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.",
type = "number",
default = 10
}
},
{
cookie_name = {
description = "The name of the cookie.",
type = "string",
default = "session"
}
},
{
cookie_path = {
description = "The resource in the host where the cookie is available.",
type = "string",
default = "/"
}
},
{
cookie_domain = {
description = "The domain with which the cookie is intended to be exchanged.",
type = "string"
}
},
{
cookie_same_site = same_site,
},
{
cookie_http_only = {
description =
"Applies the `HttpOnly` tag so that the cookie is sent only to a server.",
type = "boolean",
default = true
}
},
{
cookie_secure = {
description =
"Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.",
type = "boolean",
default = true
}
},
{
remember = {
description = "Enables or disables persistent sessions.",
type = "boolean",
default = false
}
},
{
remember_cookie_name = {
description = "Persistent session cookie name. Use with the `remember` configuration parameter.",
type = "string",
default = "remember"
}
},
{
remember_rolling_timeout = {
description = "The persistent session rolling timeout window, in seconds.",
type = "number",
default = 604800
}
},
{
remember_absolute_timeout = {
description = "The persistent session absolute timeout limit, in seconds.",
type = "number",
default = 2592000
}
},
{ response_headers = headers },
{ request_headers = headers },
{ read_body_for_logout = { type = "boolean", default = false } },
{ logout_methods = logout_methods },
{
logout_query_arg = {
description = "The query argument passed to logout requests.",
type = "string",
default = "session_logout"
}
},
{
logout_post_arg = {
description = "The POST argument passed to logout requests. Do not change this property.",
type = "string",
default = "session_logout"
}
},
{
hash_subject = {
description = "Whether to hash or not the subject when store_metadata is enabled.",
type = "boolean",
default = false
}
},
{
store_metadata = {
description =
"Whether to also store metadata of sessions, such as collecting data of sessions for a specific audience belonging to a specific subject.",
type = "boolean",
default = false
}
},
},
shorthand_fields = {
-- TODO: deprecated forms, to be removed in Kong 4.0
{
cookie_lifetime = {
type = "number",
func = function(value)
return { rolling_timeout = value }
end,
},
},
{
cookie_idletime = {
type = "number",
func = function(value)
if value == nil or value == ngx.null then
value = 0
end
return { idling_timeout = value }
end,
},
},
{
cookie_renew = {
type = "number",
func = function()
-- session library 4.0.0 calculates this
ngx.log(ngx.INFO, "[session] cookie_renew option does not exists anymore")
end,
},
},
{
cookie_discard = {
type = "number",
func = function(value)
return { stale_ttl = value }
end,
}
},
{
cookie_samesite = {
type = "string",
func = function(value)
if value == "off" then
value = "Lax"
end
return { cookie_same_site = value }
end,
},
},
{
cookie_httponly = {
type = "boolean",
func = function(value)
return { cookie_http_only = value }
end,
},
},
{
cookie_persistent = {
type = "boolean",
func = function(value)
return { remember = value }
end,
}
},
},
},
},
},
}