From 4d61aae1789e42b1d77a502d702b55e2c8755585 Mon Sep 17 00:00:00 2001 From: Elizabeth Martin Campos Date: Sat, 23 Nov 2024 18:53:18 +0100 Subject: [PATCH] Replace auth cache key generation Lua impl with NJS impl --- rootfs/etc/nginx/js/nginx/ngx_conf_rewrite_auth.js | 7 +++++++ rootfs/etc/nginx/template/nginx.tmpl | 9 +++++---- test/e2e/settings/global_external_auth.go | 6 +----- 3 files changed, 13 insertions(+), 9 deletions(-) create mode 100644 rootfs/etc/nginx/js/nginx/ngx_conf_rewrite_auth.js diff --git a/rootfs/etc/nginx/js/nginx/ngx_conf_rewrite_auth.js b/rootfs/etc/nginx/js/nginx/ngx_conf_rewrite_auth.js new file mode 100644 index 0000000000..aa45fe2cae --- /dev/null +++ b/rootfs/etc/nginx/js/nginx/ngx_conf_rewrite_auth.js @@ -0,0 +1,7 @@ +const crypto = require('crypto'); + +function cache_key(req) { + return crypto.createHash('sha1').update(req.variables.tmp_cache_key).digest('base64'); +} + +export default { cache_key }; diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index ad41ec7ee7..9717bfc657 100644 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -74,6 +74,10 @@ http { init_worker_by_lua_file /etc/nginx/lua/ngx_conf_init_worker.lua; + js_import /etc/nginx/js/nginx/ngx_conf_rewrite_auth.js; + + js_set $njs_cache_key ngx_conf_rewrite_auth.cache_key; + {{/* Enable the real_ip module only if we use either X-Forwarded headers or Proxy Protocol. */}} {{/* we use the value of the real IP for the geo_ip module */}} {{ if or (or $cfg.UseForwardedHeaders $cfg.UseProxyProtocol) $cfg.EnableRealIP }} @@ -988,9 +992,6 @@ stream { {{ if $externalAuth.AuthCacheKey }} set $tmp_cache_key '{{ $server.Hostname }}{{ $authPath }}{{ $externalAuth.AuthCacheKey }}'; - set $cache_key ''; - - rewrite_by_lua_file /etc/nginx/lua/nginx/ngx_conf_rewrite_auth.lua; proxy_cache auth_cache; 
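Review bot: In `rootfs/etc/nginx/js/nginx/ngx_conf_rewrite_auth.js`, `cache_key` passes `req.variables.tmp_cache_key` straight to `update()` without checking that it is set. If the variable is undefined where `$njs_cache_key` is evaluated, the call throws; as far as I know njs then leaves a `js_set` variable empty, which would make every request in that location share one cached auth response. A guard such as `const src = req.variables.tmp_cache_key; if (!src) { return req.variables.request_id; }` keeps such requests from sharing an entry. A short comment saying that this digest decides which requests reuse a cached external-auth decision would also help. Separately, `createHash('sha256')` would avoid carrying SHA-1 forward; the removed Lua implementation is not shown, so confirm whether SHA-1 was kept only for parity.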
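Review bot: In `rootfs/etc/nginx/template/nginx.tmpl` the `js_import` and `js_set` lines are emitted in the `http` block unconditionally, so every rendered configuration now depends on the njs HTTP module and on the script file being present, even when no `AuthCacheKey` is configured. The module load is not visible in this hunk; confirm it happens before these directives, otherwise nginx should reject the configuration when it is loaded. A comment above the directives would make the coupling explicit, e.g. `# $njs_cache_key: digest of $tmp_cache_key, used as proxy_cache_key for cached external-auth responses`. The `http` block starts and ends outside the hunk.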
@@ -998,7 +999,7 @@ stream { proxy_cache_valid {{ $dur }}; {{- end }} - proxy_cache_key "$cache_key"; + proxy_cache_key "$njs_cache_key"; {{ end }} # ngx_auth_request module overrides variables in the parent request, diff --git a/test/e2e/settings/global_external_auth.go b/test/e2e/settings/global_external_auth.go index f589a63e94..425f375fcb 100644 --- a/test/e2e/settings/global_external_auth.go +++ b/test/e2e/settings/global_external_auth.go @@ -20,7 +20,6 @@ import ( "context" "fmt" "net/http" - "regexp" "strings" "github.com/onsi/ginkgo/v2" @@ -169,12 +168,9 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { globalExternalAuthURLSetting: globalExternalAuthURL, }) - cacheRegex := regexp.MustCompile(`\$cache_key.*foo`) - f.WaitForNginxServer(host, func(server string) bool { - return cacheRegex.MatchString(server) && - strings.Contains(server, `proxy_cache_valid 200 201 401 30m;`) + return strings.Contains(server, `proxy_cache_valid 200 201 401 30m;`) }) f.HTTPTestClient().
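Review bot: After this change the test in `test/e2e/settings/global_external_auth.go` no longer asserts anything about the cache key. The `WaitForNginxServer` callback only looks for `proxy_cache_valid 200 201 401 30m;`, so a rendered config that omits or mis-wires `proxy_cache_key` would still pass. Because the key decides which requests share a cached auth decision, keep an assertion on it, for example `strings.Contains(server, "proxy_cache_key \"$njs_cache_key\";") &&` ahead of the existing check. A check that the configured key value appears in the `set $tmp_cache_key` line would cover the input side as well. The enclosing test function starts and ends outside the hunk.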