feat(jwe-decrypt): remove server-side token generation endpoint#13464
Open
shreemaan-abhishek wants to merge 2 commits into
Open
feat(jwe-decrypt): remove server-side token generation endpoint#13464shreemaan-abhishek wants to merge 2 commits into
shreemaan-abhishek wants to merge 2 commits into
Conversation
The /apisix/plugin/jwe/encrypt endpoint registered by the jwe-decrypt plugin was an unfinished dev helper: the IV generation still carried a "TODO: random bytes" placeholder and fell back to a fixed value. A gateway should decrypt JWEs, not mint them; token issuance belongs in the service that owns the consumer secret. Remove the endpoint, its handler (gen_token), and the jwe_encrypt helper, and update docs and tests accordingly. The decrypt path (_M.rewrite) is unchanged.
dosubot
Bot
added
the
size:L
There was a problem hiding this comment.
Pull request overview
This PR removes the unfinished server-side JWE token generation endpoint (/apisix/plugin/jwe/encrypt) that was previously registered by the jwe-decrypt plugin, keeping the plugin focused on decryption-only behavior. It updates plugin docs and adjusts tests to no longer depend on runtime token minting.
Changes:
- Removed the JWE encryption helper and API endpoint from
apisix/plugins/jwe-decrypt.lua. - Updated English and Chinese plugin documentation to describe offline token generation and removed references to exposing the encrypt endpoint via
public-api. - Updated the
t/plugin/jwe-decrypt.ttest suite to avoid calling the removed endpoint and to use precomputed tokens where needed.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
apisix/plugins/jwe-decrypt.lua |
Removes the server-side token minting endpoint/handler and related encryption helper. |
t/plugin/jwe-decrypt.t |
Removes endpoint-driven tests and switches to precomputed tokens; should add a regression test to assert the endpoint stays removed. |
docs/en/latest/plugins/jwe-decrypt.md |
Removes endpoint exposure instructions and documents offline token structure; should explicitly note AES-GCM IV requirements. |
docs/zh/latest/plugins/jwe-decrypt.md |
Same as English docs; should explicitly note AES-GCM IV requirements. |
Comments suppressed due to low confidence (1)
t/plugin/jwe-decrypt.t:494
- The PR removes the
/apisix/plugin/jwe/encryptendpoint, but the test suite no longer has a regression test proving that exposing the path viapublic-apiyields 404 (i.e., that the plugin no longer registers an API route). Adding such a test will prevent accidental reintroduction of the endpoint.
=== TEST 21: verify in upstream header
--- request
GET /headers
--- more_headers
Authorization: eyJhbGciOiJkaXIiLCJraWQiOiJ1c2VyLWtleSIsImVuYyI6IkEyNTZHQ00ifQ..MTIzNDU2Nzg5MDEy._0DrWD0.vl-ydutnNuMpkYskwNqu-Q
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Address review feedback: - State that the IV must be unique and randomly generated per token, and regenerate the doc example token with a random IV so the example models correct usage. - Cover the second consumer secret in the no_error_log assertion of the consumer-deletion test.
nic-6443
approved these changes
Jun 4, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
The
/apisix/plugin/jwe/encryptendpoint registered by thejwe-decryptplugin was an unfinished dev helper: the IV generation still carried a-- TODO: random bytesplaceholder and fell back to a fixed value. A gateway should decrypt JWEs, not mint them; token issuance belongs in the service that owns the consumer secret.This PR removes the endpoint, its handler (
gen_token), and thejwe_encrypthelper, and updates docs and tests accordingly. The decrypt path (_M.rewrite) is unchanged.Operators who need to generate tokens for testing can mint them offline with any AES-256-GCM library; the updated docs describe the token structure for doing so.
Note: this removes a documented endpoint. Deployments that exposed it via the
public-apiplugin to mint tokens at runtime will need to switch to offline token generation.Which issue(s) this PR fixes:
None
Checklist