From ed274f2c6fb14f5a1a29ec8f19adeae45c5348fc Mon Sep 17 00:00:00 2001
From: Akshay Mankar
Date: Tue, 30 Jul 2024 14:41:42 +0200
Subject: [PATCH 1/2] nginx-zauth-module: Do not try to read the access token from query params

---
 .../nginx-zauth-module/zauth_module.c | 28 -------------------
 1 file changed, 28 deletions(-)

diff --git a/services/nginz/third_party/nginx-zauth-module/zauth_module.c b/services/nginz/third_party/nginx-zauth-module/zauth_module.c
index 6c8db823b43..5cb282fff7e 100644
--- a/services/nginz/third_party/nginx-zauth-module/zauth_module.c
+++ b/services/nginz/third_party/nginx-zauth-module/zauth_module.c
@@ -49,7 +49,6 @@ static ngx_int_t zauth_and_oauth_handle_request (ngx_http_request_t *);
 // Request Inspection
 static ZauthResult token_from_header (ngx_str_t const *, ZauthToken **);
-static ZauthResult token_from_query (ngx_str_t const *, ZauthToken **);
 static ZauthContext * alloc_zauth_context (ngx_http_request_t * r, ZauthToken *);
 static ZauthContext * alloc_oauth_context (ngx_http_request_t * r, char *);
 static ngx_int_t setup_zauth_context (ngx_http_request_t * , ZauthContext *);
@@ -455,17 +454,6 @@ static ngx_int_t zauth_parse_request (ngx_http_request_t * r) {
     if (r->headers_in.authorization != NULL) {
         res = token_from_header(&r->headers_in.authorization->value, &tkn);
-    } else if (r->args.len > 0) {
-        ngx_str_t query;
-        query.data = ngx_pnalloc(r->pool, r->args.len);
-        if (query.data == NULL) {
-            return NGX_ERROR;
-        }
-        u_char* writer = query.data;
-        u_char* reqargs = r->args.data;
-        ngx_unescape_uri(&writer, &reqargs, r->args.len, 0);
-        query.len = writer - query.data;
-        res = token_from_query(&query, &tkn);
     } else {
         ngx_str_t name = ngx_string("zprovider");
         ngx_str_t cookie = ngx_null_string;
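Review bot: With the `else if (r->args.len > 0)` branch removed, a request that still sends `access_token=` in the query string and carries no Authorization header now silently falls through to the `zprovider` cookie lookup, and nothing in zauth_parse_request records that the query string is ignored on purpose. A short comment above `if (r->headers_in.authorization != NULL) {` would keep the path from being reintroduced later: `// Tokens are read only from the Authorization header (or the zprovider cookie); query-string tokens are deliberately not accepted, since request URLs end up in access logs and Referer headers.` The enclosing function zauth_parse_request starts and ends outside the hunk, so how callers treat "no token found" for such requests cannot be checked here.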
@@ -502,22 +490,6 @@ static ZauthResult token_from_header (ngx_str_t const * hdr, ZauthToken ** t) {
     }
 }
-static ZauthResult token_from_query (ngx_str_t const * query, ZauthToken ** t) {
-    uint8_t const * start = memmem(query->data, query->len, "access_token=", 13);
-
-    if (start == NULL) {
-        return ZAUTH_PARSE_ERROR;
-    }
-
-    uint8_t const * token_start = start + 13; // length of "access_token="
-    size_t token_len = query->len - (token_start - query->data);
-    uint8_t const * token_end = memchr(token_start, '&', token_len);
-
-    return token_end == NULL
-        ? zauth_token_parse(token_start, token_len, t)
-        : zauth_token_parse(token_start, token_end - token_start, t);
-}
-
 // Variables ////////////////////////////////////////////////////////////////
 static ngx_int_t zauth_variables (ngx_conf_t * conf) {

From 9cc1fe1231be7848555099af3ce5e9af9daa1b8d Mon Sep 17 00:00:00 2001
From: Akshay Mankar
Date: Tue, 30 Jul 2024 14:43:57 +0200
Subject: [PATCH 2/2] changelog

---
 changelog.d/1-api-changes/nginz-no-query-params | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 changelog.d/1-api-changes/nginz-no-query-params

diff --git a/changelog.d/1-api-changes/nginz-no-query-params b/changelog.d/1-api-changes/nginz-no-query-params
new file mode 100644
index 00000000000..3bbae50609a
--- /dev/null
+++ b/changelog.d/1-api-changes/nginz-no-query-params
@@ -0,0 +1,2 @@
+Passing the access_token in the query params is not supported anymore. Please
+use the `Authorization` header to specify the token.
\ No newline at end of file