How to whitelist paths and/or http verbs?

I’ve added the necessary bits to the server to cope with this. Once it lands you’ll be able to do something like this:

        {
          "type": "noop",
          "pcb": {
            "skip": [
              {
                "query_engine": "jp",
                "query": "$.parentReqInfo.method",
                "rule": {
                  "method": "eq",
                  "value": "POST",
                  "negate": true
                }
              },
              {
                "query_engine": "jp",
                "query": "$.parentReqInfo.parsedUri.path",
                "rule": {
                  "method": "regex",
                  "value": "/^\/foo\//i",
                  "negate": true
                }
              }
            ]
          }
        }

The idea being, if the noop plugin is executed it always returns a 200 and therefore stops the pipeline. Keep in mind that each rule is a logical and so all must pass for the pcb to take effect. In this case it’s slightly confusing because we’re using the negate attribute combined with the fact that it’s a skip procedure (basically a double negative). However, the end result of the above is, this plugin is skipped unless it’s a POST to /foo/... Implicitly noop passes if invoked so if it’s not skipped, then request is allowed. If you want to OR logic of this nature then add multiple noop plugins inside the pipeline.

Having said all that, it’s much easier to use request_js plugin if feasible as the ability to do complex logic can be expressed much easier using pure code.

OK, there are really 2 approaches:

• https://github.com/travisghansen/external-auth-server/blob/master/PLUGINS.md#request_js
• update the amount of info available to the pcb logics

Using request_js already has access to parentReqInfo which includes all the info you would need to check verb, path, etc and make decisions. I’ve already got adding that info to the pcb logic queued up to make it work using that mechanism as well.