Update AuthenticationFilter proposal

[shaun-nx]

Proposed changes

This change updates the AuthenticationFilter proposal.

Changes made:

• Update API validation
• Removal of OnFailure configuration
• Add additional details on functional testing

Details related to AuthFailure are captured in the Stretch Goals section

Closes #4423

Checklist

Before creating a PR, run through this checklist and mark each as complete.

• I have read the CONTRIBUTING doc
• I have added tests that prove my fix is effective or that my feature works
• I have checked that all unit tests pass after adding my changes
• I have updated necessary documentation
• I have rebased my branch onto main
• I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.22%. Comparing base (89aee48) to head (bb91ce1).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4424      +/-   ##
==========================================
- Coverage   86.24%   86.22%   -0.02%     
==========================================
  Files         132      132              
  Lines       14566    14566              
  Branches       35       35              
==========================================
- Hits        12562    12560       -2     
- Misses       1791     1793       +2     
  Partials      213      213              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

This PR updates the AuthenticationFilter proposal by refining the API design, removing the OnFailure configuration from the main spec, and enhancing documentation quality. The changes move AuthFailure customization to stretch goals while improving clarity throughout the proposal.

Key Changes:

• Removed OnFailure configuration from BasicAuth and JWTAuth specs, relocating it to stretch goals
• Enhanced functional testing section with detailed test case scenarios
• Fixed numerous spelling and grammatical errors throughout the document

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[tataruty]

i see invalid functional tests for authentication as Authentication failed, and Authentication passed - for valid, means we get a response from the route behind auth filter.
Don't we do this full check in functional tests?

[sjberman]

With our other functional tests, we also verify that the nginx configuration is correct.

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[tataruty]

still cannot understand what is invalid AuthFilter. What do we expect as a result of test? Because i see it as invalid configuration, that to me should be a unit tests and not functional. And as mentioned before i expect here validation of passing/not passing auth while trying to get response

[shaun-nx]

The first line of this section says "This section covers deployment scenarios that are considered invalid"

So for the first test cases, we have a user deploying an HTTP/GRPCroute with a single route rule that is referencing an AuthenticationFilter that is invalid.

In this case, we don't care "how" the AuthenticationFilter that is invalid, we just case that it is invalid, and we are trying to use it. Does that make sense?

[shaun-nx]

The test cases should cover the expected outcomes for each one now. Let me know what you think.

[salonichf5]

There is a couple of places with typos for marked but looks good to me, approving it

[sjberman]

We use a different pattern right now for storing user secrets. For example, /etc/nginx/secrets/cert_bundle_<namespace>_<name>. I think we do something here to avoid the unnecessary nested directories. It doesn't need to be named auth, because we aren't mounting the file, we're sending it and it can be named whatever we want.

Maybe something like /etc/nginx/secrets/basic_auth_<namespace>_<name>

[shaun-nx]

Ah, good to know thanks!

[shaun-nx]

Now that you mention it, we don't actually need to include the key in the file name either since it will be unique enough with the namespace and name.

So we can use /etc/nginx/secrets/<secret-namespace>_<secret-name>

[shaun-nx]

Actually, lets include basic_auth at the start. It'll make debugging easier.

[sjberman]

Same comment as above regarding naming.

[sjberman]

I don't think we verify OpenAPI schema on our other policies, so these can be skipped.

[sjberman]

I'd do a typo pass on this doc again, there are quite a few misspellings.

[sjberman]

This has been an inconsistent lint failure and I'm not sure why. We probably want a separate PR to handle this if needed, not tagged onto a doc update.

[shaun-nx]

Interesting, I didn't notice this file was here in the files changed.
Did the linter remove the //nolint comment? I don't remember doing this myself.

[sjberman]

Hm, it must have. That's odd.