Netacea · whiteh · Jan 26, 2026 · Jan 26, 2026 · Jan 26, 2026 · Jan 27, 2026
@@ -1,8 +1,7 @@
 name: lua-resty-netacea-build
 on: 
+  workflow_dispatch:
   pull_request:
-    branches:
-      - master
   push:
     branches:
       - master

@@ -0,0 +1,6 @@
+return {
+    ["reporter"] = "html",
+    ["reportfile"] = "luacov.report.html",
+    ["include"] = {"./src/" },
+    runreport = true
+}
@@ -1,16 +1,42 @@
 # lua_resty_netacea
-An Openresty module for easy integration of Netacea services
+An Openresty module for easy integration of Netacea services. This repo is for developing the package. The package can be accessed by the Luarocks package management platform. See the Netacea documentation for making use of the module.
 
-# Building the base image
-All the images used by docker rely on a specific base image being available on your local docker registry. You can ensure you have this by running the following command
-```sh
-docker build -t lua_resty_netacea:latest .
-```
+## Published package
+
+The Netacea package is available on the Luarocks package manager. Publishing is handled by the Netacea team.
+
+## Docker images
+The Dockerfile contains a multi-stage build, including:
+
+| Stage name | Based on | Description |
+| -- | -- | -- |
+| base  |  openresty/openresty:noble | Base image of Openresty with updated packages around openSSL |
+| build | base | Working Openresty instance with Netacea plugin installed using luarocks and rockspec file |
+| test | build | Lua packages installed for testing and linting. Command overridden to run unit tests |
+| lint | test | Command overridden to run luacheck linter and output results | 
+
+The docker compose file is used to mount local files to the right place in the image to support development.
+
+### Run development version
+
+1. Update `./src/conf/nginx.conf` to include Netacea configuration and server configuration. Default is the NGINX instance will just return a static "Hello world" page. See "Configuration" below
+2. `docker-compose up resty`
+3. Access [](http://localhost:8080)
+
+### Run tests
+
+#### Unit tests
+
+Without coverage report: `docker-compose run test`
+With coverage report (sent to stdout) `docker-compose run -e LUACOV_REPORT=1 test [> output.html]`
+
+#### Linter
+
+`docker-compose run linter`
 
-# Running Tests
-`docker-compose build` then `docker-compose run test`
+## Configuration
 
-## nginx.conf - mitigate
+### nginx.conf - mitigate
 ```
 worker_processes 1;
 
@@ -57,7 +83,7 @@ http {
 }
 ```
 
-## nginx.conf - inject
+### nginx.conf - inject
 ```
 worker_processes 1;
 

@@ -30,6 +30,8 @@ services:
     volumes:
       - "./src:/usr/src/src"
       - "./test:/usr/src/test"
+      - "./run_lua_tests.sh:/usr/src/run_lua_tests.sh"
+      - ".luacov:/usr/src/.luacov"
 
   lint:
     build:

@@ -1,80 +1,7 @@
-# sh /docker/pull-changes.sh
 
-OPENRESTY="/usr/local/openresty"
-RESTY="${OPENRESTY}/bin/resty"
-WD="${OPENRESTY}/nginx"
-BASE_DIR="/usr/src"
-TEST_DIR="${BASE_DIR}/test"
-
-STATS_FILE="luacov.stats.out"
-STATS_SRC="${TEST_DIR}/${STATS_FILE}"
-REPORT_FILE="luacov.report.out"
-REPORT_SRC="${TEST_DIR}/${REPORT_FILE}"
-
-EXIT_CODE=0
-
-################################################################################
-
-OPT_PROCESS_STATS=0
-OPT_EARLY_EXIT=1
-
-while getopts "s" opt; do
-    case $opt in
-        s) OPT_PROCESS_STATS=1;;
-        \?) echo "invalid argument";;
-    esac
-done
-
-################################################################################
-
-function exit_script {
-    echo ""
-    echo "END TESTS"
-    echo ""
-    echo "coverage stats file: ${STATS_SRC}"
-    end_tests
-    echo $1
-    exit $1
-}
-
-function end_tests {
-  echo "done"
-    # if [ $OPT_PROCESS_STATS -eq 1 ]; then
-    #     cd $TEST_DIR
-    #     (luacov)
-    #     echo "coverage report file: ${REPORT_SRC}"
-    # fi
-}
-
- ################################################################################
-
-echo ""
-echo "BEGIN TESTS"
-echo ""
-
-cd $TEST_DIR
-PREV=$(pwd)
-
-files=$(find . -name '*.test.lua')
-
-while read line; do
-    echo " -- TEST FILE: ${line}"
-    DIR=$(dirname "${line}")
-    FILE=$(basename "${line}")
-
-    onlytag=""
-    grep '#only' "${line}" && onlytag="--tags='only'"
-
-    bash -c "$RESTY $line --exclude-tags='skip' ${onlytag}"
-    RES=$?
-
-    if [ $RES -ne 0 ]; then
-        EXIT_CODE=$RES
-        if [ $OPT_EARLY_EXIT -eq 1 ]; then break; fi
-    fi
-
-    cd "$PREV"
-    echo ""
-done <<< "$files"
-
-exit_script $EXIT_CODE
+if [ "$LUACOV_REPORT" = "1" ]; then
+    busted --coverage-config-file ./.luacov --coverage ./test >&2
+    cat ./luacov.report.html
+else
+    busted ./test
+fi
@@ -4,6 +4,7 @@ local Ingest = require("lua_resty_netacea_ingest")
 local netacea_cookies = require('lua_resty_netacea_cookies_v3')
 local utils = require("netacea_utils")
 local protector_client = require("lua_resty_netacea_protector_client")
+local Constants = require("lua_resty_netacea_constants")
 
 local _N = {}
 _N._VERSION = '0.2.2'

@@ -1,4 +1,4 @@
-Constants = {}
+local Constants = {}
 
 Constants['idTypesText'] = {}
 Constants['idTypes'] = {

@@ -49,6 +49,7 @@ end
 
 
 function NetaceaCookies.generateNewCookieValue(secretKey, client, user_id, cookie_id, issue_reason, issue_timestamp, grace_period, match, mitigation, captcha, settings)
+    settings = settings or {}
     local plaintext = ngx.encode_args({
         cip = client,
         uid = user_id,
@@ -105,7 +106,18 @@ function NetaceaCookies.parseMitataCookie(cookie, secretKey)
         end
     end
 
-    if tonumber(decoded.ist) + tonumber(decoded.grp) < ngx.time() then
+    -- Validate numeric fields
+    local ist = tonumber(decoded.ist)
+    local grp = tonumber(decoded.grp)
+
+    if not ist or not grp then
+        return {
+            valid = false,
+            reason = constants['issueReasons'].INVALID_SESSION
+        }
+    end
+
+    if ist + grp < ngx.time() then
         return {
             valid = false,
             user_id = decoded.uid,

@@ -0,0 +1,3 @@
+-- Some QOL patches for warnings from g_write_guard.
+-- See https://github.com/openresty/lua-nginx-module/issues/1558#issuecomment-512360451
+rawset(_G, 'lfs', false) -- silence g_write_guard about lfs module in busted