nginx.conf

error_log /dev/stderr info;

events {
  worker_connections 1024;
}

http {
  init_by_lua_block {
    local fernet = require "resty.fernet"
    local key = fernet:generate_key()
    ngx.shared.fernet = fernet:new(key)
  }

  server {
    listen 8080;

    location = /login {
      content_by_lua_block {
        local cjson = require "cjson.safe"
        local json, err = cjson.encode({ username="resty", api_key="secret" })
        if err then
          ngx.log(ngx.ERR, err)
          ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
        end

        local token, err = ngx.shared.fernet:encrypt(json)
        if err then
          ngx.log(ngx.ERR, err)
          ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
        end

        ngx.header["Set-Cookie"] = "session=" .. token .. ";"
        ngx.exit(ngx.HTTP_NO_CONTENT)
      }
    }

    location / {
      content_by_lua_block {
        local session_cookie = ngx.var.cookie_session
        if not session_cookie then
          ngx.log(ngx.INFO, "no session cookie")
          ngx.exit(ngx.HTTP_UNAUTHORIZED)
        end

        local json, err = ngx.shared.fernet:decrypt(session_cookie)
        if err then
          ngx.log(ngx.ERR, err)
          ngx.exit(ngx.HTTP_UNAUTHORIZED)
        end

        local cjson = require "cjson.safe"
        local session, err = cjson.decode(json)
        if err then
          ngx.log(ngx.ERR, err)
          ngx.exit(ngx.HTTP_UNAUTHORIZED)
        end
        ngx.log(ngx.INFO, session.api_key)
        ngx.say("Hello " .. session.username)

        -- could store for use in other phases
        -- ngx.ctx.session = session

        ngx.exit(ngx.HTTP_OK)
      }
    }

    location = /health {
      return 204;
    }
  }
}