C
C#11mo ago
dreadfullydistinct

❔ Suppressing ASP0001: AuthorizationMiddleware is incorrectly configured

I am hosting a Blazor server app and a Web API in the same ASP.NET project, and I have set up my routing like this: 
app.MapWhen(
    ctx => ctx.Request.Path.StartsWithSegments("/api"),
    applicationBuilder =>
    {
        applicationBuilder.UsePathBase("/api");
        applicationBuilder.UseRouting();
        applicationBuilder.UseMiddleware<SomeApiExclusiveMiddleware>();
        applicationBuilder.UseAuthorization();
        applicationBuilder.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });
    }
);

app.MapWhen(
    ctx => !ctx.Request.Path.StartsWithSegments("/api"),
    applicationBuilder =>
    {
        applicationBuilder.UseRouting();
        applicationBuilder.UseAuthorization();
        applicationBuilder.UseStaticFiles();
        applicationBuilder.UseEndpoints(endpoints =>
        {
            endpoints.MapBlazorHub();
            endpoints.MapRazorPages();
            endpoints.MapFallbackToPage("/_Host");
        });
    }
);
app.MapWhen(
    ctx => ctx.Request.Path.StartsWithSegments("/api"),
    applicationBuilder =>
    {
        applicationBuilder.UsePathBase("/api");
        applicationBuilder.UseRouting();
        applicationBuilder.UseMiddleware<SomeApiExclusiveMiddleware>();
        applicationBuilder.UseAuthorization();
        applicationBuilder.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });
    }
);

app.MapWhen(
    ctx => !ctx.Request.Path.StartsWithSegments("/api"),
    applicationBuilder =>
    {
        applicationBuilder.UseRouting();
        applicationBuilder.UseAuthorization();
        applicationBuilder.UseStaticFiles();
        applicationBuilder.UseEndpoints(endpoints =>
        {
            endpoints.MapBlazorHub();
            endpoints.MapRazorPages();
            endpoints.MapFallbackToPage("/_Host");
        });
    }
);
This is intended so that a request to /api/SomeEndpointThatDoesNotExist returns a plain old 404 instead of going to the Blazor fallback page, and also so that I am not using unnecessary middleware on Blazor requests. It seems to work fine, but on the second call to UseAuthorization I'm getting ASP0001 about it being ordered incorrectly. I am not sure this warning is valid because the calls to .UseAuthorization() are presumably acting on different instances of IApplicationBuilder, but I'm not sure. Is it ok to suppress it? Note that I did try extracting UseRouting() and UseAuthorization(), which are common to both mappings, to before the branch by calling them on the WebApplication directly as app.UseRouting() etc, but this caused all my POST /api requests to return a 400 and GET /api/aaaaaaaa to go to Blazor.
11 Replies
JakenVeina
JakenVeina11mo ago
I'm just here questioning why static files need authorization that's really the source of the warning, here in fact I'm not convinced that UseAuthorization() does ANYTHING in that context cause, really, .UseAuthorization() doesn't do anything, ever it only extracts auth info from the request and/or the lower layers, and populates it into the context it's up to later middleware to actually DO something with that info are any of your razor pages here actually doing auth?
dreadfullydistinct
dreadfullydistinct11mo ago
it does have an oauth login yeah could probably move static files lol I'm still working it out I've noticed this actually has issues where any API controller that needs model binding just returns a 400 ... but only in my integration tests, for some reason an actual client works fine. I've started using 
this.Client = factory
            .CreateClient(
                new WebApplicationFactoryClientOptions()
                {
                    BaseAddress = new Uri("http://localhost/api/"),
                    HandleCookies = false
                }
            );
this.Client = factory
            .CreateClient(
                new WebApplicationFactoryClientOptions()
                {
                    BaseAddress = new Uri("http://localhost/api/"),
                    HandleCookies = false
                }
            );
JakenVeina
JakenVeina11mo ago
just based on the code itself, nah, that's a bogus warning the thing it's asking you to do, you are, in fact, doing UseAuthorization comes after UseRouting and before UseEndpoints you're fine if you want to just suppress it
dreadfullydistinct
dreadfullydistinct11mo ago
thank you extra question -- do you know how I can dive into the asp net logs to work out why it's throwing a 400 for the WebApplicationFactory HttpClient?
JakenVeina
JakenVeina11mo ago
I mean.... not really? but it's not like there's anything to it you should see all the logs already in the VS Debug Output window although, it perhaps looks like you're not using VS? I don't have any advice on what to look for, if that's what you're asking
dreadfullydistinct
dreadfullydistinct11mo ago
yeah rider and you are right, it's in the debug output 😛 it's looking for the session cookie
JakenVeina
JakenVeina11mo ago
😉
dreadfullydistinct
dreadfullydistinct11mo ago
..... because of my least favourite feature of dotnet where if you have a base address http://localhost/api/ and you POST to /someendpoint, it combines them as http://localhost/someendpoint due to the trailing slash in the endpoint and then it goes to blazor fallback and complains about a missing antiforgery token
JakenVeina
JakenVeina11mo ago
that's standard browser behavior, not something about .NET "/someendpoint" refers to the root domain path "someendpoint" would refer to a path relative to where you currently are or the base path
dreadfullydistinct
dreadfullydistinct11mo ago
ahh, I guess it makes sense, but we've still had issues in prod with it 😭
Accord
Accord11mo ago
Was this issue resolved? If so, run /close - otherwise I will mark this as stale and this post will be archived until there is new activity.
Want results from more Discord servers?
Add your server
More Posts
❔ Spreadsheet option for a dict / class? (visual studio)I finally set a bunch of stuff up and their working correctly, huzah! Now, i have a dictionary that❔ Constant string value for discriminator using SwashbuckleI've spent hours Googling around and testing. I have a simple table-per-hierarchy pattern going on. ❔ Entity Framework 7 model property as enum is giving conflicts when running migrationI'm trying to create a many to many "pivot" model where it haves 2 fields "GroupId" and "Subscriptio❔ Is there a way to make this neater?``` public void AddTags(string tag) { Tags?.Add(tag); Tags = Tags; } ❔ Is it Possible to Consume a Queue Message by Multiple Consumers ( RabbitMQ & MassTransit ) ?Hi friends, I'm working on a project using `Microservices` architecture, I have `AuthService`, `Exp❔ ClicksI know how to make it so that when a user clicks a picturebox it adds 1 'click' to a label, but how ❔ FRUSTRATIONI'm having the worst time trying to figure out why I'm getting a Error while compiling: IslandPatrol❔ Im gonna lose my fucking mind over this❔ ASP.NET always validates invalid JWTI have a custom configuration for Asp.net where the JWT Token is stored in an http-only cookie, beca❔ Class with Func<> and class initializersIf I define a class with members to be passed to known create type functions how do I set the Func<>