❔ Suppressing ASP0001: AuthorizationMiddleware is incorrectly configured

I am hosting a Blazor server app and a Web API in the same ASP.NET project, and I have set up my routing like this:
app.MapWhen(
ctx => ctx.Request.Path.StartsWithSegments("/api"),
applicationBuilder =>
{
applicationBuilder.UsePathBase("/api");
applicationBuilder.UseRouting();
applicationBuilder.UseMiddleware<SomeApiExclusiveMiddleware>();
applicationBuilder.UseAuthorization();
applicationBuilder.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
}
);

app.MapWhen(
ctx => !ctx.Request.Path.StartsWithSegments("/api"),
applicationBuilder =>
{
applicationBuilder.UseRouting();
applicationBuilder.UseAuthorization();
applicationBuilder.UseStaticFiles();
applicationBuilder.UseEndpoints(endpoints =>
{
endpoints.MapBlazorHub();
endpoints.MapRazorPages();
endpoints.MapFallbackToPage("/_Host");
});
}
);
app.MapWhen(
ctx => ctx.Request.Path.StartsWithSegments("/api"),
applicationBuilder =>
{
applicationBuilder.UsePathBase("/api");
applicationBuilder.UseRouting();
applicationBuilder.UseMiddleware<SomeApiExclusiveMiddleware>();
applicationBuilder.UseAuthorization();
applicationBuilder.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
}
);

app.MapWhen(
ctx => !ctx.Request.Path.StartsWithSegments("/api"),
applicationBuilder =>
{
applicationBuilder.UseRouting();
applicationBuilder.UseAuthorization();
applicationBuilder.UseStaticFiles();
applicationBuilder.UseEndpoints(endpoints =>
{
endpoints.MapBlazorHub();
endpoints.MapRazorPages();
endpoints.MapFallbackToPage("/_Host");
});
}
);
This is intended so that a request to /api/SomeEndpointThatDoesNotExist returns a plain old 404 instead of going to the Blazor fallback page, and also so that I am not using unnecessary middleware on Blazor requests. It seems to work fine, but on the second call to UseAuthorization I'm getting ASP0001 about it being ordered incorrectly. I am not sure this warning is valid because the calls to .UseAuthorization() are presumably acting on different instances of IApplicationBuilder, but I'm not sure. Is it ok to suppress it? Note that I did try extracting UseRouting() and UseAuthorization(), which are common to both mappings, to before the branch by calling them on the WebApplication directly as app.UseRouting() etc, but this caused all my POST /api requests to return a 400 and GET /api/aaaaaaaa to go to Blazor.
11 Replies
JakenVeina
JakenVeina17mo ago
I'm just here questioning why static files need authorization that's really the source of the warning, here in fact I'm not convinced that UseAuthorization() does ANYTHING in that context cause, really, .UseAuthorization() doesn't do anything, ever it only extracts auth info from the request and/or the lower layers, and populates it into the context it's up to later middleware to actually DO something with that info are any of your razor pages here actually doing auth?
dreadfullydistinct
dreadfullydistinctOP17mo ago
it does have an oauth login yeah could probably move static files lol I'm still working it out I've noticed this actually has issues where any API controller that needs model binding just returns a 400 ... but only in my integration tests, for some reason an actual client works fine. I've started using
this.Client = factory
.CreateClient(
new WebApplicationFactoryClientOptions()
{
BaseAddress = new Uri("http://localhost/api/"),
HandleCookies = false
}
);
this.Client = factory
.CreateClient(
new WebApplicationFactoryClientOptions()
{
BaseAddress = new Uri("http://localhost/api/"),
HandleCookies = false
}
);
JakenVeina
JakenVeina17mo ago
just based on the code itself, nah, that's a bogus warning the thing it's asking you to do, you are, in fact, doing UseAuthorization comes after UseRouting and before UseEndpoints you're fine if you want to just suppress it
dreadfullydistinct
dreadfullydistinctOP17mo ago
thank you extra question -- do you know how I can dive into the asp net logs to work out why it's throwing a 400 for the WebApplicationFactory HttpClient?
JakenVeina
JakenVeina17mo ago
I mean.... not really? but it's not like there's anything to it you should see all the logs already in the VS Debug Output window although, it perhaps looks like you're not using VS? I don't have any advice on what to look for, if that's what you're asking
dreadfullydistinct
dreadfullydistinctOP17mo ago
yeah rider and you are right, it's in the debug output 😛 it's looking for the session cookie
JakenVeina
JakenVeina17mo ago
😉
dreadfullydistinct
dreadfullydistinctOP17mo ago
..... because of my least favourite feature of dotnet where if you have a base address http://localhost/api/ and you POST to /someendpoint, it combines them as http://localhost/someendpoint due to the trailing slash in the endpoint and then it goes to blazor fallback and complains about a missing antiforgery token
JakenVeina
JakenVeina17mo ago
that's standard browser behavior, not something about .NET "/someendpoint" refers to the root domain path "someendpoint" would refer to a path relative to where you currently are or the base path
dreadfullydistinct
dreadfullydistinctOP17mo ago
ahh, I guess it makes sense, but we've still had issues in prod with it 😭
Accord
Accord17mo ago
Was this issue resolved? If so, run /close - otherwise I will mark this as stale and this post will be archived until there is new activity.
Want results from more Discord servers?
Add your server