JWT still validates token if present in headers even for un-protected route
I'm having an issue with the JWT middleware: even if I mark a route with [AllowAnonymous], if I pass an invalid JWT token it still validates the token. If a route is not protected, for example /sign-in, then I do not want those requests to be rejected. It should only check routes that are protected.
JWT extension code: https://paste.ofcode.org/Kv5vPnxcGyryzJ5tbqaAYY3

Replies
Seems the solution is just removing OnAuthenticationFailed and keeping OnChallenge.
Looks like these events still fire regardless of whether [AllowAnonymous] is present. But I think you can check for the presence of the attribute and return early if it exists.
I tried that, also removing the token out of the context.
In the end, I just kept OnChallenge and removed OnAuthenticationFailed.
Which solves the issue, and it no longer behaves that way. It will only validate the token on protected routes.
I think OnAuthenticationFailed was not meant for the use case I wanted and seemed to fire more than the other one, as it always validates.
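
Added example, not from the thread or the linked paste: a minimal ASP.NET Core Program.cs in which only OnChallenge writes the 401 response, so a bad token sent to an [AllowAnonymous] route is ignored while protected routes still reject it. It assumes the Microsoft.AspNetCore.Authentication.JwtBearer package and implicit usings; the signing key, the /me route and the error body are constructed, and keeping OnAuthenticationFailed as a log-only hook is an addition here (the thread removes it entirely).

```csharp
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
// Constructed placeholder key for this example; load the real key from a secret store.
var signingKey = new SymmetricSecurityKey(
    Encoding.UTF8.GetBytes("constructed-example-key-at-least-32-bytes!"));

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            IssuerSigningKey = signingKey,
            ValidateIssuer = false,    // assumption: single-service example
            ValidateAudience = false,  // assumption: single-service example
        };
        options.Events = new JwtBearerEvents
        {
            // Fires whenever a presented token fails validation, on any route.
            // Log only: writing a response here would also reject anonymous endpoints.
            OnAuthenticationFailed = ctx =>
            {
                var log = ctx.HttpContext.RequestServices
                    .GetRequiredService<ILoggerFactory>().CreateLogger("JwtBearer");
                log.LogWarning("Bad bearer token on {Path}: {Error}", ctx.Request.Path, ctx.Exception.GetType().Name);
                return Task.CompletedTask;
            },
            // Fires when a challenge is issued: authorization on a protected endpoint found no authenticated user.
            OnChallenge = async ctx =>
            {
                ctx.HandleResponse();  // suppress the default challenge response
                ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
                await ctx.Response.WriteAsJsonAsync(new { error = "invalid_or_missing_token" });
            },
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapPost("/sign-in", [AllowAnonymous] () => Results.Ok("anonymous ok"));
app.MapGet("/me", [Authorize] (HttpContext http) => Results.Ok(http.User.Identity?.Name));
app.Run();
```

The warning log on anonymous routes is still worth keeping: a stream of failed tokens against /sign-in is a signal for detection even though the request itself is allowed through.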