Complain if auth hasn't been set up correctly #9181
Conversation
pranavkm
requested review from
analogrelay,
jkotalik and
Tratcher
as code owners
|
Plain text benchmarks:
Auth one is a likely worse than normal since I was manually signing in every request. |
|
cc @davidfowl |
Eilon
added
area-mvc
pranavkm
requested review from
BrennanConroy,
halter73 and
mikaelm12
as code owners
| @@ -4,7 +4,7 @@ | |||
| namespace Microsoft.AspNetCore.Authorization | |||
| { | |||
| /// <summary> | |||
| /// Marker interface to enable the <see cref="AllowAnonymousAttribute"/>. | |||
| /// Marker interface to allow anonymous. | |||
There was a problem hiding this comment.
Do you have suggestions on what we could do to make this better?
There was a problem hiding this comment.
| /// Marker interface to allow anonymous. | |
| /// Marker interface to allow access to anonymous users. |
maybe?
| @@ -11,6 +14,9 @@ namespace Microsoft.AspNetCore.Routing | |||
| { | |||
| internal sealed class EndpointMiddleware | |||
| { | |||
| internal const string AuthorizationMiddlewareInvokedKey = "__AuthorizationMiddlewareInvoked"; | |||
There was a problem hiding this comment.
I wonder if these should be features... Then we could back them by fields in Kestrel and avoid the dictionary look up altogether
There was a problem hiding this comment.
Is it possible to use mvc without ever initilizing Items? Most middleware use features instead. Note adding a feature would reset the version cache.
There was a problem hiding this comment.
Is it possible to use mvc without ever initilizing Items?
MVC uses it in a couple of places (https://github.com/aspnet/AspNetCore/blob/c565386a3ed135560bc2e9017aa54a950b4e35dd/src/Mvc/Mvc.Core/src/Routing/UrlHelperFactory.cs, https://github.com/aspnet/AspNetCore/blob/c565386a3ed135560bc2e9017aa54a950b4e35dd/src/Mvc/Mvc.ViewFeatures/src/Filters/SaveTempDataFilter.cs#L34) so generally you'd see it initialized if MVC is involved.
| private static void ThrowMissingAuthMiddlewareException(Endpoint endpoint) | ||
| { | ||
| throw new InvalidOperationException($"Endpoint {endpoint.DisplayName} contains authorization metadata, " + | ||
| "but a middleware was not found that supports authorization."); |
There was a problem hiding this comment.
We say "a middleware", but we really require middleware that sets AuthorizationMiddlewareInvokedKey.
Is this a problem for people who think that they can implement their own middleware to fix this problem? I think this exception could explicitly say .UseAuthorization() is required. It is the only middleware that knows to set AuthorizationMiddlewareInvokedKey
The alternative is providing a more first class way of saying that auth has run for the request.
There was a problem hiding this comment.
The error message is a bit more explicit about what to do resolve it and includes a line saying you could add auth.
The alternative is providing a more first class way of saying that auth has run for the request.
We could add a gesture for this or turn it in to a feature with settable properties. Either of these seem viable to me
pranavkm
force-pushed
the
prkrishn/auth-check
branch
from
8ce2ba7 to
6e1bf58
Compare
| @@ -73,17 +77,33 @@ public void ConfigureServices(IServiceCollection services) | |||
| { | |||
| OnMessageReceived = context => | |||
| { | |||
| var signalRTokenHeader = context.Request.Query["access_token"]; | |||
| var endpoint = context.HttpContext.Features.Get<IEndpointFeature>()?.Endpoint; | |||
There was a problem hiding this comment.
Auth currently runs twice in SignalR (#9216). Perhaps it would be safer to leave that be in preview4. This particular change was the result of the WebSocketMiddleware not having run prior to endpoint routing - consequently the check context.HttpContext.WebSockets.IsWebSocketRequest failed.
|
🆙 📅 |
| @@ -73,17 +77,33 @@ public void ConfigureServices(IServiceCollection services) | |||
| { | |||
| OnMessageReceived = context => | |||
| { | |||
| var signalRTokenHeader = context.Request.Query["access_token"]; | |||
| var endpoint = context.HttpContext.Features.Get<IEndpointFeature>()?.Endpoint; | |||
| if (endpoint != null && endpoint.Metadata.GetMetadata<HubMetadata>() != null) | |||
There was a problem hiding this comment.
@davidfowl this particular change was suggested by @BrennanConroy. In lieu of checking if a particular request is a WebSocket request, this always checks if the query string is specified. However it needs to read the Auth header if available.
There was a problem hiding this comment.
I think this is reasonable.
The slight concern I have is that this could encourage people to put an access_token in the query string when they could have set an Authorization header. We'd like to encourage using the header over the query string since the query string is more likely to be logged.
I don't think that concern is big enough to warrant changing this logic though.
|
QB approved for Preview 4. Please check in and watch the build stay green. Please also resolve https://devdiv.visualstudio.com/DevDiv/_workitems/edit/843164 when done. |
|
@halter73 \ @BrennanConroy how do I proceed with the SignalR functional test failure? The Windows build doesn't say what test failed and I'm not sure how to get to the logs to diagnose the Ubuntu failure. |
|
👀 @aspnet/build - this will probably be the last Preview 4 change. |
|
The windows test is the same failure as the ubuntu one. You can look in the |
|
I'm giving it one more go putting back the custom CORS code that was in there. In the absence of it, I'm going to consider skipping the test. |
|
CORS seems to have done the trick. |
|
That is odd... any idea why? |
|
Not entirely sure. Perhaps the way the CI runs tests requires CORS to have run prior to |
pranavkm
force-pushed
the
prkrishn/auth-check
branch
from
4ccde15 to
6cd4599
Compare
|
/azp run AspNetCore-ci |
|
Azure Pipelines failed to run 1 pipeline(s). |
|
Previous test run failed on one flaky test. This has QB and review approvals, so I'm bringing it in with admin permissions. |
Fixes #9041