dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.

Home Page: https://asp.net

Explicitly calling `context.Fail(....)` in authorization policy requirement handler results in empty `policyAuthorizationResult.AuthorizationFailure.FailedRequirements`

Xor-el opened this issue · comments

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

Calling context.Fail(....) in our Authorization policy requirement handler causes policyAuthorizationResult.AuthorizationFailure.FailedRequirements to be empty when our Authorization fails.

Expected Behavior

policyAuthorizationResult.AuthorizationFailure.FailedRequirements should not be empty when Authorization fails regardless of whether we call context.Fail(....) in our policy requirement handler or not.

Steps To Reproduce

  1. Clone this repo, build and run.

  2. Initiate the request below using cURL; notice we get a 401 Unauthorized response.

curl --location 'https://localhost:7244/authbugdemo/implicit-fail' \
--header 'Content-Type: application/json' \
--header 'X-API-Key: BadAPIKey' \
--data '{
    "name": "Chucky",
    "description": "Child'\''s Play is an American slasher media franchise created by Don Mancini."
}'

  3. Initiate the request below using cURL; notice we get a 403 Forbidden response.

curl --location 'https://localhost:7244/authbugdemo/explicit-fail' \
--header 'Content-Type: application/json' \
--header 'X-API-Key: BadAPIKey' \
--data '{
    "name": "Chucky",
    "description": "Child'\''s Play is an American slasher media franchise created by Don Mancini."
}'

  4. The difference between the two endpoints is their Authorization policy requirement handlers.

     The implicit-fail endpoint policy requirement handler doesn't call context.Fail if authorization fails. However, the explicit-fail endpoint policy requirement handler calls context.Fail("....") when authorization fails.

  5. I have an IAuthorizationMiddlewareResultHandler implementation that checks if the failed requirement is of a particular type using policyAuthorizationResult.AuthorizationFailure.FailedRequirements and modifies the response status code appropriately.

Unfortunately, policyAuthorizationResult.AuthorizationFailure.FailedRequirements is always empty when we use the explicit-fail policy requirement handler that calls context.Fail("....").

I don't see this behaviour documented anywhere so I assume it's a bug.
If it is an expected behaviour (this would be strange 😕), then how do we propagate the failure reason from the various policy requirement handlers to my IAuthorizationMiddlewareResultHandler without calling context.Fail("....")?

Exceptions (if any)

No response

.NET Version

8.0.200

Anything else?

No response
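The setup the issue describes (one requirement handler that stays silent on failure, one that calls context.Fail, and an IAuthorizationMiddlewareResultHandler that wants to know which requirement failed), as an added example. This is not code from the author's linked repo and not ASP.NET Core's own code. The framework behaviour it is built around: when any handler has called context.Fail, the default evaluator constructs AuthorizationFailure from the handler context's FailureReasons, and only when no handler failed does it construct it from the still-pending requirements, so FailedRequirements is populated in the implicit case and FailureReasons in the explicit case. A result handler therefore has to read both. Assumed (hypothetical) names: ApiKeyRequirement, ApiKeyHandler, ApiKeyResultHandler, the policy names "implicit-fail" and "explicit-fail", the expected key "GoodAPIKey", and the ApiKeyStub identity that stands in for a real authentication scheme; the project is assumed to use the Microsoft.NET.Sdk.Web SDK on .NET 8 with implicit usings.

```csharp
// Added example (not the issue author's repository code and not ASP.NET Core's own code).
// Assumes a Microsoft.NET.Sdk.Web project on .NET 8 (implicit usings) and the hypothetical
// names ApiKeyRequirement, ApiKeyHandler, ApiKeyResultHandler, policy names
// "implicit-fail"/"explicit-fail", and the expected key "GoodAPIKey".
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Policy;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthorization(options =>
{
    // Same requirement type for both endpoints; only the failure style differs.
    options.AddPolicy("implicit-fail", p => p.AddRequirements(new ApiKeyRequirement("GoodAPIKey", FailExplicitly: false)));
    options.AddPolicy("explicit-fail", p => p.AddRequirements(new ApiKeyRequirement("GoodAPIKey", FailExplicitly: true)));
});
builder.Services.AddSingleton<IAuthorizationHandler, ApiKeyHandler>();
builder.Services.AddSingleton<IAuthorizationMiddlewareResultHandler, ApiKeyResultHandler>();

var app = builder.Build();

// Stand-in for a real authentication scheme (an assumption made to keep the sample self-contained):
// marking every caller as authenticated makes the policy evaluator report failures as Forbid,
// which carries an AuthorizationFailure, instead of Challenge, which carries none.
app.Use((ctx, next) =>
{
    ctx.User = new ClaimsPrincipal(new ClaimsIdentity(authenticationType: "ApiKeyStub"));
    return next(ctx);
});
app.UseAuthorization();

app.MapPost("/authbugdemo/implicit-fail", () => Results.Ok("implicit ok")).RequireAuthorization("implicit-fail");
app.MapPost("/authbugdemo/explicit-fail", () => Results.Ok("explicit ok")).RequireAuthorization("explicit-fail");

app.Run();

sealed record ApiKeyRequirement(string ExpectedKey, bool FailExplicitly) : IAuthorizationRequirement;

sealed class ApiKeyHandler : AuthorizationHandler<ApiKeyRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, ApiKeyRequirement requirement)
    {
        // With endpoint routing the authorization resource is the HttpContext.
        var presented = (context.Resource as HttpContext)?.Request.Headers["X-API-Key"].ToString();
        if (presented == requirement.ExpectedKey)
        {
            context.Succeed(requirement);
        }
        else if (requirement.FailExplicitly)
        {
            // Explicit failure: the evaluator then builds AuthorizationFailure from FailureReasons
            // and FailedRequirements stays empty, so the reason is where the detail survives.
            context.Fail(new AuthorizationFailureReason(this, "X-API-Key header missing or invalid"));
        }
        // Implicit failure: say nothing; the requirement stays pending and ends up in FailedRequirements.
        return Task.CompletedTask;
    }
}

sealed class ApiKeyResultHandler : IAuthorizationMiddlewareResultHandler
{
    public async Task HandleAsync(RequestDelegate next, HttpContext context,
                                  AuthorizationPolicy policy, PolicyAuthorizationResult result)
    {
        if (result.Succeeded)
        {
            await next(context);
            return;
        }

        var failure = result.AuthorizationFailure;
        if (failure is null)
        {
            // Challenge result (unauthenticated caller): there is nothing to inspect.
            context.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return;
        }

        // Look in both places: FailedRequirements is populated only when no handler called Fail,
        // FailureReasons only when one did. Checking just one of them misses the other case.
        var apiKeyFailed = failure.FailedRequirements.OfType<ApiKeyRequirement>().Any()
                        || failure.FailureReasons.Any(r => r.Handler is ApiKeyHandler);

        context.Response.StatusCode = apiKeyFailed
            ? StatusCodes.Status401Unauthorized
            : StatusCodes.Status403Forbidden;
        await context.Response.WriteAsJsonAsync(new
        {
            failedRequirements = failure.FailedRequirements.Select(r => r.GetType().Name).ToArray(),
            failureReasons = failure.FailureReasons.Select(r => r.Message).ToArray(),
        });
    }
}
```

Running this and repeating the two cURL requests from the issue with X-API-Key: BadAPIKey gives 401 on both endpoints; the JSON body shows the implicit endpoint reporting the failure in failedRequirements and the explicit endpoint reporting it in failureReasons, which is the asymmetry the result handler has to account for. Matching on r.Handler is ApiKeyHandler rather than on the message string keeps the check stable if the wording of the reason changes.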