Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

SkipStatusCodePagesAttribute should run before AuthorizeAttribute

See original GitHub issue

Is your feature request related to a problem? Please describe.

[SkipStatusCodePages] is meant to be used in actions that are API calls, so that the StatusCodePagesMiddleware does not interfere with the response status code and body.

API actions are almost always decorated with [Authorize]. When user is not authorized, AuthorizeFilter short circuits and returns 401. Due to the short circuit, IResourceFilter, which SkipStatusCodePagesAttribute inherits, does not run, thus StatusCodePagesMiddleware runs and modifies the status code and body. The API caller does not receive 401 with empty body.

Describe the solution you’d like

Ideally, the StatusCodePagesMiddleware does not run when [SkipStatusCodePages], thus the API caller receives 401 with empty body.

This can be achieved by having SkipStatusCodePagesAttribute inherit from IAlwaysRunResultFilter instead.

Describe alternatives you’ve considered

Modifying the middleware pipeline with custom middleware. But this dissociates the action that needs SkipStatusCodePages from the code that does the work

Additional context

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Comments:6 (4 by maintainers)

github_iconTop GitHub Comments

3reactions
kevinchaletcommented, May 30, 2020

@mkArtakMSFT is there a chance this bug could be fixed in 5.0? It sadly makes [SkipStatusCodePages] hard to use in mixed API/views applications using token authentication.

1reaction
trannamtrung1stcommented, Nov 18, 2020

Any update on this? Currently I’m using a custom middleware. It seems a little bit weird but it’s working. I can pass my custom options into the middleware constructor.

public class ApiStatusCodeMiddleware
    {
        private readonly RequestDelegate _next;

        public ApiStatusCodeMiddleware(RequestDelegate next)
        {
            _next = next;
        }

        public async Task InvokeAsync(HttpContext context)
        {
            await _next(context);
            var isApiRequest = context.Request.Path.StartsWithSegments("/api");
            if (isApiRequest && context.Response.StatusCode >= 400 && context.Response.StatusCode < 500)
            {
                using var body = context.Response.Body;
                body.Flush();
            }
        }

    }
Read more comments on GitHub >

github_iconTop Results From Across the Web

Execute code in custom Attribute before the MVC ...
The default AuthorizeAttribute always seems to run before my custom attribute. Things I have tried. I made a custom attribute which inherits ...
Read more >
How to Create a Custom Authorize Attribute in ASP.NET Core
Let's implement a custom authorization attribute using both IAuthorizationFilter and policy-based authorization.
Read more >
Kompletní pohled na .NET 7 - Miroslav Holec
Allow should allow a missing Content-Type #36466 · SkipStatusCodePagesAttribute should run before AuthorizeAttribute #10317 ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

(blazor) Failed to reconnect to the server

Next page

Client/server networking abstractions