Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Discuss] Check if authenticated only when specified #1030

Open
wants to merge 4 commits into
base: develop
Choose a base branch
from
Open

[Discuss] Check if authenticated only when specified #1030

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
cfaddc2
Check for authentication only when specified
Shane32 May 23, 2023
29635ea
Update tests
Shane32 May 23, 2023
02b84bb
Update
Shane32 May 23, 2023
2159497
Update
Shane32 May 23, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
6 changes: 2 additions & 4 deletions src/Transports.AspNetCore/AuthorizationHelper.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,7 @@ public static class AuthorizationHelper
/// </summary>
public static async ValueTask<bool> AuthorizeAsync<TState>(AuthorizationParameters<TState> options, TState state)
{
var anyRolesRequired = options.AuthorizedRoles?.Any() ?? false;

if (options.AuthorizationRequired || anyRolesRequired || options.AuthorizedPolicy != null)
if (options.AuthorizationRequired)
{
if (!((options.HttpContext.User ?? NoUser()).Identity ?? NoIdentity()).IsAuthenticated)
{
Expand All @@ -24,7 +22,7 @@ public static async ValueTask<bool> AuthorizeAsync<TState>(AuthorizationParamete
}
}

if (anyRolesRequired)
if (options.AuthorizedRoles?.Any() ?? false)
{
var user = options.HttpContext.User ?? NoUser();
foreach (var role in options.AuthorizedRoles!)
Expand Down
16 changes: 8 additions & 8 deletions src/Transports.AspNetCore/AuthorizationVisitorBase.Validation.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,15 +71,15 @@ public readonly record struct ValidationInfo(
/// </summary>
protected virtual async ValueTask<bool> ValidateAsync(ValidationInfo info)
{
bool requiresAuthorization = info.Obj.IsAuthorizationRequired();
if (!requiresAuthorization)
return true;

var authorized = _userIsAuthorized ??= IsAuthenticated;
if (!authorized)
//note: in v7 currently: IsAuthorizationRequired returns true if authorization is required, or if policies or roles are set
if (info.Obj.GetMetadata(AuthorizationExtensions.AUTHORIZE_KEY, false) /* info.Obj.IsAuthorizationRequired() */)
{
HandleNodeNotAuthorized(info);
return false;
var authorized = _userIsAuthorized ??= IsAuthenticated;
if (!authorized)
{
HandleNodeNotAuthorized(info);
return false;
}
}

var policies = info.Obj.GetPolicies();
Expand Down
4 changes: 2 additions & 2 deletions tests/Samples.Jwt.Tests/EndToEndTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ public async Task GraphQLGet_Authorized()
[Fact]
public async Task GraphQLGet_Unauthorized()
{
await _testServer.VerifyGraphQLGetAsync(expected: ACCESS_DENIED_RESPONSE, statusCode: HttpStatusCode.Unauthorized);
await _testServer.VerifyGraphQLGetAsync(expected: ACCESS_DENIED_RESPONSE, statusCode: HttpStatusCode.Forbidden);
}

[Fact]
Expand All @@ -55,7 +55,7 @@ public async Task GraphQLPost_Authorized()
[Fact]
public async Task GraphQLPost_Unauthorized()
{
await _testServer.VerifyGraphQLPostAsync(expected: ACCESS_DENIED_RESPONSE, statusCode: HttpStatusCode.Unauthorized);
await _testServer.VerifyGraphQLPostAsync(expected: ACCESS_DENIED_RESPONSE, statusCode: HttpStatusCode.Forbidden);
}

[Fact]
Expand Down
26 changes: 6 additions & 20 deletions tests/Transports.AspNetCore.Tests/Middleware/AuthorizationTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -191,7 +191,7 @@ public async Task NotAuthorized_Roles(bool authenticated)
_options.AuthorizedRoles.Add("AnotherRole");
_options.AuthorizedRoles.Add("FailingRole");
using var response = await PostQueryAsync("{ __typename }", authenticated);
response.StatusCode.ShouldBe(authenticated ? HttpStatusCode.Forbidden : HttpStatusCode.Unauthorized);
response.StatusCode.ShouldBe(HttpStatusCode.Forbidden);
var actual = await response.Content.ReadAsStringAsync();
actual.ShouldBe("""{"errors":[{"message":"Access denied for schema.","extensions":{"code":"ACCESS_DENIED","codes":["ACCESS_DENIED"]}}]}""");
}
Expand All @@ -205,16 +205,9 @@ public async Task NotAuthorized_Roles_2(bool authenticated)
_options.AuthorizedRoles.Add("FailingRole");
_enableCustomErrorInfoProvider = true;
using var response = await PostQueryAsync("{ __typename }", authenticated);
response.StatusCode.ShouldBe(authenticated ? HttpStatusCode.Forbidden : HttpStatusCode.Unauthorized);
response.StatusCode.ShouldBe(HttpStatusCode.Forbidden);
var actual = await response.Content.ReadAsStringAsync();
if (authenticated)
{
actual.ShouldBe("""{"errors":[{"message":"Access denied; roles required \u0027AnotherRole\u0027/\u0027FailingRole\u0027.","extensions":{"code":"ACCESS_DENIED","codes":["ACCESS_DENIED"]}}]}""");
}
else
{
actual.ShouldBe("""{"errors":[{"message":"Access denied; authorization required.","extensions":{"code":"ACCESS_DENIED","codes":["ACCESS_DENIED"]}}]}""");
}
actual.ShouldBe("""{"errors":[{"message":"Access denied; roles required \u0027AnotherRole\u0027/\u0027FailingRole\u0027.","extensions":{"code":"ACCESS_DENIED","codes":["ACCESS_DENIED"]}}]}""");
}

[Fact]
Expand All @@ -235,7 +228,7 @@ public async Task NotAuthorized_Policy(bool authenticated)
{
_options.AuthorizedPolicy = "FailingPolicy";
using var response = await PostQueryAsync("{ __typename }", authenticated);
response.StatusCode.ShouldBe(authenticated ? HttpStatusCode.Forbidden : HttpStatusCode.Unauthorized);
response.StatusCode.ShouldBe(HttpStatusCode.Forbidden);
var actual = await response.Content.ReadAsStringAsync();
actual.ShouldBe("""{"errors":[{"message":"Access denied for schema.","extensions":{"code":"ACCESS_DENIED","codes":["ACCESS_DENIED"]}}]}""");
}
Expand All @@ -248,16 +241,9 @@ public async Task NotAuthorized_Policy_2(bool authenticated)
_options.AuthorizedPolicy = "FailingPolicy";
_enableCustomErrorInfoProvider = true;
using var response = await PostQueryAsync("{ __typename }", authenticated);
response.StatusCode.ShouldBe(authenticated ? HttpStatusCode.Forbidden : HttpStatusCode.Unauthorized);
response.StatusCode.ShouldBe(HttpStatusCode.Forbidden);
var actual = await response.Content.ReadAsStringAsync();
if (authenticated)
{
actual.ShouldBe("""{"errors":[{"message":"Access denied; policy required \u0027FailingPolicy\u0027.","extensions":{"code":"ACCESS_DENIED","codes":["ACCESS_DENIED"]}}]}""");
}
else
{
actual.ShouldBe("""{"errors":[{"message":"Access denied; authorization required.","extensions":{"code":"ACCESS_DENIED","codes":["ACCESS_DENIED"]}}]}""");
}
actual.ShouldBe("""{"errors":[{"message":"Access denied; policy required \u0027FailingPolicy\u0027.","extensions":{"code":"ACCESS_DENIED","codes":["ACCESS_DENIED"]}}]}""");
}

[Fact]
Expand Down