mderriey
commented
1 year ago I'm in two minds about the tests as what we're really doing is testing the underlying auth logic. I mean we should probably have tests to see if a module specifies RequiresAuthorization() we get a 401 response maybe
I rewrote the tests in https://github.com/CarterCommunity/Carter/pull/310/commits/f48051a6dcb8dc445ab15eedc3cceb59e01ed801 to inspect the endpoints to make sure that the authorization-specific metadata is there.
I'm still not super happy as we're testing the internal implementation of ASP.NET Core when we call RequireAuthorization, but at least we don't make HTTP calls to validate the behavior.
Thoughts?
cbrevik
jchannon
Motivation
It was found by a member of the Carter community Slack that the current
RequireAuthorizationmethod onCarterModuledoesn't allow to specify one or more policy names. The result is that the only policy that is appliable at the module level is the default authorization policy configured in the app.Changes
This PR adds another overload of the
RequireAuthorizationthat allows passing one or more policy names.It's worth noting that ASP.NET Core has even more overloads, see https://source.dot.net/#q=requireauthorization%3CTBuilder%3E:
RequireAuthorization<TBuilder>(this TBuilder builder, AuthorizationPolicy policy)RequireAuthorization<TBuilder>(this TBuilder builder, Action<AuthorizationPolicyBuilder> configurePolicy)RequireAuthorization<TBuilder>(this TBuilder builder, params IAuthorizeData[] authorizeData)Do we want to implement some of those?
Tests
Writing tests for this involved quite a bit of plumbing code. If you'd rather not have tests, or if you feel there's an easier way to test this than building a server and firing a request, please let me know.