Finbuckle / Finbuckle.MultiTenant

Finbuckle.MultiTenant is an open-source multitenancy middleware library for .NET. It enables tenant resolution, per-tenant app behavior, and per-tenant data isolation.
https://www.finbuckle.com/multitenant
Apache License 2.0

Invalid Routes: Alternative to HTTP 500 #177

Closed aceptra closed 4 years ago

aceptra commented 4 years ago

Things are working great. Thanks for this .NET Core multi-tenant library, btw.

However, invalid routes seem to always throw HTTP 500.

Is there a strategy to better handle this and return 400 instead? Crawlers prodding for penetration will throw any number of 'known CRM routes' that aren't valid in our application. And so our APM is going through the roof w/ "server errors" that really aren't an error.

ex: http://domain.com/php/admin isn't valid (no provided tenant), results in a 500.

AndrewTriesToCode commented 4 years ago

Hi @aceptra, just to be clear, are you using the route strategy to determine tenant? Can you post your ConfigureServices and Configure methods in your startup?

Or are you using the host strategy?

aceptra commented 4 years ago

We are using the Route Strategy.

Abbreviated here...

```csharp
// Route table shared by WithRouteStrategy(...) and app.UseMvc(...)
private void ConfigRoutes(IRouteBuilder routes)
{
    routes.MapRoute(
        name: "login",
        template: "Account/Login",
        defaults: new { controller = "Account", action = "Login" }
    );

    routes.MapRoute(
        name: "default",
        template: "{__tenant__}/{controller}/{action}"
    );
}

// In ConfigureServices:
services
    .AddMultiTenant()
    .WithInMemoryStore(Configuration.GetSection("Finbuckle:MultiTenant:InMemoryStore"))
    .WithRouteStrategy(ConfigRoutes)
    .WithRemoteAuthentication() // Important!
    .WithPerTenantOptions<OpenIdConnectOptions>((options, tenantInfo) =>
    // (snippet is cut off here in the original post)

// In Configure:
app.UseMvc(ConfigRoutes);
```

AndrewTriesToCode commented 4 years ago

@aceptra Thanks for posting more details. Tell me, would something like this work in your case?

Set default values for each route parameter:

```csharp
template: "{__tenant__=}/{controller=Home}/{action=Index}"
```

Note that the tenant default is empty, which means no tenant needs to be there to hit a controller/action, and in that case tenant will be null (unless you have a tenant with identifier "", which I do not recommend). I use this in my sample projects and I'm unable to get a 500 error.

Alternatively, since you are using remote authentication, the problem could be there. Can you do a simple test without OpenID Connect in the mix and see if you have the same issue?

Thanks and good luck!
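
An added example, not code from this thread or from the Finbuckle project: with the empty tenant default suggested above, a request that carries no tenant reaches MVC with a null tenant, and an action filter can answer it with a 404 before the action runs. `RequireTenantAttribute` and the two controllers are hypothetical names, and `GetMultiTenantContext()` is assumed to be the `HttpContext` extension shipped with the library version in use.

```csharp
using Finbuckle.MultiTenant;              // assumed namespace of GetMultiTenantContext()
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

// Hypothetical filter; not part of Finbuckle.MultiTenant.
// Apply it to controllers or actions that only make sense inside a tenant.
public sealed class RequireTenantAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext context)
    {
        // TenantInfo is null when the route strategy found no tenant segment
        // or the segment did not match any tenant in the store.
        var tenantInfo = context.HttpContext.GetMultiTenantContext()?.TenantInfo;

        if (tenantInfo == null)
        {
            // Setting Result short-circuits the pipeline: the action never runs,
            // so tenant-dependent code cannot fail on a null tenant, and the
            // client receives a 4xx that APM does not count as a server error.
            context.Result = new NotFoundResult();
        }
    }
}

// Tenant-scoped controller: requests without a resolved tenant get a 404.
[RequireTenant]
public class HomeController : Controller
{
    public IActionResult Index() => View();
}

// The "login" route (Account/Login) has no tenant segment,
// so this controller is deliberately left undecorated.
public class AccountController : Controller
{
    public IActionResult Login() => View();
}
```

Swap `NotFoundResult` for `BadRequestResult` if a 400 is preferred. The filter only covers requests that reach MVC; an error raised earlier in the pipeline is not affected by it.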

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.