IntentArchitect / Support

A repository dedicated to handling issues and support queries

Default API Security does not work like it should #67

Open shainegordon opened 1 year ago

shainegordon commented 1 year ago

What happened?

When you configure the project setting Api Settings -> Default API Security -> Secured by default, then any roles defined in the Services designer, on the Secured stereotype are not applied.

This is very easy to reproduce.

  1. Set Api Settings -> Default API Security to Unsecured by default
  2. Create/expose an endpoint
  3. Apply stereotype "Secured"
  4. Set value to "Admin"
  5. Run software factory
  6. This will add an [Authorize(Roles = "Admin")] to the controller action.
  7. Change the project setting from Unsecured by default to Secured by default.
  8. Run the software factory.
  9. This will now REMOVE [Authorize(Roles = "Admin")] from the controller action, and add [Authorize] to the controller class.

The expected behaviour here, with Secured by default, is that the class gets the [Authorize] attribute AND the controller action gets an [Authorize(Roles = "Admin")] attribute, if required.

Even better would be if Secured by default actually required authorization at the middleware layer,

e.g.

app.UseEndpoints(endpoints =>
{
    endpoints.MapDefaultHealthChecks();
    endpoints.MapControllers();
});

becomes

app.UseEndpoints(endpoints =>
{
    endpoints.MapDefaultHealthChecks();
    // Every controller endpoint now requires an authorized user unless it opts out.
    endpoints.MapControllers().RequireAuthorization();
});

What version of Intent Architect are you using?

4.0.6

Additional information

No response
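For reference, the following is an added example (not code from the issue, nor Intent Architect's generated output) of a minimal ASP.NET Core app in which the layers discussed above are all present: an authorization fallback policy, `RequireAuthorization()` on the mapped controllers, and a class-level `[Authorize]` combined with an action-level `[Authorize(Roles = "Admin")]`. The `OrdersController` and its routes are hypothetical; the authentication scheme is assumed to be configured elsewhere.

```csharp
// Added example: how ASP.NET Core authorization layers compose.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
builder.Services.AddHealthChecks();
// Authentication scheme registration is assumed to be done elsewhere.
builder.Services.AddAuthorization(options =>
{
    // Layer 1: any endpoint without explicit authorization metadata
    // requires an authenticated user (nothing is unsecured by omission).
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Layer 2: require authorization on all controller endpoints at the
// endpoint level, as suggested above. Health checks opt out explicitly.
app.MapHealthChecks("/health").AllowAnonymous();
app.MapControllers().RequireAuthorization();

app.Run();

// Layer 3: attributes. Both [Authorize] on the class and
// [Authorize(Roles = "Admin")] on the action are evaluated, so Delete
// requires an authenticated user who is also in the Admin role.
// Dropping the action attribute, as the bug describes, widens Delete
// to any authenticated user without any error or warning.
[ApiController]
[Route("api/[controller]")]
[Authorize]
public class OrdersController : ControllerBase // hypothetical controller
{
    [HttpGet]
    public IActionResult List() => Ok(); // any authenticated user

    [HttpDelete("{id}")]
    [Authorize(Roles = "Admin")]
    public IActionResult Delete(int id) => NoContent(); // Admin role only
}
```

A quick check after running the software factory is to grep the generated controllers for `Authorize(Roles` and confirm that every role declared on a Secured stereotype still appears.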

JonathanLydall commented 1 year ago

Hi @shainegordon,

Thanks for logging this, we have added this as a bug on our backlog and will be looking at it as soon as we are able. We will keep this issue open and update it when a fix is available.