Closed moshali1 closed 8 months ago
Hi @moshali1
Thanks for reporting, this would be bad. I will look into this and validate.
Greetings Damien
Yes, it is correct, this is the code:

```csharp
app.MapGet("/api/Counter", (HttpContext httpContext) => Results.Ok("Data from secure API"))
    .RequireAuthorization();
```

The RequireAuthorization is not working. I switched to the controller model.
@moshali1 Fixed this now. Thanks for reporting.
The BlazorAuthorizationMiddlewareResultHandler broke everything.
The API can only be used in WebAssembly mode; when server rendering is running, you can call the data directly. The API uses cookie authentication and so requires CSRF protection, which is missing.
I would recommend using only Blazor WebAssembly hosted in an ASP.NET Core app like the other example, or Blazor Server. Blazor Web in server-only mode seems to work, but you need the nonce protection.
Still a lot of "special" stuff with the mixed mode.
Here's a Blazor Web (Server only) which I think is fairly solid:
https://github.com/damienbod/BlazorServerOidc/tree/main/BlazorWebFromBlazorServerOidc
But I need to fully validate the security.
Greetings Damien
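One way to keep a custom `IAuthorizationMiddlewareResultHandler` from disabling `RequireAuthorization()` on the minimal API endpoints, as an added example that is not code from this repository: the handler only relaxes the result for Blazor UI requests and delegates everything under `/api` to the framework's default handler, so a failed policy still produces 401/403 (or the cookie login redirect). The class name, the `/api` path prefix and the cookie scheme are assumptions for the example.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Policy;

var builder = WebApplication.CreateBuilder(args);

// Cookie authentication, as the issue thread describes for the API (assumption: scheme only).
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie();
builder.Services.AddAuthorization();
// Replace the framework handler with the scoped one defined below.
builder.Services.AddSingleton<IAuthorizationMiddlewareResultHandler, ScopedBlazorAuthorizationResultHandler>();

var app = builder.Build();

// Order matters: authentication must run before authorization.
app.UseAuthentication();
app.UseAuthorization();

// Same endpoint as in the report; the policy is now enforced for API calls.
app.MapGet("/api/Counter", (HttpContext httpContext) => Results.Ok("Data from secure API"))
    .RequireAuthorization();

app.Run();

// Hypothetical handler: lets Blazor UI routes fall through (so the Blazor router can
// render its own NotAuthorized / login view) but never for API endpoints.
public sealed class ScopedBlazorAuthorizationResultHandler : IAuthorizationMiddlewareResultHandler
{
    private readonly AuthorizationMiddlewareResultHandler _default = new();

    public Task HandleAsync(RequestDelegate next, HttpContext context,
        AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult)
    {
        // API requests: use the default handler, which turns Challenged/Forbidden
        // into a challenge or forbid result instead of serving the data.
        if (context.Request.Path.StartsWithSegments("/api"))
        {
            return _default.HandleAsync(next, context, policy, authorizeResult);
        }

        // Blazor UI requests: continue the pipeline and let the component tree
        // (AuthorizeRouteView) decide what to render for an unauthorized user.
        if (authorizeResult.Challenged || authorizeResult.Forbidden)
        {
            return next(context);
        }

        return _default.HandleAsync(next, context, policy, authorizeResult);
    }
}
```

A quick check is the reporter's own reproduction: an unauthenticated request to `/api/Counter` should now return a 401 or a redirect to login rather than the payload.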
I have encountered an issue where the API endpoint "/api/Counter" is accessible without proper authorization. I don't know if I am missing something. I have made minimal changes, just adding connection configuration to Entra ID.
Steps to Reproduce:
1. Ensure you are logged out of the Blazor web application.
2. Open a new browser window or an incognito mode session.
3. Navigate to the endpoint: https://localhost:44348/api/Counter
Expected Behavior: Accessing the "/api/Counter" endpoint without authorization should result in an access denied error or redirect the user to a login page, preventing unauthorized access to API data.
Actual Behavior: The "/api/Counter" endpoint is accessible without authentication.