dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

webapi template uses HttpsRedirection and .http files redirect silently #54562

Open vsfeedback opened 8 months ago

vsfeedback commented 8 months ago

This issue has been moved from a ticket on Developer Community.


The default dotnet new webapi template includes the UseHttpsRedirection middleware which will redirect requests from http to https.

It also includes an https launch profile that includes both an http and an https endpoint on different ports.

It also includes a .http file which assigns: @ProjectName_HostAddress = http://localhost:5149

Given the above, if someone adds bearer token security to their web api, they will encounter behavior as described here: https://ardalis.com/http-file-not-sending-auth-header/

Specifically, the Authorization header will not be passed to the application and a 401 will be encountered on every request. Looking at the Request tab in the .http file it will be clear the Authorization header is missing but, crucially, not why.

The reason is described here: https://learn.microsoft.com/en-us/dotnet/api/system.net.http.httpclienthandler.allowautoredirect?view=net-8.0 which also notes:

In practice, this means that an application can't put custom authentication information into the Authorization header if it is possible to encounter redirection.

There are several ways in which this problem might be addressed:

1) Don't include HttpsRedirection in the default webapi project template
2) Don't include both http and https in the launch profile for https in the webapi project template
3) Make the default host address in the .http file be HTTPS.
4) Don't automatically follow redirects from .http files
5) Continue automatically following redirects but pass along Authorization headers
6) Continue automatically following redirects but include a LARGE NOTE in the results pane stating that a redirect was encountered and, therefore, any Authorization header was dropped.

I hope you'll consider adopting one or more of the above mitigations/fixes.

Thanks! Steve


Original Comments

Feedback Bot on 2/1/2024, 04:54 PM:

(private comment, text removed)

Feedback Bot on 2/2/2024, 00:51 AM:

(private comment, text removed)

Steve Smith on 2/2/2024, 06:42 AM:

(private comment, text removed)

Garry McGlennon [MSFT] on 2/27/2024, 07:05 PM:

(private comment, text removed)


Original Solutions

(no solutions)

blowdart commented 6 months ago

In discussions with Damian this should go further.

The http to https middleware should be removed from api projects and https enforced as a requirement with no listener on http.

Additionally, in all environments, api endpoints that require auth should reject authenticated requests indicating that auth tokens have been sent over http and should now be considered compromised. 421 seems to be the right status code for that.
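As an added example (not code from the aspnetcore repo or from either commenter), here is a minimal webapi `Program.cs` that combines mitigations 1 and 2 from the issue body with the 421 behaviour blowdart describes: no HTTP listener, no `UseHttpsRedirection`, and any request that still arrives over plain HTTP carrying an `Authorization` header is refused rather than redirected. The port `7149`, the `/weatherforecast` route and the response text are assumptions.

```csharp
// Added example, not part of the aspnetcore repo: a webapi Program.cs that
// applies the thread's proposals instead of the template's UseHttpsRedirection.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);

// Listen on HTTPS only (port assumed). With no HTTP endpoint there is nothing
// to redirect, so an HttpClient / .http request can never lose its
// Authorization header to a 307 from the redirection middleware.
// Assumes the dev certificate is trusted: `dotnet dev-certs https --trust`.
builder.WebHost.UseUrls("https://localhost:7149");

var app = builder.Build();

// Defence in depth for a request that does reach the app over plain HTTP
// (for example an HTTP listener added later, or a proxy terminating TLS
// without forwarding the scheme): if it carries credentials, answer 421
// Misdirected Request instead of redirecting or serving it. The token has
// already crossed the wire unencrypted, so the caller should rotate it.
app.Use(async (context, next) =>
{
    if (!context.Request.IsHttps &&
        context.Request.Headers.ContainsKey("Authorization"))
    {
        context.Response.StatusCode = 421; // Misdirected Request
        await context.Response.WriteAsync(
            "Credentials were sent over plain HTTP; treat the token as " +
            "compromised, rotate it, and resend over HTTPS.");
        return;
    }
    await next(context);
});

// Route and payload are assumed; this stands in for the template's endpoint.
app.MapGet("/weatherforecast", () => Results.Ok(new { summary = "Sunny" }));

app.Run();
```

The companion `.http` file then needs its base address to match the HTTPS listener (mitigation 3), e.g. `@ProjectName_HostAddress = https://localhost:7149`, so no redirect is ever involved.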