fullstackhero / dotnet-starter-kit

Production Grade Cloud-Ready .NET 8 Starter Kit (Web API + Blazor Client) with Multitenancy Support, and Clean/Modular Architecture that saves roughly 200+ Development Hours! All Batteries Included.
https://fullstackhero.net/dotnet-webapi-boilerplate/
MIT License

Add [AllowAnonymous] on create tenant not working #131

Closed geekz-reno closed 2 years ago

geekz-reno commented 2 years ago

Describe the bug: Is it possible to create a tenant without doing any authentication?

To Reproduce: Steps to reproduce the behavior: Change [MustHavePermission(RootPermissions.Tenants.Create)] to [AllowAnonymous] on TenantController -> CreateAsync; it still returns unauthorized.

Expected behavior: Create a tenant without performing any authentication.

iammukeshm commented 2 years ago

As per the design, only the Root Admin of the application has access to create new tenants. This comes as a part of Tenant Management. I believe this will be a secure way to manage tenants in enterprise applications.

geekz-reno commented 2 years ago

Hi @iammukeshm very clear, thank you for your great effort.

geekz-reno commented 2 years ago

Hi @iammukeshm, I just tested again on IdentityController:

ForgotPasswordAsync https://github.com/fullstackhero/dotnet-webapi-boilerplate/blob/777d74feb5271b8d09e9d5f61739cd7a74cfc31b/src/Bootstrapper/Controllers/Identity/IdentityController.cs#L51

and the other actions that have the [AllowAnonymous] attribute were all not accessible without performing get-token first. Is this expected?

iammukeshm commented 2 years ago

@geekz-reno

You need to add the tenant header to the request. I have updated the Postman collection. Please fetch the latest code and try.

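An added illustration, not the project's own code, of why an endpoint marked [AllowAnonymous] still rejects a request that carries no tenant header: in a minimal ASP.NET Core app the tenant-resolution middleware sits in the pipeline before authentication and authorization, so it gates every endpoint regardless of its authorization attributes. The header name `tenant`, the routes and the permission claim are assumed for this example.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
// JWT bearer configuration (authority, signing key) is omitted; assumed to be supplied elsewhere.
builder.Services.AddAuthentication("Bearer").AddJwtBearer();
builder.Services.AddAuthorization();

var app = builder.Build();

const string TenantHeader = "tenant"; // header name assumed for illustration

// Tenant resolution runs BEFORE UseAuthentication/UseAuthorization, so a
// missing tenant header short-circuits even [AllowAnonymous] endpoints.
app.Use(async (context, next) =>
{
    if (!context.Request.Headers.TryGetValue(TenantHeader, out var tenantId)
        || string.IsNullOrWhiteSpace(tenantId))
    {
        context.Response.StatusCode = StatusCodes.Status401Unauthorized;
        await context.Response.WriteAsync("Tenant header missing.");
        return; // pipeline stops here; the endpoint is never reached
    }

    // Tenant is known for the rest of the request (e.g. for a per-tenant DbContext).
    context.Items["TenantId"] = tenantId.ToString();
    await next(context);
});

app.UseAuthentication();
app.UseAuthorization();

// No bearer token required, but the tenant header still is (middleware above).
app.MapPost("/api/identity/forgot-password", (HttpContext ctx) =>
        Results.Ok(new { tenant = ctx.Items["TenantId"], status = "reset mail queued" }))
   .AllowAnonymous();

// Tenant creation stays restricted: it needs a token carrying the root permission claim.
app.MapPost("/api/tenants", () => Results.Ok("tenant created"))
   .RequireAuthorization(policy => policy.RequireClaim("permission", "Tenants.Create"));

app.Run();
```

A request to /api/identity/forgot-password without the `tenant` header gets 401 from the middleware; with the header and no token it reaches the handler, while /api/tenants additionally needs an authenticated principal with the permission claim.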

geekz-reno commented 2 years ago

Confirmed, many thanks @iammukeshm