havit / Havit.Blazor

Free Bootstrap 5 components for ASP.NET Blazor + optional enterprise-level stack for Blazor development (gRPC code-first, layered architecture, localization, auth, ...)
https://havit.blazor.eu
MIT License
463 stars, 63 forks

[gRPC] AllowAnonymous on a service method is ignored #840

Open jirikanda opened 1 month ago

jirikanda commented 1 month ago

AllowAnonymousAttribute on a single method is ignored:

```csharp
// Class-level policy applies to the whole facade
[Authorize(Policy = PolicyNames.EShopCustomerPolicy)]
public class OfferFacade
{
    ...
    // Method-level override has no effect: the call still requires authorization
    [AllowAnonymous]
    public async Task<OfferHeaderDto> GetOfferHeaderAsync(Dto<string> offerRefer, CancellationToken cancellationToken = default)
    {
        ...
    }
}
```

hakenr commented 1 month ago

Probably due to the [ApiContract] attribute on IOfferFacade, where the RequireAuthorization property defaults to true.

Currently, with the way we register the gRPC services in startup code, we do not expect to have both authorized and anonymous methods on a single facade. You can still remove the RequireAuthorization() call from the gRPC registration in MapGrpcServicesByApiContractAttributes() (configureEndpointWithAuthorization action), which will remove the default "fallback authorization = require the user to be at least authenticated" and rely solely on the [Authorize] attributes on the facade itself.

https://github.com/havit/NewProjectTemplate-Blazor/blob/808f7a31bf1c7676c4802fc661f45358210b3a38/Web.Server/Startup.cs#L145-L148

The original purpose of the RequireAuthorization property on [ApiContract] attribute was to allow a simple decision on client-side whether to require a JWT token to be added to the server calls: https://github.com/havit/NewProjectTemplate-Blazor/blob/58e7c29c827f079975629af75a8529db6cd8d7ea/Web.Client/Program.cs#L100-L104

...with the new BWA and cookie-based auth, we can drop the JWT token support (can we?) and remove the [ApiContract(RequireAuthorization = ...)] property. Breaking change.
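
An added example (not code from Havit.Blazor or the NewProjectTemplate) of the trade-off in the suggestion above: once the RequireAuthorization() fallback is dropped from the gRPC registration, any facade that carries no [Authorize] at all becomes callable anonymously, so a startup check over the [ApiContract] types catches facades that lost their policy. The Havit namespaces and the exact parameter shape of MapGrpcServicesByApiContractAttributes are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Routing;
// Assumed namespaces for ApiContractAttribute and the MapGrpcServicesByApiContractAttributes extension.
using Havit.Blazor.Grpc.Core;
using Havit.Blazor.Grpc.Server;

public static class GrpcAuthorizationSetup
{
    // Registration without the endpoint-level fallback: authorization then comes only
    // from [Authorize]/[AllowAnonymous] on the facades (parameter shape is assumed).
    public static void MapFacadesAttributeOnly(IEndpointRouteBuilder endpoints, Assembly contracts)
    {
        endpoints.MapGrpcServicesByApiContractAttributes(
            contracts,
            configureEndpointWithAuthorization: endpoint => { /* no RequireAuthorization() */ });
    }

    // Guard against the fail-open side effect: every class implementing an [ApiContract]
    // interface must carry [Authorize] or an explicit [AllowAnonymous] at type level.
    public static IReadOnlyList<string> FindFacadesWithoutPolicy(Assembly contracts, Assembly server)
    {
        var contractTypes = contracts.GetTypes()
            .Where(t => t.IsInterface && t.GetCustomAttribute<ApiContractAttribute>() != null)
            .ToList();
        var missing = new List<string>();
        foreach (var impl in server.GetTypes().Where(t => t.IsClass && !t.IsAbstract))
        {
            if (!contractTypes.Any(c => c.IsAssignableFrom(impl)))
                continue; // not a gRPC facade
            bool hasAuthorize = impl.GetCustomAttributes<AuthorizeAttribute>(inherit: true).Any();
            bool isAnonymous = impl.GetCustomAttributes<AllowAnonymousAttribute>(inherit: true).Any();
            if (!hasAuthorize && !isAnonymous)
                missing.Add(impl.FullName ?? impl.Name);
        }
        return missing;
    }

    // Call at startup right after mapping the services; fail fast instead of fail open.
    public static void EnsureEveryFacadeHasPolicy(Assembly contracts, Assembly server)
    {
        var missing = FindFacadesWithoutPolicy(contracts, server);
        if (missing.Count > 0)
            throw new InvalidOperationException("Facades without an authorization policy: " + string.Join(", ", missing));
    }
}
```

The check only looks at type-level attributes, which matches the current behaviour where a method-level [AllowAnonymous] is not honoured.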

jirikanda commented 4 weeks ago

> we do not expect to have both authorized and anonymous methods on single facade

OK, so the only possible way is to make IOfferFacade and IOfferFacadeWithAnonymousAccess? (I am not sure now if it can be implemented with just one class.)

> ...with the new BWA and cookie-based auth, we can drop the JWT token support (can we?) and remove the

We can. For the BWA (we have removed the NuGet package with this support from the application).