havit / Havit.Blazor

Free Bootstrap 5 components for ASP.NET Blazor + optional enterprise-level stack for Blazor development (gRPC code-first, layered architecture, localization, auth, ...)
https://havit.blazor.eu
MIT License

[gRPC] AllowAnonymous on a service method is ignored #840

Open jirikanda opened 5 months ago

jirikanda commented 5 months ago

AllowAnonymousAttribute on a single method is ignored:

```csharp
[Authorize(Policy = PolicyNames.EShopCustomerPolicy)]
public class OfferFacade
{
    ...

    [AllowAnonymous]
    public async Task<OfferHeaderDto> GetOfferHeaderAsync(Dto<string> offerRefer, CancellationToken cancellationToken = default)
    {
        ...
    }
}
```

hakenr commented 5 months ago

Probably due to the [ApiContract] attribute on IOfferFacade, where the RequireAuthorization property defaults to true.

Currently, with the way we register the gRPC services in startup code, we do not expect to have both authorized and anonymous methods on a single facade. You can still remove the RequireAuthorization() call from the gRPC registration in MapGrpcServicesByApiContractAttributes() (configureEndpointWithAuthorization action), which will remove the default "fallback authorization = require the user to be at least authenticated" and rely solely on the [Authorize] attributes on the facade itself.

https://github.com/havit/NewProjectTemplate-Blazor/blob/808f7a31bf1c7676c4802fc661f45358210b3a38/Web.Server/Startup.cs#L145-L148

The original purpose of the RequireAuthorization property on [ApiContract] attribute was to allow a simple decision on client-side whether to require a JWT token to be added to the server calls: https://github.com/havit/NewProjectTemplate-Blazor/blob/58e7c29c827f079975629af75a8529db6cd8d7ea/Web.Client/Program.cs#L100-L104

...with the new BWA and cookie-based auth, we can drop the JWT token support (can we?) and remove the [ApiContract(RequireAuthorization = ...)] property. Breaking change.
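A startup-time audit for the option described above, added here as an example and not code from Havit.Blazor or the NewProjectTemplate: once the RequireAuthorization() fallback is removed from the gRPC registration, it lists every facade class that carries neither [Authorize] nor [AllowAnonymous] (and would therefore be reachable anonymously) and every method-level [AllowAnonymous] inside an [Authorize]d facade (the pattern this issue reports as ignored). It assumes the facade interfaces are marked with the project's [ApiContract] attribute, matched here by type name so no project namespace is needed, and takes the contracts and server assemblies as parameters.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using Microsoft.AspNetCore.Authorization;

// Added example; not part of Havit.Blazor or the NewProjectTemplate.
public static class FacadeAuthorizationAudit
{
    public sealed record Finding(string Facade, string Problem);

    public static IReadOnlyList<Finding> Run(Assembly contractsAssembly, Assembly serverAssembly)
    {
        // Assumption: facade interfaces carry the project's [ApiContract] attribute (matched by name).
        var contracts = contractsAssembly.GetTypes()
            .Where(t => t.IsInterface && t.GetCustomAttributes().Any(a => a.GetType().Name == "ApiContractAttribute"))
            .ToHashSet();

        var findings = new List<Finding>();
        foreach (var facade in serverAssembly.GetTypes().Where(t => t.IsClass && !t.IsAbstract))
        {
            if (!facade.GetInterfaces().Any(contracts.Contains)) continue;

            bool classAuthorize = facade.GetCustomAttributes(inherit: true).OfType<IAuthorizeData>().Any();
            bool classAnonymous = facade.GetCustomAttributes(inherit: true).OfType<IAllowAnonymous>().Any();

            // Without the endpoint-level RequireAuthorization() fallback, a facade with neither
            // attribute is served to unauthenticated callers.
            if (!classAuthorize && !classAnonymous)
                findings.Add(new Finding(facade.Name, "no [Authorize] or [AllowAnonymous] on the facade class"));

            // The mixed pattern from this issue: method-level [AllowAnonymous] on an [Authorize]d
            // facade, which the current registration does not honour.
            foreach (var method in facade.GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly))
            {
                if (classAuthorize && method.GetCustomAttributes().OfType<IAllowAnonymous>().Any())
                    findings.Add(new Finding($"{facade.Name}.{method.Name}",
                        "method-level [AllowAnonymous] is ignored; move the method to a separate facade"));
            }
        }
        return findings;
    }
}
```

Run it once during startup (for example with `typeof(IOfferFacade).Assembly` and `typeof(OfferFacade).Assembly`) and fail startup when the list is non-empty, so that dropping the fallback never silently exposes a facade.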

jirikanda commented 5 months ago

> we do not expect to have both authorized and anonymous methods on single facade

OK, so the only possible way is to make IOfferFacade and IOfferFacadeWithAnonymousAccess? (I am not sure now if it can be implemented with just one class.)

> ...with the new BWA and cookie-based auth, we can drop the JWT token support (can we?) and remove the

We can. For the BWA (we have removed the nuget package from the application with this support).