twitchax / AspNetCore.Proxy

ASP.NET Core Proxies made easy.
MIT License

Can I [Authorize] on Mapped proxy routes? #53

Closed szalapski closed 4 years ago

szalapski commented 4 years ago

Is there any way to add an AuthorizeAttribute on Mapped proxy routes without creating a controller for them?

twitchax commented 4 years ago

@szalapski, interesting question. Do you have a link or an example for this pattern in "vanilla" ASP.NET Core route mapping?

szalapski commented 4 years ago

Yes, here it is https://docs.microsoft.com/en-us/aspnet/core/security/authorization/roles?view=aspnetcore-3.1. If I have controllers with [Authorize(...)] on them, I would like to convert them to .Map so that I can eliminate the controllers, but still have authorization on them.

twitchax commented 4 years ago

I don’t see the .Map example in your link. I might be missing it?

szalapski commented 4 years ago

Let's take an example similar to those in that link. Suppose inside of the following controller method was nothing but a call to this.HttpProxyAsync:

public class AdministrationController : Controller
{
    [Authorize(Roles = "Administrator")]
    public Task SetTime() => this.HttpProxyAsync(...);
}

Is there or could there be any way to convert this to .Map syntax, so that I can get rid of the controller, while still retaining the [Authorize] attribute on that route?

twitchax commented 4 years ago

@szalapski, maybe something like this health checks example?

twitchax commented 4 years ago

https://docs.microsoft.com/en-us/aspnet/core/fundamentals/routing?view=aspnetcore-3.1

szalapski commented 4 years ago

You mean via middleware? Middleware .UseAuthorization is already in place, and it needs attributes on methods and/or classes to determine what routes to subject to middleware. Not sure how I could do this with a route requested with Map.

twitchax commented 4 years ago

@szalapski, were you able to work around this?

szalapski commented 4 years ago

Only with explicit controllers.

On Fri, Jul 31, 2020, 5:38 PM Aaron Roney notifications@github.com wrote:

@szalapski, were you able to work around this?

twitchax commented 4 years ago

Have you tried using WithIntercept?

app.UseProxies(proxies => {
    proxies.Map(proxy => proxy.UseHttp("http://google.com/", http => http.WithIntercept(async context => {
        if(!context.User.IsInRole("Admin") /* Or whatever else you need to check here. */)
        {
            context.Response.StatusCode = 401;
            await context.Response.WriteAsync("You need to be an admin!");
            return true;
        }

        return false;
    })));
});

szalapski commented 4 years ago

Cool...I think that should work. I wonder if there could be a way to use an actual AuthorizeAttribute with this? My only concern over the "manual" way you specify above is that future developers might only look for [Authorize] and not think about custom code like the above. But I suppose that might not be too big a concern.
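
One way to narrow the gap between the manual intercept and `[Authorize]`, as an added example that is not part of the thread or the AspNetCore.Proxy project's own code: the intercept hands the decision to ASP.NET Core's `IAuthorizationService` under a named policy, so the rule is declared alongside the app's other policies. The policy name, helper names, route and upstream URL are assumptions for illustration, and the routed `Map(route, ...)` form is assumed rather than taken from the snippet above.

```csharp
using System.Threading.Tasks;
using AspNetCore.Proxy;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class ProxyAuthorization
{
    // Hypothetical policy name; register it once, next to the app's other policies.
    public const string AdminPolicy = "ProxyAdministrator";

    public static void AddProxyPolicies(this IServiceCollection services) =>
        services.AddAuthorization(options =>
            options.AddPolicy(AdminPolicy, policy => policy.RequireRole("Administrator")));

    // Same contract as the intercept in the thread: true means the request was
    // rejected here and must not be forwarded, false lets the proxy continue.
    public static async Task<bool> RejectUnlessAuthorized(HttpContext context, string policyName)
    {
        var authorization = context.RequestServices.GetRequiredService<IAuthorizationService>();
        var result = await authorization.AuthorizeAsync(context.User, policyName);
        if (result.Succeeded)
            return false;

        if (context.User.Identity?.IsAuthenticated == true)
            await context.ForbidAsync();     // known caller without the role: 403
        else
            await context.ChallengeAsync();  // anonymous caller: 401 or login redirect, per scheme
        return true;
    }

    public static void UseAuthorizedProxies(this IApplicationBuilder app)
    {
        // Authentication must run before the proxy, or context.User is empty in the intercept.
        app.UseAuthentication();

        app.UseProxies(proxies =>
            // "admin/settime" and the upstream URL are placeholders (assumptions).
            proxies.Map("admin/settime", proxy => proxy.UseHttp("http://backend.example/settime",
                http => http.WithIntercept(async context =>
                    await RejectUnlessAuthorized(context, AdminPolicy)))));
    }
}
```

`ForbidAsync` and `ChallengeAsync` rely on a default authentication scheme being registered with `AddAuthentication`; searching the code base for the policy constant then finds every proxy route it guards.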

twitchax commented 4 years ago

Yeah, I can see that as being a problem, for sure. Any specific reason you are trying to stay away from controllers?