I created a new project using the latest version of the CLI 2.6.2 using --ui none and I noticed that when I added the [Authorize] attribute to a CustomAppService and used swagger to call it, swagger returns the HTML of the login page. While searching for a solution I found #1670 and #2643
My understanding is that I will have to create a controller for every single application service that requires authorization so my application can have the same behaviour as other endpoints (e.g. /api/abp/permissions). Doesn't this defeat the purpose of Auto API Controllers?
Following this thought, I will just have to create dummy Controllers that won't be doing anything other than calling my actual app services and I won't be able to take advantage of the Auto API Controllers.
Is there a workaround or a plan to change this in the future?
I don't think we should change this behavior.
https://github.com/abpframework/abp/issues/2643#issuecomment-574940166
When you call the controller that requires authentication, the authentication middleware finds that the current user is not authenticated and calls ChallengeAsync (the DefaultChallengeScheme is the identity cookie). At this point the request has been short-circuited.
If your anonymous controller calls the application service method, it will execute the ABP filter and interceptor. The framework throws AbpAuthorizationException, the filter wraps the exception into a 401, etc.
I do understand that. My point is that, with the current behaviour, the auto API controllers are basically useless for backend apps since we have to create a dummy controller for all endpoints which require the [Authorize] attribute to be applied (which tends to be the majority).
Auto API Controllers convert the application service into a controller.
This is how the controller behaves.
@maliming That's my whole point. I understand that this is how controllers behave but I think it would be beneficial to intercept that behaviour using the ABP Filters (if possible) and make it work the same way.
ABP has a functionality to make application services behave as controllers, which is awesome, but it is not consistent when it comes to authorization (just because the way controllers work). We get different results when calling a controller that calls an app service and when calling the app service using the auto API controller feature which basically forces the user to create controllers anyway for app services that need authorization.
I would also be interested in how to achieve this for my API layer. A response code of 401 would allow for easier development of libraries for APIs. As an example, the default R library generated from Swagger assumes any 200 means we are getting the expected object back from the definition. This could also be the redirect to the login page, which then causes JSON parsing exceptions.
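One way to get the 401/403 behaviour asked for above without writing a dummy controller per app service, as an added example that is not code from this thread or from ABP itself: hook the cookie scheme's redirect events so that unauthenticated calls under an API path prefix are answered with a status code instead of the HTML login page. The module name and the `/api` prefix are assumptions; it assumes the Identity application cookie is the challenge scheme, as described earlier in the thread.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Volo.Abp.Modularity;

// Added example, not part of this thread or of ABP itself.
// Module name and the "/api" prefix are assumptions; adjust to your project.
public class MyProjectWebModule : AbpModule
{
    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        // ConfigureApplicationCookie is the standard ASP.NET Core Identity
        // hook for the application cookie scheme that issues the challenge.
        context.Services.ConfigureApplicationCookie(options =>
        {
            // Unauthenticated API call: answer 401 instead of redirecting to
            // the HTML login page, so API clients get a parseable result.
            options.Events.OnRedirectToLogin = ctx =>
            {
                if (ctx.Request.Path.StartsWithSegments("/api"))
                {
                    ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
                    return Task.CompletedTask;
                }
                // Browser (non-API) requests keep the normal login redirect.
                ctx.Response.Redirect(ctx.RedirectUri);
                return Task.CompletedTask;
            };

            // Same idea for an authenticated user who lacks permission: 403.
            options.Events.OnRedirectToAccessDenied = ctx =>
            {
                if (ctx.Request.Path.StartsWithSegments("/api"))
                {
                    ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
                    return Task.CompletedTask;
                }
                ctx.Response.Redirect(ctx.RedirectUri);
                return Task.CompletedTask;
            };
        });
    }
}
```

With this in place, the Auto API Controller for a `[Authorize]` app service returns a bare 401 to Swagger or an R client, while regular MVC page requests still redirect to the login page.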
hi all
Please follow: https://github.com/abpframework/abp/issues/5235