Aspnetcore: SkipStatusCodePagesAttribute should run before AuthorizeAttribute

Created on 17 May 2019  路  4Comments  路  Source: dotnet/aspnetcore

Is your feature request related to a problem? Please describe.

[SkipStatusCodePages] is meant to be used in actions that are API calls, so that the StatusCodePagesMiddleware does not interfere with the response status code and body.

API actions are almost always decorated with [Authorize]. When user is not authorized, AuthorizeFilter short circuits and returns 401. Due to the short circuit, IResourceFilter, which SkipStatusCodePagesAttribute inherits, does not run, thus StatusCodePagesMiddleware runs and modifies the status code and body. The API caller does not receive 401 with empty body.

Describe the solution you'd like

Ideally, the StatusCodePagesMiddleware does not run when [SkipStatusCodePages], thus the API caller receives 401 with empty body.

This can be achieved by having SkipStatusCodePagesAttribute inherit from IAlwaysRunResultFilter instead.

Describe alternatives you've considered

Modifying the middleware pipeline with custom middleware. But this dissociates the action that needs SkipStatusCodePages from the code that does the work

Additional context

area-mvc bug
Source
picture huan086

Most helpful comment

@mkArtakMSFT is there a chance this bug could be fixed in 5.0? It sadly makes [SkipStatusCodePages] hard to use in mixed API/views applications using token authentication.

picture kevinchalet on 30 May 2020
👍2

All 4 comments

Thanks for contacting us, @huan086. Would you like to send a PR for this? We'd happily consider it!

mkArtakMSFT picture mkArtakMSFT on 20 May 2019

I'm thinking we need to implement IOrderedFilter as well, so that when multiple IAlwaysRunResultFilter are present and some of them short-circuits, it'll be possible to make sure SkipStatusCodePagesAttribute runs first. @mkArtakMSFT what do you think?

huan086 picture huan086 on 30 May 2019

@mkArtakMSFT is there a chance this bug could be fixed in 5.0? It sadly makes [SkipStatusCodePages] hard to use in mixed API/views applications using token authentication.

kevinchalet picture kevinchalet on 30 May 2020
👍2

@kevinchalet, as much as I wish we could, I don't think we will get to this. Not during 5.0 timeline.

mkArtakMSFT picture mkArtakMSFT on 1 Jun 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

KerolosMalak picture KerolosMalak  路  269Comments
kevinchalet picture kevinchalet  路  761Comments
oliverjanik picture oliverjanik  路  91Comments
Rast1234 picture Rast1234  路  104Comments
davidfowl picture davidfowl  路  126Comments