Change DefaultFiles/DirectoryBrowser/StaticFileMiddleware to only no-op if there's an active endpoint with a non-null RequestDelegate

[DamianEdwards]

The DefaultFilesMiddleware, DirectoryBrowserMiddleware, and StaticFileMiddleware currently no-op (fall through to the next middleware in the pipeline) if they detect the request has an active endpoint (see code here).

This prevents the middleware from running even in cases where there's an endpoint with a null RequestDelegate. This prevents the ability to have an active endpoint for the purposes of communicating metadata to middleware while allowing middleware like the StaticFileMiddleware to keep performing its function, e.g. have a "dummy" endpoint to carry IAuthorizeData metadata so that the AuthorizationMiddleware performs authorization on a request before the StaticFileMiddleware runs (example here).

We should consider updating the check in these middleware to instead only no-op if the active endpoint's request delegate is null, i.e.:

// Return true because we only want to run if there is no endpoint request delegate.
private static bool ValidateNoEndpointRequestDelegate(HttpContext context) => context.GetEndpoint()?.RequestDelegate == null;

If there are other middleware with similar behavior we should consider updating those in a similar fashion.

[DamianEdwards]

@Tratcher @davidfowl @JamesNK any thoughts if this would cause any issues?

[Tratcher]

Could RequestDelegate ever be null before?

[DamianEdwards]

Endpoint.RequestDelegate is marked as nullable, so yes?

[Tratcher]

Sure, but in practice where there any situations where it was null that we would now handle differently?

[DamianEdwards]

Not that I'm aware of, but that's impossible to prove absolutely. Is your question basically "Are there cases where the middleware would now start handling the request where before it didn't?"

[Tratcher]

Right. If a null RequestDelegate was common for some situation before, those requests could now collide with StaticFiles. If this wasn't a pattern we saw in use before then the change is harmless.

[DamianEdwards]

I'll let the others chime in on that then, given I only found out today that Endpoint.RequestDelegate could even be null 😃

[davidfowl]

I am supportive of this change. It opens up something we're trying to do with endpoints and policies. An endpoint without a request delegate is pretty rare which is why I feel comfortable taking this one. It is a breaking change though, so maybe its worth documenting anyways.