
WebApplication.UseStatusCodePages() cannot handle unauthorized requests without explicit UseAuthorization() call #49515


Open
1 task done
marinasundstrom opened this issue Jul 19, 2023 · 7 comments
Labels
area-hosting Includes Hosting area-middleware Includes: URL rewrite, redirect, response cache/compression, session, and other general middlewares


marinasundstrom commented Jul 19, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

These are observations from implementing auth with Server-side rendered pages (SSR) in Blazor Preview 6 - using Razor components instead of MVC Razor pages.

Cookie auth just works, that is great. But there are some issues:

Issues:

  • AuthorizeRouteView doesn't work with the router. The NotAuthorized fragment does not get rendered. Instead I get redirected to a layout-less page saying: Error: 401 Unauthorized.

  • The LoginDisplay doesn't re-render when logged in using a form. Redirecting to another page would help here.

Questions:

  • How do I redirect to another URL from a component that is server rendered? NavigationManager of course doesn't work here.

My github repo (branch): https://github.com/marinasundstrom/Blazor8Test/tree/auth

Expected Behavior

When unauthorized and entering a page that requires authorization,
I expect the NotAuthorized fragment to be rendered with the MainLayout.

Steps To Reproduce

https://github.com/marinasundstrom/Blazor8Test/tree/auth

Exceptions (if any)

No response

.NET Version

8.0.100-preview.6.23330.14

Anything else?

No response

@ghost ghost added the area-blazor Includes: Blazor, Razor Components label Jul 19, 2023
@javiercn
Member

How do I redirect to another URL from a component that is server rendered? NavigationManager of course doesn't work here.

Navigation manager should work (not sure if it does in Preview6). There might be some conflicts with the SSR navigation manager overriding the static renderer one.

@marinasundstrom
Author

@javiercn OK. Yes. I'm on Preview 6 and it uses the RemoteNavigationManager even for a server-side rendered page. And when invoking NavigateTo on the server, an exception is thrown.

My workaround was to build my own "ServerNavigationManager" (Not inheriting from NavigationManager) which modifies the HttpContext.Response to redirect to the specified location.

@javiercn
Member

@marinasundstrom where are you seeing the 401 from the authorizeview?

On SSR, the auth middleware should be handling the auth for the page.

@marinasundstrom
Author

marinasundstrom commented Jul 19, 2023

@mkArtakMSFT mkArtakMSFT added this to the 8.0-rc1 milestone Jul 19, 2023
@mkArtakMSFT mkArtakMSFT modified the milestones: 8.0-rc1, 8.0-rc2 Jul 31, 2023
@danroth27 danroth27 modified the milestones: 8.0-rc1, 8.0-rc2 Aug 16, 2023
@marinasundstrom
Author

marinasundstrom commented Aug 22, 2023

I have learned that the component model doesn't handle the cases the same way with SSR as with Client. That makes sense, since it is about requests.

But the symptoms are still here in RC1, somewhere between component and middleware.

Not even app.UseStatusCodePagesWithRedirects("/error/{0}"); catches it as with other errors.

Still just a page with the text: Error: 401

Component file: https://github.com/marinasundstrom/Blazor8Test/blob/auth/src/Server/Pages/Auth.razor

@mkArtakMSFT mkArtakMSFT modified the milestones: 8.0-rc2, 8.0 Sep 29, 2023
@wtgodbe wtgodbe modified the milestones: 8.0, 8.0.0 Oct 3, 2023
@mkArtakMSFT mkArtakMSFT modified the milestones: 8.0.0, .NET 9 Planning Oct 10, 2023
@ghost

ghost commented Oct 10, 2023

To learn more about what this message means, what to expect next, and how this issue will be handled you can read our Triage Process document.
We're moving this issue to the .NET 9 Planning milestone for future evaluation / consideration. Because it's not immediately obvious what is causing this behavior, we would like to keep this around to collect more feedback, which can later help us determine how to handle this. We will re-evaluate this issue, during our next planning meeting(s).
If we later determine that the issue has no community involvement, or it's a very rare and low-impact issue, we will close it - so that the team can focus on more important and high impact work.

@halter73
Member

halter73 commented Nov 5, 2023

WebApplication's automatic UseAuthorization() insertion happens before the user-configured UseStatusCodePagesWithRedirects(). By adding UseAuthorization() explicitly, we can ensure UseStatusCodePagesWithRedirects() "sees" unauthorized requests.

https://learn.microsoft.com/en-us/aspnet/core/fundamentals/minimal-apis/middleware?view=aspnetcore-8.0

I submitted a PR to your github repo to fix the issue. marinasundstrom/Blazor8Test#3

I don't think this is a Blazor specific issue, but I do wonder if WebApplication could be a little smarter and insert UseAuthorization after UseStatusCodePages if it's being used, because this seems really easy to mess up. I don't want to make the automatic middleware initialization much more complicated than it already is though.
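The middleware ordering described in the comment above, as an added example (not code from the issue, the linked repo, or the PR). The `/secret` and `/error/{code}` endpoints and the cookie event override that makes a challenge return a bare 401 are assumptions made for illustration.

```csharp
// Program.cs for a minimal ASP.NET Core app (constructed for illustration).
using Microsoft.AspNetCore.Authentication.Cookies;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        // Assumption: answer a challenge with a bare 401 instead of the
        // cookie handler's default 302 to the login path, so the request
        // ends with the 401 status the issue describes.
        options.Events.OnRedirectToLogin = context =>
        {
            context.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return Task.CompletedTask;
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();

// Registered first, so it wraps everything below and inspects the response
// on the way back out. An empty 401 is turned into a redirect to /error/401.
app.UseStatusCodePagesWithRedirects("/error/{0}");

// Explicit calls suppress WebApplication's automatic insertion, which would
// otherwise place both middlewares ahead of UseStatusCodePagesWithRedirects.
// Deleting these two lines brings back the bare 401 response.
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical endpoints: one protected, one anonymous error page.
app.MapGet("/secret", () => "authorized content").RequireAuthorization();
app.MapGet("/error/{code:int}", (int code) => $"Custom error page for status {code}");

app.Run();
```

An anonymous request to `/secret` with this ordering is redirected to `/error/401`; the error endpoint itself must stay reachable without authorization or the redirect loops back into another 401.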

@halter73 halter73 added investigate area-hosting Includes Hosting area-middleware Includes: URL rewrite, redirect, response cache/compression, session, and other general middlewares and removed investigate area-blazor Includes: Blazor, Razor Components labels Nov 5, 2023
@halter73 halter73 removed their assignment Nov 5, 2023
@halter73 halter73 changed the title AuthorizeRouteView doesn't play well with Router in Server-side rendered Blazor app WebApplication.UseStatusCodePages() cannot handle unauthorized requests without explicit UseAuthorization() call Nov 5, 2023
@dotnet-policy-service dotnet-policy-service bot added the pending-ci-rerun When assigned to a PR indicates that the CI checks should be rerun label Feb 6, 2024
@wtgodbe wtgodbe removed the pending-ci-rerun When assigned to a PR indicates that the CI checks should be rerun label Feb 6, 2024
@dotnet-policy-service dotnet-policy-service bot added the pending-ci-rerun When assigned to a PR indicates that the CI checks should be rerun label Feb 6, 2024
@wtgodbe wtgodbe removed the pending-ci-rerun When assigned to a PR indicates that the CI checks should be rerun label Feb 13, 2024
@dotnet dotnet deleted a comment from dotnet-policy-service bot Feb 13, 2024
@dotnet dotnet deleted a comment from dotnet-policy-service bot Feb 13, 2024
@danroth27 danroth27 modified the milestones: .NET 9 Planning, Backlog Feb 5, 2025