SkipStatusCodePagesAttribute should run before AuthorizeAttribute

Question

SkipStatusCodePagesAttribute should run before AuthorizeAttribute

huan086 opened this issue 6 years ago · 6 comments

Is your feature request related to a problem? Please describe.

[SkipStatusCodePages] is meant to be used in actions that are API calls, so that the StatusCodePagesMiddleware does not interfere with the response status code and body.

API actions are almost always decorated with [Authorize]. When user is not authorized, AuthorizeFilter short circuits and returns 401. Due to the short circuit, IResourceFilter, which SkipStatusCodePagesAttribute inherits, does not run, thus StatusCodePagesMiddleware runs and modifies the status code and body. The API caller does not receive 401 with empty body.

Describe the solution you'd like

Ideally, the StatusCodePagesMiddleware does not run when [SkipStatusCodePages], thus the API caller receives 401 with empty body.

This can be achieved by having SkipStatusCodePagesAttribute inherit from IAlwaysRunResultFilter instead.

Describe alternatives you've considered

Modifying the middleware pipeline with custom middleware. But this dissociates the action that needs SkipStatusCodePages from the code that does the work

Additional context

Answer 1 · 2019-05-20T17:20:45.000Z

Thanks for contacting us, @huan086. Would you like to send a PR for this? We'd happily consider it!

Answer 2 · 2019-05-30T04:51:38.000Z

I'm thinking we need to implement IOrderedFilter as well, so that when multiple IAlwaysRunResultFilter are present and some of them short-circuits, it'll be possible to make sure SkipStatusCodePagesAttribute runs first. @mkArtakMSFT what do you think?

Answer 3 · 2020-05-30T12:28:56.000Z

@mkArtakMSFT is there a chance this bug could be fixed in 5.0? It sadly makes [SkipStatusCodePages] hard to use in mixed API/views applications using token authentication.

Answer 4 · 2020-06-01T15:39:08.000Z

@kevinchalet, as much as I wish we could, I don't think we will get to this. Not during 5.0 timeline.

Answer 5 · 2020-11-18T16:27:08.000Z

Any update on this? Currently I'm using a custom middleware. It seems a little bit weird but it's working. I can pass my custom options into the middleware constructor.

public class ApiStatusCodeMiddleware
    {
        private readonly RequestDelegate _next;

        public ApiStatusCodeMiddleware(RequestDelegate next)
        {
            _next = next;
        }

        public async Task InvokeAsync(HttpContext context)
        {
            await _next(context);
            var isApiRequest = context.Request.Path.StartsWithSegments("/api");
            if (isApiRequest && context.Response.StatusCode >= 400 && context.Response.StatusCode < 500)
            {
                using var body = context.Response.Body;
                body.Flush();
            }
        }

    }

Answer 6 · 2021-04-29T23:06:50.000Z

Hello, will this perhaps be fixed in 6?

We just ran into this and burned a day as our develop environment worked fine, but then we hit issues with UseStatusCodePagesWithReExecute called in our staging environment. Nothing about this behavior is in the docs that we could find either, but if it is there and we missed it, we apologize.