Merge pull request #102 from DuendeSoftware/dom/metadata-orderingD

leastprivilege · web-flow · commit 9cddd16e5a41 · 2022-06-13T15:41:07.000+02:00
Fix metadata order parsing
diff --git a/src/Duende.Bff/BffMiddleware.cs b/src/Duende.Bff/BffMiddleware.cs
@@ -51,19 +51,15 @@ public async Task Invoke(HttpContext context)
             return;
         }
 
-        var localEndpointMetadata = endpoint.Metadata.GetOrderedMetadata<BffApiAttribute>();
-        if (localEndpointMetadata.Any())
+        var localEndpointMetadata = endpoint.Metadata.GetMetadata<BffApiAttribute>();
+        if (localEndpointMetadata is { RequireAntiForgeryCheck: true })
         {
-            var requireLocalAntiForgeryCheck = localEndpointMetadata.First().RequireAntiForgeryCheck;
-            if (requireLocalAntiForgeryCheck)
+            if (!context.CheckAntiForgeryHeader(_options))
             {
-                if (!context.CheckAntiForgeryHeader(_options))
-                {
-                    _logger.AntiForgeryValidationFailed(context.Request.Path);
+                _logger.AntiForgeryValidationFailed(context.Request.Path);
 
-                    context.Response.StatusCode = 401;
-                    return;
-                }
+                context.Response.StatusCode = 401;
+                return;
             }
         }
         else
@@ -82,7 +78,7 @@ public async Task Invoke(HttpContext context)
         }
 
 #if NETCOREAPP3_1
-        context.Response.OnStarting(() => 
+        context.Response.OnStarting(() =>
         {
             // outbound: for .NET Core 3.1 - we assume that an API will never return a 302
             // if a 302 is returned, that must be the challenge to the OIDC provider
@@ -101,6 +97,7 @@ public async Task Invoke(HttpContext context)
                     context.Response.Headers.Remove("Set-Cookie");
                 }
             }
+
             return Task.CompletedTask;
         });
 #endif

Original file line number	Diff line number	Diff line change
`@@ -51,19 +51,15 @@ public async Task Invoke(HttpContext context)`
`51`	`51`	`return;`
`52`	`52`	`}`
`53`	`53`
`54`		`- var localEndpointMetadata = endpoint.Metadata.GetOrderedMetadata<BffApiAttribute>();`
`55`		`- if (localEndpointMetadata.Any())`
	`54`	`+ var localEndpointMetadata = endpoint.Metadata.GetMetadata<BffApiAttribute>();`
	`55`	`+ if (localEndpointMetadata is { RequireAntiForgeryCheck: true })`
`56`	`56`	`{`
`57`		`- var requireLocalAntiForgeryCheck = localEndpointMetadata.First().RequireAntiForgeryCheck;`
`58`		`- if (requireLocalAntiForgeryCheck)`
	`57`	`+ if (!context.CheckAntiForgeryHeader(_options))`
`59`	`58`	`{`
`60`		`- if (!context.CheckAntiForgeryHeader(_options))`
`61`		`- {`
`62`		`- _logger.AntiForgeryValidationFailed(context.Request.Path);`
	`59`	`+ _logger.AntiForgeryValidationFailed(context.Request.Path);`
`63`	`60`
`64`		`- context.Response.StatusCode = 401;`
`65`		`- return;`
`66`		`- }`
	`61`	`+ context.Response.StatusCode = 401;`
	`62`	`+ return;`
`67`	`63`	`}`
`68`	`64`	`}`
`69`	`65`	`else`
`@@ -82,7 +78,7 @@ public async Task Invoke(HttpContext context)`
`82`	`78`	`}`
`83`	`79`
`84`	`80`	`#if NETCOREAPP3_1`
`85`		`- context.Response.OnStarting(() =>`
	`81`	`+ context.Response.OnStarting(() =>`
`86`	`82`	`{`
`87`	`83`	`// outbound: for .NET Core 3.1 - we assume that an API will never return a 302`
`88`	`84`	`// if a 302 is returned, that must be the challenge to the OIDC provider`
`@@ -101,6 +97,7 @@ public async Task Invoke(HttpContext context)`
`101`	`97`	`context.Response.Headers.Remove("Set-Cookie");`
`102`	`98`	`}`
`103`	`99`	`}`
	`100`	`+`
`104`	`101`	`return Task.CompletedTask;`
`105`	`102`	`});`
`106`	`103`	`#endif`