Update HTTP endpoint authorization handler

The default authorization handler for HTTP endpoints is now the AuthenticationBasedHttpEndpointAuthorizationHandler instead of the AllowAnonymousHttpEndpointAuthorizationHandler. The configuration was updated in HttpFeature.cs and the override in Program.cs was removed. This provides more security to HTTP endpoints by requiring authentication.
faith0831 · Dec 28, 2023 · 2a5cf04 · 2a5cf04
1 parent fac292a
commit 2a5cf04
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 2 deletions.
diff --git a/src/bundles/Elsa.Server.Web/Program.cs b/src/bundles/Elsa.Server.Web/Program.cs
@@ -175,7 +175,6 @@
  .UseHttp(http =>
  {
  http.ConfigureHttpOptions = options => configuration.GetSection("Http").Bind(options);
- http.HttpEndpointAuthorizationHandler = sp => sp.GetRequiredService<AllowAnonymousHttpEndpointAuthorizationHandler>();
  })
  .UseEmail(email => email.ConfigureOptions = options => configuration.GetSection("Smtp").Bind(options))
  .UseAlterations(alterations =>

diff --git a/src/modules/Elsa.Http/Features/HttpFeature.cs b/src/modules/Elsa.Http/Features/HttpFeature.cs
@@ -53,7 +53,7 @@ public HttpFeature(IModule module) : base(module)
  /// <summary>
  /// A delegate that is invoked when authorizing an inbound HTTP request.
  /// </summary>
- public Func<IServiceProvider, IHttpEndpointAuthorizationHandler> HttpEndpointAuthorizationHandler { get; set; } = sp => sp.GetRequiredService<AllowAnonymousHttpEndpointAuthorizationHandler>();
+ public Func<IServiceProvider, IHttpEndpointAuthorizationHandler> HttpEndpointAuthorizationHandler { get; set; } = sp => sp.GetRequiredService<AuthenticationBasedHttpEndpointAuthorizationHandler>();
 
  /// <summary>
  /// A delegate that is invoked when an HTTP workflow faults.