Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 20 additions & 10 deletions src/Umbraco.Cms.Api.Management/OpenApi.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Original file line number Diff line number Diff line change
Expand Up @@ -26,11 +26,20 @@
OpenApiOperationTransformerContext context,
CancellationToken cancellationToken)
{
if (context.Description.ActionDescriptor is not ControllerActionDescriptor description ||
description.MethodInfo.GetCustomAttributes(true).Any(x => x is AllowAnonymousAttribute) ||
if (context.Description.ActionDescriptor is not ControllerActionDescriptor description)
{
return Task.CompletedTask;
}

if (description.MethodInfo.GetCustomAttributes(true).Any(x => x is AllowAnonymousAttribute) ||

Check notice on line 34 in src/Umbraco.Cms.Api.Management/OpenApi/Transformers/BackOfficeSecurityRequirementsTransformer.cs

View check run for this annotation

CodeScene Delta Analysis / CodeScene Code Health Review (v18/dev)

✅ No longer an issue: Complex Conditional

TransformAsync no longer has a complex conditional
description.MethodInfo.DeclaringType?.GetCustomAttributes(true).Any(x => x is AllowAnonymousAttribute) ==
true)
{
// Explicitly clear security on anonymous operations so they override the document-level
// security requirement added below. Without this, OpenAPI consumers (including the
// generated backoffice SDK) treat these endpoints as authenticated and attach a Bearer
// token, which triggers a /token refresh before the user has logged in.
operation.Security = [];
Comment thread
lauraneto marked this conversation as resolved.
return Task.CompletedTask;
Comment thread
lauraneto marked this conversation as resolved.
}

Expand Down
60 changes: 0 additions & 60 deletions src/Umbraco.Web.UI.Client/src/packages/core/backend-api/sdk.gen.ts

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
using System.Reflection;

Check notice on line 1 in tests/Umbraco.Tests.UnitTests/Umbraco.Cms.Api.Management/OpenApi/BackOfficeSecurityRequirementsTransformerTests.cs

View check run for this annotation

CodeScene Delta Analysis / CodeScene Code Health Review (v18/dev)

✅ Getting better: Code Duplication

reduced similar code in: TransformAsync_Operation_Skips_AllowAnonymous_Controllers,TransformAsync_Operation_Skips_AllowAnonymous_Methods. Avoid duplicated, aka copy-pasted, code inside the module. More duplication lowers the code health.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
Expand Down Expand Up @@ -109,7 +109,7 @@
#region Operation Transformer Tests

[Test]
public async Task TransformAsync_Operation_Skips_AllowAnonymous_Methods()
public async Task TransformAsync_Operation_Overrides_Security_For_AllowAnonymous_Methods()
{
// Arrange
var operation = new OpenApiOperation();
Expand All @@ -134,13 +134,14 @@
// Act
await _transformer.TransformAsync(operation, context, CancellationToken.None);

// Assert - Should not add 401 response or security
// Assert - Should not add 401 response, and security must be an empty list to override document-level security
Assert.IsFalse(operation.Responses?.ContainsKey(StatusCodes.Status401Unauthorized.ToString()) ?? false);
Assert.IsNull(operation.Security);
Assert.IsNotNull(operation.Security);
Assert.IsEmpty(operation.Security);
}

[Test]
public async Task TransformAsync_Operation_Skips_AllowAnonymous_Controllers()
public async Task TransformAsync_Operation_Overrides_Security_For_AllowAnonymous_Controllers()
{
// Arrange
var operation = new OpenApiOperation();
Expand All @@ -165,9 +166,10 @@
// Act
await _transformer.TransformAsync(operation, context, CancellationToken.None);

// Assert - Should not add 401 response or security
// Assert - Should not add 401 response, and security must be an empty list to override document-level security
Assert.IsFalse(operation.Responses?.ContainsKey(StatusCodes.Status401Unauthorized.ToString()) ?? false);
Assert.IsNull(operation.Security);
Assert.IsNotNull(operation.Security);
Assert.IsEmpty(operation.Security);
}

[Test]
Expand Down
Loading