[Authenticate] don't work at service level

sharak · November 3, 2020, 1:09pm

When I put the [Authenticate] attribute at class level, it seems that I can call all the methods inside even if i’m not authentified.

// My service
[Authenticate]
public class ExerciceService : ServiceStack.Service
{
    public void Delete(DeleteExercice request)
    {
    }
}

// My AppHost Configure()
var dbFactory = container.Resolve<IDbConnectionFactory>();
container.Register<IAuthRepository>(c => new OrmLiteAuthRepository(dbFactory));

Plugins.Add(new AuthFeature(() => new AuthUserSession(),
    new IAuthProvider[] {
        new CredentialsAuthProvider(AppSettings)
    }));

But if I move the [Authenticate] attribute at the Delete() method level, I works, I cannot call the DeleteExercice request if i’m not authentified

I use Servicestack 5.9.2 in a NetCore 3.1 application

edit:
I send my requests via the Gateway.Send() method inside a ServiceStackController.

public class ExerciceController : ServiceStackController
{
    [HttpDelete]
    public IActionResult DeleteExercice(int id)
    {
        Gateway.Send(new DeleteExercice
        {
            Id = id
        });

        return NoContent();
    }
}

What do I do wrong ?
Thank you

mythz · November 3, 2020, 2:42pm

Internal Service Gateway requests do not execute the Global Request Filters for external HTTP requests, they do Execute Gateway Request/Response filters as well as Validation + Action filters so you will also be able to use the Declarative Validation Authorization Attributes on Request DTOs.