How to create Fall-Through RequestFilterAttribute

Currently I have a custom RequestFilterAttribute on services requiring a customized HMAC authentication. However, this authentication is only required for 3rd party developers. I want to be able to access these same functions without this filter when the requests are coming from our site directly. Sometimes the requests would be “guest” and sometimes they would require authentication via the built in auth providers.

So, my question is how (or) can I apply multiple attributes that allow this? My original thought is somehow allowing my custom filter to ‘fall-through’ when the request isn’t structured as necessary for my authentication… but how do I make it the first run filter? Are there other better solutions? Currently I double up on service definitions with slightly different request DTOs, and that’s just a mess.

There is no “fall-through” Request Filter Attributes. Not really sure what feature you’re expecting that could help with this, Filter attributes are statically defined so there’s no way to remove them but inside your custom filter attribute impl you can decide whether or not to validate the request or not, e.g. in your first request Filter you could set a flag:

req.Items["IgnoreValidation"] = true;

Which tells the other filters to not validate, e.g:

if (!req.Items.ContainsKey("IgnoreValidation"))

Or maybe just use a single attribute that does everything you need or avoid attributes altogether and perform necessary validation inside a Service (i.e. calling a shared method).

Otherwise if you’re creating different Service Endpoints, look at Service Gateway for how you can call/reuse existing Services which should reduce the effort required to reuse Services.

I guess fall-through wasn’t the best way to describe it. I was kind of hoping the priorities values could let me choose which filter is applied first. And then use the Items (as you suggest) to add some additional info. I think this will be easiest.

In the request object is it safe to use the provided domain as valid, or is it possible to spoof from a client?

There is a Priority property on Filter Attributes which does let you control the order the filters are applied.

IRequest.Items is a new Dictionary attached to each request which is only populated internally and used to share data throughout the Request Pipeline.

Hmm, it didn’t seem to apply them in order - I’ll have to do some additional testing. Thanks though.

It should apply attributes declared at the same level in order from lowest to highest, Attributes with Priority<0 are executed before Global Request Filters. Here’s an Priority Request Filter Attribute example.