Is there a global interceptor to catch 403

ServiceStack Authentication
1

Is there a global interceptor to catch 403 errors to modify the error response object if an user JWT Token hasn’t permissions for the depending endpoint?

2

Have you read the Error Handling docs? It documents different handlers and filters available.

3

Yes I have read your doc but neither UncaughtExceptionHandlersAsync and ServiceExceptionHandlers nor OnExceptionTypeFilter doesn’t catch the 403.

4

They’re the only global filters available but they can’t catch Errors that are written directly to the Response.

Who is returning the 403 Response? Can you post the full HTTP Error Response (e.g. using Fiddler or Chrome WebInspector) so it can help track down the source of the error?

5

Is it possible to add base.CustomErrorHttpHandlers[HttpStatusCode.Forbidden] = …

6

Same as above, not if the request is short-circuited when the Error is written directly to the Response.

7 
 public class TripServices : Service
{
   
    public object Get(TripGet request)
    {
        return new TripGetResponse
        {
            Trip = new TripOut
            {
                Status = TripStatus.STARTED
            }                
        };
    }
  
}

 public class QueryBase
    {
     
        [ApiMember(Description = "Meta data from integrator.</a>", ParameterType = "query", DataType = "string", IsRequired = true)]
        public string Source { get; set; } 
    }

 [Route("/trips/{Id}", Summary = "Returns a single trip.", Notes = "Returns information for a Unique identifier.", Verbs = "GET")]
    public class TripGet : QueryBase, IReturn<TripGetResponse>
    {
        [ApiMember(Description = "Unique identifier representing a trip." , IsRequired = true, ParameterType = "path", DataType = "string")]
        public string Id { get; set; }
    }



 public class TripGetResponse
    {
        public TripGetResponse()
        {
            ResponseStatus = new ResponseStatus
            {
                Message = MessageConstants.RESPONSE_SUCCESS
            };
        }

        public ResponseStatus ResponseStatus { get; set; }

        public TripOut Trip { get; set; } 
    }

the permissions will be added with:

Type.GetType("Operations.TripGet,ServiceModel").AddAttributes(new RequiresAnyPermissionAttribute((new List<string>{ "TripGet", "Trip", "Integrator" }).ToArray()));

in the AppHost.

and the JWT Token has only the following Permissions

{
  "sub": 5,
  "iat": 1520876137,
  "exp": 1522085737,
  "email": "xxxx@if.com",
  "given_name": "xxxx-FirstName",
  "family_name": "xxxx-LastName",
  "name": "xxxx-DisplayName",
  "preferred_username": "xxxx",
  "perms": [
    "VehiclePositionPost"
  ]
}

and the error:

2018-03-12_20h04_37.png968×483 23 KB

8

Yeah the [RequireRole/Perm] attributes were short-circuiting requests with direct error responses but I’ve made a change in this commit so that they now call the new AppHost.HandleShortCircuitedErrors() API where they’ll route a new HttpError(res.StatusCode, res.StatusDescription) through any registered ServiceExceptionHandlers which you can use to return a custom ErrorResponse body, e.g:

this.ServiceExceptionHandlers.Add((httpReq, request, exception) => {

    if (httpReq.Response.StatusCode == 403)
    {
        return DtoUtils.CreateErrorResponse(request, new MyCustomException { ... });
        // can also return populated ErrorResponse DTO directly
        // return new ErrorResponse { ResponseStatus = new ResponseStatus { ... } };
    }

    return null; //continue with default Error Handling
});

This change is available from v5.0.3 that’s now available on MyGet.

9

Does that have any impact on the changes made here? RequestLogFeature doesn''t 404/403? Do I still need to set LimitToServiceRequests = false?

10

This doesn’t impact Request Logging, it’s just allowing short-circuited errors to call ServiceExceptionHandlers so they can have custom Response Bodies.

11

Nice thanks… that seems to be the best solution for 403 error response customizing.