Hi,
we created a custom request filter attribute to allow API Key authentication on certain endpoints.
It filters out an HTTP Header and sets the session.IsAuthenticated to true.
The attribute has a lower priority value than the existing Authentication attributes as it is supposed to run before them.
If we put the attribute on the Service class together with the [Authenticate] attribute, our attribute is executed first and everything runs fine.
If we put the attribute on the method together with the [Authenticate] and [RequiredRole] attribute, our attribute is not executed first, which means that the [Authenticate] or [RequiredRole] attributes are executed first and we end up with a 401.
During debugging we found out that Method level request filter attributes are not sorted by priority, although the documentation says:
Note: Method-level filter attributes are always executed just before/after the Service, i.e. the Priority is only scoped and sorted between other method-level attributes.
I provided a screenshot which shows that the order in the RequestFilters list is random during the Execute method in the ServiceRunner class.
We are aware that we could put our attribute on the DTO or just leave the attribute on the class, but we wanted to know if this is a bug or an intended behavior from ServiceStack.
Thanks in advance for your help