Improvements to the OpenAPI Docs #14754
Merged
Description
This PR ensures that the endpoints in the management API report that they can return the following statuses:

- `AllowAnonymousAttribute`: This is the same logic that already shows the authentication "lock" symbol.
- `AuthorizeAttribute`: `ManagementApiControllerBase` will always ensure you have access to the backoffice and can disable the controller. If others are present, there is a risk the user does not have access, and thereby a 403 is returned.
- `IAuthorizationService`, as all dynamic policies will use this pattern. Also here there is a risk the user does not have access to a given resource, and thereby a 403 is returned.

Furthermore, we also ensure the APIs only accept the `application/json` header, and not `plain/text` and other defaults.

Test
Bonus
I also tested what happens if I am authenticated but I remove all the tokens from the database. In that case a 401 is returned as expected.
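As an added illustration (not code from this PR or the project), the following Swashbuckle operation filter sketches how the rules described above can be turned into documented 401/403 responses; it assumes Swashbuckle's `IOperationFilter` API and treats only `Authorize` attributes declared outside the base controller as "other" policies.

```csharp
using System;
using System.Linq;
using Microsoft.AspNetCore.Authorization;
using Microsoft.OpenApi.Models;
using Swashbuckle.AspNetCore.SwaggerGen;

// Hypothetical filter: documents the 401/403 responses an endpoint can produce
// by inspecting its endpoint metadata and its controller's dependencies.
public sealed class AuthResponsesOperationFilter : IOperationFilter
{
    public void Apply(OpenApiOperation operation, OperationFilterContext context)
    {
        var metadata = context.ApiDescription.ActionDescriptor.EndpointMetadata;
        Type? controllerType = context.MethodInfo.DeclaringType;

        // Anonymous endpoints never produce 401 (same rule as the "lock" symbol).
        bool allowsAnonymous = metadata.OfType<AllowAnonymousAttribute>().Any();
        if (!allowsAnonymous)
        {
            AddResponse(operation, "401", "Unauthorized: missing or invalid token");
        }

        // [Authorize] declared on the action or the concrete controller (not inherited
        // from the base class) means a policy beyond backoffice access is evaluated.
        bool hasExtraAuthorize =
            context.MethodInfo.GetCustomAttributes(typeof(AuthorizeAttribute), inherit: false).Any()
            || (controllerType?.GetCustomAttributes(typeof(AuthorizeAttribute), inherit: false).Any() ?? false);

        // A constructor taking IAuthorizationService signals dynamic, resource-based policies.
        bool usesAuthorizationService = controllerType?.GetConstructors()
            .SelectMany(c => c.GetParameters())
            .Any(p => p.ParameterType == typeof(IAuthorizationService)) ?? false;

        if (!allowsAnonymous && (hasExtraAuthorize || usesAuthorizationService))
        {
            AddResponse(operation, "403", "Forbidden: authenticated but not permitted");
        }
    }

    private static void AddResponse(OpenApiOperation operation, string code, string description)
    {
        // Keep any response the action already documents explicitly.
        if (!operation.Responses.ContainsKey(code))
        {
            operation.Responses[code] = new OpenApiResponse { Description = description };
        }
    }
}
```

Register it with `options.OperationFilter<AuthResponsesOperationFilter>()` in the Swagger generator options.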