Re-run routing for implicit middlewares that require endpoints

Author: captainsafia

src/Antiforgery/src/AntiforgeryApplicationBuilderExtensions.cs

@@ -3,6 +3,8 @@
 
 using Microsoft.AspNetCore.Antiforgery;
 using Microsoft.AspNetCore.Antiforgery.Internal;
+using Microsoft.AspNetCore.Routing;
+using Microsoft.Extensions.DependencyInjection;
 
 namespace Microsoft.AspNetCore.Builder;
 
@@ -24,6 +26,16 @@ public static IApplicationBuilder UseAntiforgery(this IApplicationBuilder builde
         builder.VerifyAntiforgeryServicesAreRegistered();
 
         builder.Properties[AntiforgeryMiddlewareSetKey] = true;
+
+        if (builder.Properties.TryGetValue(RerouteHelper.GlobalRouteBuilderKey, out var routeBuilder) && routeBuilder is not null)
+        {
+            return builder.Use(next =>
+            {
+                var newNext = RerouteHelper.Reroute(builder, routeBuilder, next);
+                var antiforgery = builder.ApplicationServices.GetRequiredService<IAntiforgery>();
+                return new AntiforgeryMiddleware(antiforgery, newNext).Invoke;
+            });
+        }
         builder.UseMiddleware<AntiforgeryMiddleware>();
 
         return builder;

src/Antiforgery/src/Microsoft.AspNetCore.Antiforgery.csproj

@@ -26,5 +26,6 @@
 
   <ItemGroup>
     <Compile Include="$(SharedSourceRoot)HttpMethodExtensions.cs" LinkBase="Shared"/>
+    <Compile Include="$(SharedSourceRoot)Reroute.cs" LinkBase="Shared"/>
   </ItemGroup>
 </Project>

src/DefaultBuilder/test/Microsoft.AspNetCore.Tests/WebApplicationTests.cs

@@ -2697,7 +2697,7 @@ public void DebugView_UseMiddleware_HasMiddleware()
         // 3. Generated delegate name from app.Use(...)
         Assert.Collection(debugView.Middleware,
             m => Assert.Equal(typeof(MiddlewareWithInterface).FullName, m),
-            m => Assert.Equal("Microsoft.AspNetCore.Authentication.AuthenticationMiddleware", m),
+            m => Assert.StartsWith("Microsoft.AspNetCore.Builder.AuthAppBuilderExtensions", m),
             m =>
             {
                 Assert.Contains(nameof(DebugView_UseMiddleware_HasMiddleware), m);
@@ -2747,8 +2747,8 @@ public async Task DebugView_UseMiddleware_HasEndpointsAndAuth_Run_HasAutomaticMi
         Assert.Collection(debugView.Middleware,
             m => Assert.Equal("Microsoft.AspNetCore.HostFiltering.HostFilteringMiddleware", m),
             m => Assert.Equal("Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware", m),
-            m => Assert.Equal("Microsoft.AspNetCore.Authentication.AuthenticationMiddleware", m),
-            m => Assert.Equal("Microsoft.AspNetCore.Authorization.AuthorizationMiddlewareInternal", m),
+            m => Assert.StartsWith("Microsoft.AspNetCore.Builder.AuthAppBuilderExtensions", m),
+            m => Assert.StartsWith("Microsoft.AspNetCore.Builder.AuthorizationAppBuilderExtensions", m),
             m => Assert.Equal(typeof(MiddlewareWithInterface).FullName, m),
             m => Assert.Equal("Microsoft.AspNetCore.Routing.EndpointMiddleware", m));
     }
@@ -2838,6 +2838,176 @@ public async Task DebugView_Endpoints_UseEndpoints_AvailableBeforeAndAfterStart(
             ep => Assert.Equal("/hello", ep.Metadata.GetRequiredMetadata<IRouteDiagnosticsMetadata>().Route));
     }
 
+    [Fact]
+    public async Task ImplicitMiddlewares_RunAfterExplicitRouting_MapGet()
+    {
+        var builder = WebApplication.CreateBuilder();
+        builder.WebHost.UseTestServer();
+        builder.Services.AddAuthentication("testSchemeName")
+            .AddScheme<AuthenticationSchemeOptions, UberHandler>("testSchemeName", "testDisplayName", _ => { });
+        builder.Services.AddAuthorization();
+        await using var app = builder.Build();
+        app.UseRouting();
+        app.MapGet("/", (HttpContext context, string username) =>
+        {
+            Assert.NotNull(context.Items["__AuthorizationMiddlewareWithEndpointInvoked"]);
+            return $"Hello {username}!";
+        }).RequireAuthorization();
+
+        await app.StartAsync();
+
+        var client = app.GetTestClient();
+        var exception = await Record.ExceptionAsync(async () => await client.GetAsync("/?username=test"));
+        Assert.Null(exception);
+    }
+
+    [Fact]
+    public async Task ImplicitMiddlewares_RunBeforeImplicitRouting_TerminalMiddleware()
+    {
+        var builder = WebApplication.CreateBuilder();
+        builder.WebHost.UseTestServer();
+        builder.Services.AddAuthentication("testSchemeName")
+            .AddScheme<AuthenticationSchemeOptions, UberHandler>("testSchemeName", "testDisplayName", _ => { });
+        builder.Services.AddAuthorization();
+        await using var app = builder.Build();
+        app.Run((HttpContext context) =>
+        {
+            Assert.NotNull(context.Features.Get<IAuthenticationFeature>());
+            return context.Response.WriteAsync($"Hello {context.Request.Query["username"]}!");
+        });
+
+        await app.StartAsync();
+
+        var client = app.GetTestClient();
+        var response = await client.GetAsync("/?username=test");
+        response.EnsureSuccessStatusCode();
+        Assert.Equal("Hello test!", await response.Content.ReadAsStringAsync());
+    }
+
+    [Fact]
+    public async Task ImplicitMiddlewares_RunBeforeExplicitRouting_TerminalMiddleware()
+    {
+        var builder = WebApplication.CreateBuilder();
+        builder.WebHost.UseTestServer();
+        builder.Services.AddAuthentication("testSchemeName")
+            .AddScheme<AuthenticationSchemeOptions, UberHandler>("testSchemeName", "testDisplayName", _ => { });
+        builder.Services.AddAuthorization();
+        await using var app = builder.Build();
+
+        app.Run((HttpContext context) =>
+        {
+            Assert.NotNull(context.Features.Get<IAuthenticationFeature>());
+            return context.Response.WriteAsync($"Hello {context.Request.Query["username"]}!");
+        });
+
+        app.UseRouting();
+
+        await app.StartAsync();
+
+        var client = app.GetTestClient();
+        var response = await client.GetAsync("/?username=test");
+        response.EnsureSuccessStatusCode();
+        Assert.Equal("Hello test!", await response.Content.ReadAsStringAsync());
+    }
+
+    [Fact]
+    public async Task ImplicitMiddlewares_RunBeforeExplicitRouting_TerminalMiddleware_AfterUseRouting()
+    {
+        var builder = WebApplication.CreateBuilder();
+        builder.WebHost.UseTestServer();
+        builder.Services.AddAuthentication("testSchemeName")
+            .AddScheme<AuthenticationSchemeOptions, UberHandler>("testSchemeName", "testDisplayName", _ => { });
+        builder.Services.AddAuthorization();
+        await using var app = builder.Build();
+
+        app.UseRouting();
+
+        app.Run((HttpContext context) =>
+        {
+            Assert.NotNull(context.Features.Get<IAuthenticationFeature>());
+            return context.Response.WriteAsync($"Hello {context.Request.Query["username"]}!");
+        });
+
+        await app.StartAsync();
+
+        var client = app.GetTestClient();
+        var response = await client.GetAsync("/?username=test");
+        response.EnsureSuccessStatusCode();
+        Assert.Equal("Hello test!", await response.Content.ReadAsStringAsync());
+    }
+
+    [Fact]
+    public async Task ImplicitMiddlewares_RunBetween_ExplicitRouting_TerminalMiddlewareMapGet()
+    {
+        var builder = WebApplication.CreateBuilder();
+        builder.WebHost.UseTestServer();
+        builder.Services.AddAuthentication("testSchemeName")
+            .AddScheme<AuthenticationSchemeOptions, UberHandler>("testSchemeName", "testDisplayName", _ => { });
+        builder.Services.AddAuthorization();
+        await using var app = builder.Build();
+
+        app.UseRouting();
+
+        app.Run((HttpContext context) =>
+        {
+            Assert.NotNull(context.Features.Get<IAuthenticationFeature>());
+            return context.Response.WriteAsync($"Hello {context.Request.Query["username"]}!");
+        });
+
+        app.MapGet("/endpoint", (HttpContext context, string username) =>
+        {
+            Assert.NotNull(context.Items["__AuthorizationMiddlewareWithEndpointInvoked"]);
+            Assert.NotNull(context.Features.Get<IAuthenticationFeature>());
+            return $"Hello {username}!";
+        }).AllowAnonymous();
+
+        await app.StartAsync();
+
+        var client = app.GetTestClient();
+        var response = await client.GetAsync("/?username=test");
+        response.EnsureSuccessStatusCode();
+        Assert.Equal("Hello test!", await response.Content.ReadAsStringAsync());
+
+        var endpointResponse = await client.GetAsync("/endpoint?username=test");
+        endpointResponse.EnsureSuccessStatusCode();
+        Assert.Equal("Hello test!", await endpointResponse.Content.ReadAsStringAsync());
+    }
+
+    [Fact]
+    public async Task ImplicitMiddlewares_RunBetween_TerminalMiddlewareMapGet()
+    {
+        var builder = WebApplication.CreateBuilder();
+        builder.WebHost.UseTestServer();
+        builder.Services.AddAuthentication("testSchemeName")
+            .AddScheme<AuthenticationSchemeOptions, UberHandler>("testSchemeName", "testDisplayName", _ => { });
+        builder.Services.AddAuthorization();
+        await using var app = builder.Build();
+
+        app.Run((HttpContext context) =>
+        {
+            Assert.NotNull(context.Features.Get<IAuthenticationFeature>());
+            return context.Response.WriteAsync($"Hello {context.Request.Query["username"]}!");
+        });
+
+        app.MapGet("/endpoint", (HttpContext context, string username) =>
+        {
+            Assert.NotNull(context.Items["__AuthorizationMiddlewareWithEndpointInvoked"]);
+            Assert.NotNull(context.Features.Get<IAuthenticationFeature>());
+            return $"Hello {username}!";
+        }).AllowAnonymous();
+
+        await app.StartAsync();
+
+        var client = app.GetTestClient();
+        var response = await client.GetAsync("/?username=test");
+        response.EnsureSuccessStatusCode();
+        Assert.Equal("Hello test!", await response.Content.ReadAsStringAsync());
+
+        var endpointResponse = await client.GetAsync("/endpoint?username=test");
+        endpointResponse.EnsureSuccessStatusCode();
+        Assert.Equal("Hello test!", await endpointResponse.Content.ReadAsStringAsync());
+    }
+
     private class MiddlewareWithInterface : IMiddleware
     {
         public Task InvokeAsync(HttpContext context, RequestDelegate next)

src/Security/Authentication/Core/src/AuthAppBuilderExtensions.cs

@@ -2,6 +2,8 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using Microsoft.AspNetCore.Authentication;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.AspNetCore.Routing;
 
 namespace Microsoft.AspNetCore.Builder;
 
@@ -22,6 +24,17 @@ public static IApplicationBuilder UseAuthentication(this IApplicationBuilder app
         ArgumentNullException.ThrowIfNull(app);
 
         app.Properties[AuthenticationMiddlewareSetKey] = true;
+
+        if (app.Properties.TryGetValue(RerouteHelper.GlobalRouteBuilderKey, out var routeBuilder) && routeBuilder is not null)
+        {
+            return app.Use(next =>
+            {
+                var newNext = RerouteHelper.Reroute(app, routeBuilder, next);
+                var authenticationSchemeProvider = app.ApplicationServices.GetRequiredService<IAuthenticationSchemeProvider>();
+                return new AuthenticationMiddleware(newNext, authenticationSchemeProvider).Invoke;
+            });
+        }
+
         return app.UseMiddleware<AuthenticationMiddleware>();
     }
 }

src/Security/Authentication/Core/src/Microsoft.AspNetCore.Authentication.csproj

@@ -12,6 +12,7 @@
 
   <ItemGroup>
     <Compile Include="$(SharedSourceRoot)SecurityHelper\**\*.cs" />
+    <Compile Include="$(SharedSourceRoot)Reroute.cs" />
   </ItemGroup>
 
   <ItemGroup>

src/Security/Authorization/Policy/src/AuthorizationAppBuilderExtensions.cs

@@ -3,7 +3,9 @@
 
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Authorization.Policy;
+using Microsoft.AspNetCore.Routing;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
 
 namespace Microsoft.AspNetCore.Builder;
 
@@ -30,6 +32,21 @@ public static IApplicationBuilder UseAuthorization(this IApplicationBuilder app)
         VerifyServicesRegistered(app);
 
         app.Properties[AuthorizationMiddlewareSetKey] = true;
+
+        if (app.Properties.TryGetValue(RerouteHelper.GlobalRouteBuilderKey, out var routeBuilder) && routeBuilder is not null)
+        {
+            return app.Use(next =>
+            {
+                var newNext = RerouteHelper.Reroute(app, routeBuilder, next);
+                var authorizationPolicyProvider = app.ApplicationServices.GetRequiredService<IAuthorizationPolicyProvider>();
+                var loggerFactory = app.ApplicationServices.GetRequiredService<ILoggerFactory>();
+                return new AuthorizationMiddlewareInternal(newNext,
+                    app.ApplicationServices,
+                    authorizationPolicyProvider,
+                    loggerFactory.CreateLogger<AuthorizationMiddleware>()).Invoke;
+            });
+        }
+
         return app.UseMiddleware<AuthorizationMiddlewareInternal>();
     }
 

src/Security/Authorization/Policy/src/Microsoft.AspNetCore.Authorization.Policy.csproj

@@ -13,6 +13,7 @@
   <ItemGroup>
     <Compile Include="$(SharedSourceRoot)SecurityHelper\**\*.cs" />
     <Compile Include="..\..\..\..\Http\Routing\src\DataSourceDependentCache.cs" Link="DataSourceDependentCache.cs" />
+    <Compile Include="$(SharedSourceRoot)Reroute.cs" />
   </ItemGroup>
 
   <ItemGroup>