Fix endpoints in StaticFileAuth sample

[Tratcher]

Fixes #43274

Two changes broke this sample:

• Changing how static file middleware interact with endpoints: [Breaking change]: Static files, default document, and directory browsing middleware no longer no-op when an endpoint with a null RequestDelegate is active aspnet/Announcements#488
• The Auth Resource is now an HttpContext, not an Endpoint. https://github.com/dotnet/aspnetcore/pull/22672/files

Putting this fix in main (8) since there's no product or test impact.

@hylinux

[DamianEdwards]

Interesting. Do you think the way this sample implements auth for static files is still idiomatic? Should we consider pointing to something like https://github.com/DamianEdwards/AspNetCorePathAuthorization instead? Also, how does this sample compare to the approach outlined in the docs?

[Tratcher]

The FallbackPolicy approach isn't granular, and the FileResult approach is too granular, you have to map out your whole file structure.

The path authorization approach is a reasonable compromise, are you planning to integrate that for 8?

[DamianEdwards]

To be clear, you're saying the approaches in the docs are problematic (too broad, too granular)?

The path authorization approach via metadata-only endpoints is workable in .NET 7+. We could consider adding first-class support for such endpoints in .NET 8 (perhaps avoiding the per-request MatcherPolicy and instead modifying the route graph nodes themselves) which would allow efficient path-based rules for AuthZ and possibly output caching too. I'll log an issue to cover that.

[Tratcher]

To be clear, you're saying the approaches in the docs are problematic (too broad, too granular)?

I would call them limited, or not dynamic. Authorizing everything is ok if that's what you want. Authorizing a single known file is ok too. But those samples don't allow any in-between. E.g. you can't restrict who as access to which files without hard coding every file.

I wouldn't want this sample to depend on yours until it was integrated in, it's too much to code people would need to copy.

[Tratcher]

@DamianEdwards @halter73 Can you approve this fix reflecting the current reality and we'll revisit this sample after #43642?

[halter73]

This led me to this:

aspnetcore/src/Middleware/StaticFiles/src/StaticFileMiddleware.cs

Lines 94 to 95 in 2c55745

	// Return true because we only want to run if there is no endpoint delegate.
	private static bool ValidateNoEndpointDelegate(HttpContext context) => context.GetEndpoint()?.RequestDelegate is null;

Gross! It's actually pretty clever though. Is this anywhere in our real docs?

[Tratcher]

It's not in the docs, that's Damien's 7.0 change that broke this sample.