Default API Security does not work like it should

[shainegordon]

What happened?

When you configure the project setting Api Settings -> Default API Security -> Secured by default, then any roles defined in the Services designer, on the Secured stereotype are not applied.

This is very easy to reproduce.

1. Set Api Settings -> Default API Security to Unsecured by default
2. Create/expose an endpoint
3. Apply stereotype "Secured"
4. Set value to "Admin"
5. Run software factory
6. This will add an [Authorize(Roles = "Admin")] to the controller action.
7. Change the project setting from Unsecured by default to Secured by default.
8. Run the software factory.
9. This will now REMOVE [Authorize(Roles = "Admin")] from the controller action, and add [Authorize] to the controller class.

The expected behaviour here, with Secured by default, is that the class gets the [Authorize] attribute AND the controller action gets a [Authorize(Roles = "Admin")], if required.

Even better, is that Secured by default actually applies requiring authorization at the middleware layer

e.g.

app.UseEndpoints(endpoints =>
{
       endpoints.MapDefaultHealthChecks();
       endpoints.MapControllers();
});

becomes

app.UseEndpoints(endpoints =>
{
       endpoints.MapDefaultHealthChecks();
       endpoints.MapControllers().RequireAuthorization();
});

What version of Intent Architect are you using?

4.0.6

Additional information

No response

[JonathanLydall]

Hi @shainegordon,

Thanks for logging this, we have added this as a bug on our backlog and will be looking at it as soon as we are able. We will keep this issue open and update it when a fix is available.