Skip to content

Bug/options #130

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ProgrammingByPermutation wants to merge 2 commits into from
Closed

Bug/options #130

ProgrammingByPermutation wants to merge 2 commits into from

Conversation

@ProgrammingByPermutation
Copy link
Collaborator

@ProgrammingByPermutation ProgrammingByPermutation commented Oct 8, 2025

We want to skip the auth check for OPTION requests that are sent. These
are just to test capabilities for CORS and do not do anything that is
relevant to authentication.

closes #40

@ProgrammingByPermutation
chore: formatting
335851b
@ProgrammingByPermutation
bug: fixing authenticating OPTIONS
3f91237 
We want to skip the auth check for OPTION requests that are sent. These
are just to test capabilities for CORS and do not do anything that is
relevant to authentication.

closes #40
github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 8, 2025
View reviewed changes
src/Nullinside.Api.Common.AspNetCore/Middleware/BasicAuthenticationHandler.cs
/// <returns>The user and their roles if successful, <see cref="AuthenticateResult.Fail(string)" /> otherwise.</returns>
protected override async Task<AuthenticateResult> HandleAuthenticateAsync() {
// Skip options requests
if (Request.Method == "OPTIONS") {

Check failure

Code scanning / CodeQL

User-controlled bypass of sensitive method High

This condition guards a sensitive
action
Loading
, but a
user-provided value
Loading
controls it.

Copilot Autofix

AI about 2 months ago

To reduce the risk of user-controlled bypass of authentication, we need to remove or properly handle the condition that allows OPTIONS requests to skip authentication. The best practice is to handle OPTIONS requests at a different (earlier) layer, outside of the authentication handler—for example, by middleware that handles OPTIONS/CORS specifically, or by configuring endpoint authorization policies. If OPTIONS requests genuinely should always pass through unauthenticated, this should be enforced globally and securely. Otherwise, a malicious user can simply send OPTIONS requests to protected endpoints.
Steps:

  • In BasicAuthenticationHandler.cs, within HandleAuthenticateAsync, remove the check for Request.Method == "OPTIONS".
  • If OPTIONS requests must be handled differently, this should be set up elsewhere (such as globally allowing OPTIONS to bypass authentication using ASP.NET Core middleware or endpoint configuration).
  • No additional methods, imports, or definitions are required for this change.
Suggested changeset 1
src/Nullinside.Api.Common.AspNetCore/Middleware/BasicAuthenticationHandler.cs

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/Nullinside.Api.Common.AspNetCore/Middleware/BasicAuthenticationHandler.cs b/src/Nullinside.Api.Common.AspNetCore/Middleware/BasicAuthenticationHandler.cs
--- a/src/Nullinside.Api.Common.AspNetCore/Middleware/BasicAuthenticationHandler.cs
+++ b/src/Nullinside.Api.Common.AspNetCore/Middleware/BasicAuthenticationHandler.cs
@@ -45,11 +45,6 @@
   /// </summary>
   /// <returns>The user and their roles if successful, <see cref="AuthenticateResult.Fail(string)" /> otherwise.</returns>
   protected override async Task<AuthenticateResult> HandleAuthenticateAsync() {
-    // Skip options requests
-    if (Request.Method == "OPTIONS") {
-      return AuthenticateResult.NoResult();
-    }
-
     // Read token from HTTP request header
     string? authorizationHeader = Request.Headers.Authorization;
     if (string.IsNullOrEmpty(authorizationHeader) || !authorizationHeader.StartsWith("Bearer ")) {
EOF
@@ -45,11 +45,6 @@
/// </summary>
/// <returns>The user and their roles if successful, <see cref="AuthenticateResult.Fail(string)" /> otherwise.</returns>
protected override async Task<AuthenticateResult> HandleAuthenticateAsync() {
// Skip options requests
if (Request.Method == "OPTIONS") {
return AuthenticateResult.NoResult();
}

// Read token from HTTP request header
string? authorizationHeader = Request.Headers.Authorization;
if (string.IsNullOrEmpty(authorizationHeader) || !authorizationHeader.StartsWith("Bearer ")) {
Copilot is powered by AI and may make mistakes. Always verify output.
@ProgrammingByPermutation ProgrammingByPermutation deleted the bug/options branch October 9, 2025 02:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

bug: OPTIONS Hitting Authentication

2 participants

@ProgrammingByPermutation