
Fix AuthorizeIndexPageHandlerFilter security flaw: pipeline not short-circuited on auth failure#36839

Merged: guardrex merged 2 commits into guardrex/simple-auth-updates from copilot/sub-pr-36650 on Mar 5, 2026

Conversation


Copilot AI commented Mar 5, 2026

The AuthorizeIndexPageHandlerFilter example allowed unauthorized users to execute protected page handlers because authorization ran in OnPageHandlerSelectionAsync (which has no way to set a result), while OnPageHandlerExecutionAsync unconditionally called next().

Changes

  • Moved authorization logic from OnPageHandlerSelectionAsync into OnPageHandlerExecutionAsync
  • Set context.Result to ChallengeResult/ForbidResult on failure without calling next(), properly short-circuiting the pipeline
  • OnPageHandlerSelectionAsync is now a no-op
  • Updated prose to reference OnPageHandlerExecutionAsync
```csharp
public async Task OnPageHandlerExecutionAsync(PageHandlerExecutingContext context,
    PageHandlerExecutionDelegate next)
{
    // ... attribute/policy resolution ...

    if (authorizeResult.Challenged)
    {
        context.Result = policy.AuthenticationSchemes.Count > 0
            ? new ChallengeResult(policy.AuthenticationSchemes.ToArray())
            : new ChallengeResult();
        return; // does NOT call next() — handler is blocked
    }
    else if (authorizeResult.Forbidden)
    {
        context.Result = policy.AuthenticationSchemes.Count > 0
            ? new ForbidResult(policy.AuthenticationSchemes.ToArray())
            : new ForbidResult();
        return; // does NOT call next() — handler is blocked
    }

    await next(); // only reached on successful authorization
}

public Task OnPageHandlerSelectionAsync(PageHandlerSelectedContext context)
    => Task.CompletedTask;
```
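As an added example (not code from this PR or from the docs repository), the following Python model of the two page-filter hooks reproduces the flaw and the fix described above: a verdict computed in the selection hook has no way to stop the handler, while setting a result in the execution hook and returning without calling next() does. PageHandlerExecutingContext, ChallengeResult, ForbidResult and the role-based authorize function are simplified stand-ins for the ASP.NET Core types, not the framework itself.

```python
import asyncio
from dataclasses import dataclass, field

@dataclass
class PageHandlerExecutingContext:
    """Stand-in for the ASP.NET Core context; a non-null result short-circuits the pipeline."""
    authenticated: bool
    roles: set = field(default_factory=set)
    result: object = None

class ChallengeResult: pass  # constructed stand-in for the framework type
class ForbidResult: pass     # constructed stand-in for the framework type

def authorize(ctx, required_role="Admin"):
    """Constructed policy check: anonymous -> challenged, missing role -> forbidden."""
    if not ctx.authenticated:
        return "challenged"
    return "forbidden" if required_role not in ctx.roles else "succeeded"

class VulnerableFilter:
    """Before the fix: the verdict lives in the selection hook, which cannot set a result."""
    def on_page_handler_selection(self, ctx):
        self.verdict = authorize(ctx)  # computed, but nothing acts on it
    async def on_page_handler_execution(self, ctx, next_):
        await next_()  # unconditional: the protected handler always runs

class FixedFilter:
    """After the fix: authorize in the execution hook; on failure set a result and skip next()."""
    def on_page_handler_selection(self, ctx):
        pass  # no-op, as in the merged change
    async def on_page_handler_execution(self, ctx, next_):
        verdict = authorize(ctx)
        if verdict == "challenged":
            ctx.result = ChallengeResult()
            return
        if verdict == "forbidden":
            ctx.result = ForbidResult()
            return
        await next_()  # only reached when authorization succeeded

def run_pipeline(page_filter, ctx):
    """Mimics the host: selection hook, then execution hook with next() bound to the handler.
    Returns (handler_ran, name of the result type or None)."""
    handler_ran = []
    async def next_():
        handler_ran.append(True)  # stands in for the protected handler body
    page_filter.on_page_handler_selection(ctx)
    asyncio.run(page_filter.on_page_handler_execution(ctx, next_))
    return bool(handler_ran), None if ctx.result is None else type(ctx.result).__name__
```

Running an anonymous request through VulnerableFilter executes the handler with no result set; through FixedFilter it yields a ChallengeResult and the handler never runs.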



Internal previews

File: aspnetcore/razor-pages/security/authorization/simple.md (preview: aspnetcore/razor-pages/security/authorization/simple)

…ed authorization

Co-authored-by: guardrex <1622880+guardrex@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Address feedback on Blazor integration in Simple Auth article" to "Fix AuthorizeIndexPageHandlerFilter security flaw: pipeline not short-circuited on auth failure" on Mar 5, 2026
@guardrex guardrex marked this pull request as ready for review March 5, 2026 19:05
@guardrex guardrex merged commit e0d3848 into guardrex/simple-auth-updates Mar 5, 2026
4 checks passed
@guardrex guardrex deleted the copilot/sub-pr-36650 branch March 5, 2026 19:07