SkipStatusCodePagesAttribute should run before AuthorizeAttribute

[huan086]

Is your feature request related to a problem? Please describe.

[SkipStatusCodePages] is meant to be used in actions that are API calls, so that the StatusCodePagesMiddleware does not interfere with the response status code and body.

API actions are almost always decorated with [Authorize]. When user is not authorized, AuthorizeFilter short circuits and returns 401. Due to the short circuit, IResourceFilter, which SkipStatusCodePagesAttribute inherits, does not run, thus StatusCodePagesMiddleware runs and modifies the status code and body. The API caller does not receive 401 with empty body.

Describe the solution you'd like

Ideally, the StatusCodePagesMiddleware does not run when [SkipStatusCodePages], thus the API caller receives 401 with empty body.

This can be achieved by having SkipStatusCodePagesAttribute inherit from IAlwaysRunResultFilter instead.

Describe alternatives you've considered

Modifying the middleware pipeline with custom middleware. But this dissociates the action that needs SkipStatusCodePages from the code that does the work

Additional context

[mkArtakMSFT]

Thanks for contacting us, @huan086. Would you like to send a PR for this? We'd happily consider it!

[huan086]

I'm thinking we need to implement IOrderedFilter as well, so that when multiple IAlwaysRunResultFilter are present and some of them short-circuits, it'll be possible to make sure SkipStatusCodePagesAttribute runs first. @mkArtakMSFT what do you think?