Helpers for EndpointBuilder

[haodeon]

I tried 5.0.0 with aspnetcore's authorization middleware.

The current recommendation from MS is to add the default policy as the fallback policy, which requires all requests to be authenticated.

For unauthenticated access to routes, I've been making use of this helper function. Which I stole from pim's fix for route Order.

let setAllowAnonymous (endpoint: HttpEndpoint) =
    let configure (builder: EndpointBuilder) =
        builder.Metadata.Add(AllowAnonymousAttribute())
        builder

    { endpoint with
        Configure = endpoint.Configure >> configure }

let endpoints =
    [ get "/health" healthHandler |> setAllowAnonymous ]

A generic version could be

let addEndpointAttribute (attribute: Attribute) (endpoint: HttpEndpoint) =
    let configure (builder: EndpointBuilder) =
        builder.Metadata.Add(attribute)
        builder

    { endpoint with
        Configure = endpoint.Configure >> configure }

There's a couple of other considerations to go along with this.

UseFalco currently calls UseRouting and UseEndpoints but UseAuthorization needs to be called in between them. I've been using this workaround

  wapp
      .UseRouting() // UseFalco calls UseRouting internally
      .UseAuthentication()
      .UseAuthorization() // this call must appear between UseRouting and UseEndpoints
      .UseEndpoints(fun endpointBuilder -> endpointBuilder.UseFalcoEndpoints(endpoints) |> ignore)
  |> ignore

It's possible to add duplicate attributes into the Metadata collection. Not sure what the behaviour is when that happens.

Would it be useful to add these EndpointBuilder functions to Falco?

[pimbrouwers]

Hey Deon,

Interesting stuff here. You ultimately arrived at the solution I would have suggested given what was available in beta4.

After some thought, I think we need to scope the UseFalco function more narrowly, and expect that UseRouting will always be called separately. It was silly to combine them in the first place. I just wanted to minimize the unnecessary discard/ignore. But if we shim UseRouting with an extension on WebApplication then we can still maintain the single webapp chain.

Using final example, it would look like this:

wapp.UseRouting()
    .UseAuthentication()
    .UseAuthorization()
    .UseFalco(endpoints)

I just deployed beta5 with this code. Have a crack at it, and let me know.

Thanks for catching this silly oversight before we went to release.

[haodeon]

Hey Pim,

Given UseRouting will always be called in a Falco app, it didn't seem silly having UseFalco call UseRouting.

On the other hand, having it separate removes some magic. Which, in my opinion, is clearer to someone learning aspnet with F#.

I tried beta5 but I still needed to use ignore on the WebApplication chain

wapp
    .UseRouting()
    .UseAuthentication()
    .UseAuthorization()
    .UseFalco(endpoints)
|> ignore

The extra ignore is okay to me since fantomas will format to this

wapp.UseRouting().UseAuthentication().UseAuthorization().UseFalco(endpoints)
|> ignore

I tried to end the chain with Run but I could only figure out the below.

(wapp.UseRouting().UseAuthentication().UseAuthorization().UseFalco(endpoints) :?> WebApplication)
    .Run()

I'm sticking with this for now.

[pimbrouwers]

I agree with everything you said!

Checkout the new examples for guidance on how to get the "non-ignore" version working for you.

Hello world sample: https://github.com/pimbrouwers/Falco/blob/develop/examples/HelloWorld/HelloWorld.fs
Hello world mvc sample: https://github.com/pimbrouwers/Falco/blob/develop/examples/HelloWorldMvc/HelloWorldMvc.fs

Thanks again for working on this with me!

[haodeon]

Cheers for the doc update. The v5 examples have been a great help for me.

Apologies but I’m missing something in the new examples? I did review 4285544 beforehand, to try to understand the change, then test beta5.

In my app, the chain changes type to IApplicationBuilder. The cleanest way I could come up with, was to cast to WebApplication.

I’m using Falco at work for a kind of web api. I’m not a dev, so it’s been a steep learning curve.

[haodeon]

With the release of rc2 and the updated Hello world examples, I tried ending the chain with Run and passing in a terminal handler like below.

wapp.UseRouting().UseAuthentication().UseAuthorization().UseFalco(endpoints).Run(Response.ofPlaintext "Not found")

Unfortunately, this doesn't do what I had hoped it would and does not execute the webapp.

[pimbrouwers]

Hey Deon, It's a deceptive transformation, which is what gave me pause to include those extension methods. But they're just so cool! Basically the issue is your auth activations, they upcast the item flowing through the chain to be IApplicationBuilder rather than WebApplication. The way I get around this is to use the WebApplication Use extension and the lesser known static extension methods to activate the middleware. ``` wapp.UseRouting().Use(AuthAppBuilderExtensions.UseAuthentication).Use(AuthorizationAppBuilderExtensions.UseAuthorization).UseFalco(endpoints).Run(Response.ofPlaintext "Not found") ``` I'm on my phone, so check the syntax. Let me know if that works for you!

…

On Sun, Jan 26, 2025, 12:57 AM Deon ***@***.***> wrote: With the release of rc2 and the updated Hello world examples, ending a WebApplication chain with Run is now working for me. wapp.UseRouting().UseAuthentication().UseAuthorization().UseFalco(endpoints).Run(Response.ofPlaintext "Not found") — Reply to this email directly, view it on GitHub <#130 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABDB57MP3QSA25FPCE37RGT2MR2OHAVCNFSM6AAAAABS75LFYSVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTCOJVGYYTAMY> . You are receiving this because you commented. Message ID: <pimbrouwers/Falco/repo-discussions/130/comments/11956103@ github.com>