ASP.NET Core在Forbid()上给我代码500 [英] ASP.NET Core giving me Code 500 on Forbid()

问题描述

我已经尝试解决了几个小时，但找不到任何东西.基本上，我有一个简单的控制器，大致如下所示:

I tried to solve this for hours now and I can not find anything. Basicly I have a simple controller which roughly looks like this:

[Route("v1/lists")]
public class ListController : Controller
{
    ...

    [HttpPost("{id}/invite")]
    public async Task<IActionResult> PostInvite([FromBody] string inviteSecret, [FromRoute] int id, [FromQuery] string userSecret)
    {
        if (!ModelState.IsValid)
        {
            return BadRequest(ModelState);
        }

        List list = await context.Lists.SingleOrDefaultAsync(l => l.ID == id);
        if (list == null)
        {
            return NotFound();
        }

        User postingUser = await context.Users.SingleOrDefaultAsync(u => u.ID == list.CreationUserID);
        if (postingUser == null || postingUser.Secret != userSecret)
        {
            return Forbid();
        }

        await context.ListInvites.AddAsync(new ListInvite{ListID = id, InviteSecret = inviteSecret});
        await context.SaveChangesAsync();
        return Ok();
    }

    ....
}

问题是:每当调用此方法并通过return Forbid();退出时，Kestrel随后会在消息

The thing is: Whenever this method gets called and it exits through return Forbid();, Kestrel throws an InvalidOperationException afterwards with the message

未配置身份验证处理程序来处理方案:自动

No authentication handler is configured to handle the scheme: Automatic

(当然服务器返回500).奇怪的是，我在任何地方都没有进行任何身份验证，并且这种情况不会发生，例如如果方法以return Ok();离开.在这一点上，我真的迷失了，因为如果您尝试Google这个问题，您会得到解决方案，而不是解决方案...对于实际上进行身份验证并遇到问题的人.我真的希望这里的人知道如何解决此问题和/或我能做些什么以找出发生这种情况的原因.

(and of course the server returns a 500). What's strange about it is the fact that I am not doing any authentication whatsoever anywhere, and it does not happen e.g. if the method leaves with return Ok();. I'm really lost at this point because if you try to google this problem you get solutions over solutions... for people who actually do auth and have a problem with it. I really hope someone over here knows how to resolve this and/or what I could do to find out why this happens.

推荐答案

像SignIn，SignOut或Challenge一样，Forbid依靠身份验证堆栈来决定返回"禁止访问"响应:某些身份验证处理程序(例如JWT承载中间件)返回403响应，而其他身份验证处理程序(例如Cookie中间件)则倾向于将用户重定向到访问被拒绝的页面".

Like SignIn, SignOut or Challenge, Forbid relies on the authentication stack to decide what's the right thing to do to return a "forbidden" response: some authentication handlers like the JWT bearer middleware return a 403 response while others - like the cookie middleware - prefer redirecting the user to an "access denied page".

如果管道中没有任何身份验证处理程序，则不能使用此方法.而是使用return StatusCode(403).

If you don't have any authentication handler in your pipeline, you can't use this method. Instead, use return StatusCode(403).

这篇关于ASP.NET Core在Forbid()上给我代码500的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！