ASP.NET Core 在 Forbid() 上给我代码 500 [英] ASP.NET Core giving me Code 500 on Forbid()
问题描述
我试图解决这个问题几个小时,但我找不到任何东西.基本上我有一个简单的控制器,大致如下所示:
I tried to solve this for hours now and I can not find anything. Basicly I have a simple controller which roughly looks like this:
[Route("v1/lists")]
public class ListController : Controller
{
...
[HttpPost("{id}/invite")]
public async Task<IActionResult> PostInvite([FromBody] string inviteSecret, [FromRoute] int id, [FromQuery] string userSecret)
{
if (!ModelState.IsValid)
{
return BadRequest(ModelState);
}
List list = await context.Lists.SingleOrDefaultAsync(l => l.ID == id);
if (list == null)
{
return NotFound();
}
User postingUser = await context.Users.SingleOrDefaultAsync(u => u.ID == list.CreationUserID);
if (postingUser == null || postingUser.Secret != userSecret)
{
return Forbid();
}
await context.ListInvites.AddAsync(new ListInvite{ListID = id, InviteSecret = inviteSecret});
await context.SaveChangesAsync();
return Ok();
}
....
}
事情是:每当这个方法被调用并通过return Forbid();
退出时,Kestrel会在之后抛出一个InvalidOperationException
并带有消息
The thing is: Whenever this method gets called and it exits through return Forbid();
, Kestrel throws an InvalidOperationException
afterwards with the message
没有配置身份验证处理程序来处理方案:自动
No authentication handler is configured to handle the scheme: Automatic
(当然服务器返回 500).奇怪的是,我没有在任何地方进行任何身份验证,并且它不会发生,例如如果方法以 return Ok();
离开.在这一点上,我真的很迷茫,因为如果你尝试用谷歌搜索这个问题,你会得到解决方案而不是解决方案......对于实际进行身份验证并遇到问题的人.我真的希望这里有人知道如何解决这个问题和/或我可以做些什么来找出发生这种情况的原因.
(and of course the server returns a 500). What's strange about it is the fact that I am not doing any authentication whatsoever anywhere, and it does not happen e.g. if the method leaves with return Ok();
. I'm really lost at this point because if you try to google this problem you get solutions over solutions... for people who actually do auth and have a problem with it. I really hope someone over here knows how to resolve this and/or what I could do to find out why this happens.
推荐答案
Like SignIn
, SignOut
or Challenge
, Forbid
依赖于身份验证堆栈来决定返回禁止"响应的正确做法:某些身份验证处理程序(如 JWT 承载中间件)返回 403 响应,而其他人(如 cookie 中间件)更喜欢将用户重定向到访问被拒绝页面".
Like SignIn
, SignOut
or Challenge
, Forbid
relies on the authentication stack to decide what's the right thing to do to return a "forbidden" response: some authentication handlers like the JWT bearer middleware return a 403 response while others - like the cookie middleware - prefer redirecting the user to an "access denied page".
如果您的管道中没有任何身份验证处理程序,则无法使用此方法.而是使用 return StatusCode(403)
.
If you don't have any authentication handler in your pipeline, you can't use this method. Instead, use return StatusCode(403)
.
这篇关于ASP.NET Core 在 Forbid() 上给我代码 500的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!