ASP.NET Core 在 Forbid() 上给我代码 500 [英] ASP.NET Core giving me Code 500 on Forbid()

问题描述

我试图解决这个问题几个小时，但我找不到任何东西.基本上我有一个简单的控制器，大致如下所示:

I tried to solve this for hours now and I can not find anything. Basicly I have a simple controller which roughly looks like this:

[Route("v1/lists")]
public class ListController : Controller
{
    ...

    [HttpPost("{id}/invite")]
    public async Task<IActionResult> PostInvite([FromBody] string inviteSecret, [FromRoute] int id, [FromQuery] string userSecret)
    {
        if (!ModelState.IsValid)
        {
            return BadRequest(ModelState);
        }

        List list = await context.Lists.SingleOrDefaultAsync(l => l.ID == id);
        if (list == null)
        {
            return NotFound();
        }

        User postingUser = await context.Users.SingleOrDefaultAsync(u => u.ID == list.CreationUserID);
        if (postingUser == null || postingUser.Secret != userSecret)
        {
            return Forbid();
        }

        await context.ListInvites.AddAsync(new ListInvite{ListID = id, InviteSecret = inviteSecret});
        await context.SaveChangesAsync();
        return Ok();
    }

    ....
}

事情是:每当这个方法被调用并通过return Forbid();退出时，Kestrel会在之后抛出一个InvalidOperationException并带有消息

The thing is: Whenever this method gets called and it exits through return Forbid();, Kestrel throws an InvalidOperationException afterwards with the message

没有配置身份验证处理程序来处理方案:自动

No authentication handler is configured to handle the scheme: Automatic

(当然服务器返回 500).奇怪的是，我没有在任何地方进行任何身份验证，并且它不会发生，例如如果方法以 return Ok(); 离开.在这一点上，我真的很迷茫，因为如果你尝试用谷歌搜索这个问题，你会得到解决方案而不是解决方案......对于实际进行身份验证并遇到问题的人.我真的希望这里有人知道如何解决这个问题和/或我可以做些什么来找出发生这种情况的原因.

(and of course the server returns a 500). What's strange about it is the fact that I am not doing any authentication whatsoever anywhere, and it does not happen e.g. if the method leaves with return Ok();. I'm really lost at this point because if you try to google this problem you get solutions over solutions... for people who actually do auth and have a problem with it. I really hope someone over here knows how to resolve this and/or what I could do to find out why this happens.

推荐答案

Like SignIn, SignOut or Challenge, Forbid 依赖于身份验证堆栈来决定返回禁止"响应的正确做法:某些身份验证处理程序(如 JWT 承载中间件)返回 403 响应，而其他人(如 cookie 中间件)更喜欢将用户重定向到访问被拒绝页面".

Like SignIn, SignOut or Challenge, Forbid relies on the authentication stack to decide what's the right thing to do to return a "forbidden" response: some authentication handlers like the JWT bearer middleware return a 403 response while others - like the cookie middleware - prefer redirecting the user to an "access denied page".

如果您的管道中没有任何身份验证处理程序，则无法使用此方法.而是使用 return StatusCode(403).

If you don't have any authentication handler in your pipeline, you can't use this method. Instead, use return StatusCode(403).

这篇关于ASP.NET Core 在 Forbid() 上给我代码 500的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！