Fix middleware execution order so rate limiting comes after authentication.

Spencer Twaddle
2026-06-20 13:43:18 -05:00
parent 1c4cc3c79f
commit ad5406a5d7
+4 -2
@@ -171,12 +171,14 @@ using (var scope = app.Services.CreateScope())
app.UseForwardedHeaders(); app.UseForwardedHeaders();
app.UseMiddleware<ErrorHandlingMiddleware>(); app.UseMiddleware<ErrorHandlingMiddleware>();
app.UseRateLimiter();
app.UseDefaultFiles(); app.UseDefaultFiles();
app.UseStaticFiles(); app.UseStaticFiles();
// Authentication must run before the rate limiter so limiter partitions can
// read the validated "sub" claim; otherwise every authenticated request falls
// back to the per-IP bucket (auth-hardening-review.md, finding B-1).
app.UseAuthentication(); app.UseAuthentication();
app.UseRateLimiter();
app.UseAuthorization(); app.UseAuthorization();
app.MapControllers(); app.MapControllers();