Fix middleware execution order so rate limiting comes after authentication.
@@ -171,12 +171,14 @@ using (var scope = app.Services.CreateScope())
|
||||
app.UseForwardedHeaders();
|
||||
app.UseMiddleware<ErrorHandlingMiddleware>();
|
||||
|
||||
app.UseRateLimiter();
|
||||
|
||||
app.UseDefaultFiles();
|
||||
app.UseStaticFiles();
|
||||
|
||||
// Authentication must run before the rate limiter so limiter partitions can
|
||||
// read the validated "sub" claim; otherwise every authenticated request falls
|
||||
// back to the per-IP bucket (auth-hardening-review.md, finding B-1).
|
||||
app.UseAuthentication();
|
||||
app.UseRateLimiter();
|
||||
app.UseAuthorization();
|
||||
|
||||
app.MapControllers();
|
||||
|
||||
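Review bot: Moving `app.UseRateLimiter()` below `app.UseAuthentication()` means every request, including ones that fail authentication, now pays the full token-validation cost before any bucket is consulted, and the static-file branch (`UseDefaultFiles`/`UseStaticFiles`, which short-circuits on a hit) is no longer rate-limited at all, whereas in the old order both were behind the limiter. The new comment explains why the claim-partitioned limiter needs the validated `sub`, but not this trade-off, so I would extend it with `// NOTE: requests that fail authentication still reach this limiter and land in the per-IP bucket; static files served above bypass it entirely.` If the per-IP fallback is expected to absorb unauthenticated bursts, consider keeping a cheap IP-keyed limiter ahead of `UseAuthentication()` (the `UseRateLimiter` overload that takes its own `RateLimiterOptions` appears suited to that) and leaving the claim-partitioned one here, or at least record the static-file change in the commit description. The per-IP bucket also presumably depends on `UseForwardedHeaders()` being restricted to known proxies, which is configured outside this hunk; the surrounding top-level statements continue beyond it.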