Where is implemented/configured/declared that Identity UI /Account/Manage pages require authenticati

Time:12-11

I've scaffolded all Identity UI pages into my ASP.NET Core (Razor Pages) project. The /Account/Manage pages should be restricted to authorized users, which works perfectly; however, I cannot find where this restriction is implemented/configured/declared.

I mean there are no traces of the [Authorize] attribute. I've also taken a look at the original sources, both 5.0.12 and 6.0.0, and the original UI source code also does not have such an attribute.

Question

Where is this authorization requirement (which is working and is in effect) implemented, coded/declared?

CodePudding user response:

I haven't followed the whole call stack from startup code:

    builder.Services.AddDefaultIdentity<IdentityUser>(options => options.SignIn.RequireConfirmedAccount = true)
        .AddEntityFrameworkStores<ApplicationDbContext>();

but in IdentityDefaultUIConfigureOptions:

https://github.com/dotnet/aspnetcore/blob/v5.0.12/src/Identity/UI/src/IdentityDefaultUIConfigureOptions.cs

there is the code:

    options.Conventions.AuthorizeAreaFolder(IdentityUIDefaultAreaName, "/Account/Manage");
    options.Conventions.AuthorizeAreaPage(IdentityUIDefaultAreaName, "/Account/Logout");

which uses: https://github.com/dotnet/aspnetcore/blob/0bc3c376f0cd14335e8b3afca69596acabeb1f80/src/Mvc/Mvc.RazorPages/src/DependencyInjection/PageConventionCollectionExtensions.cs#L407

that adds the attributes dynamically:

    public static PageConventionCollection AuthorizeAreaFolder(
        this PageConventionCollection conventions,
        string areaName,
        string folderPath,
        string policy)
    {
        if (conventions == null)
        {
            throw new ArgumentNullException(nameof(conventions));
        }

        if (string.IsNullOrEmpty(areaName))
        {
            throw new ArgumentException(Resources.ArgumentCannotBeNullOrEmpty, nameof(areaName));
        }

        if (string.IsNullOrEmpty(folderPath))
        {
            throw new ArgumentException(Resources.ArgumentCannotBeNullOrEmpty, nameof(folderPath));
        }

        conventions.AddAreaFolderApplicationModelConvention(areaName, folderPath, model =>
        {
            if (conventions.MvcOptions.EnableEndpointRouting)
            {
                model.EndpointMetadata.Add(new AuthorizeAttribute(policy));
            }
            else
            {
                model.Filters.Add(new AuthorizeFilter(policy));
            }
        });
        return conventions;
    }
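
Because the requirement is attached by a page convention rather than an `[Authorize]` attribute in source, one way to confirm it is in effect is to log the authorization metadata of the endpoint each request is routed to. The following is an added diagnostic example, not code from ASP.NET Core or from the scaffolded project; it assumes .NET 6 minimal hosting, and `ApplicationDbContext`, its namespace and the `DefaultConnection` connection string are assumptions taken from the standard project template.

```csharp
// Program.cs - added diagnostic example (not part of the Identity UI source).
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;
// Assumption: also add a using for the namespace that holds your ApplicationDbContext.

var builder = WebApplication.CreateBuilder(args);

// Assumption: DbContext type and connection string name as created by the template.
builder.Services.AddDbContext<ApplicationDbContext>(o =>
    o.UseSqlServer(builder.Configuration.GetConnectionString("DefaultConnection")));
builder.Services.AddDefaultIdentity<IdentityUser>(o => o.SignIn.RequireConfirmedAccount = true)
    .AddEntityFrameworkStores<ApplicationDbContext>();
builder.Services.AddRazorPages();

var app = builder.Build();

app.UseStaticFiles();
app.UseRouting();

// Placed after UseRouting (the endpoint has been selected) and before
// UseAuthorization (so anonymous requests are logged before being challenged).
app.Use(async (context, next) =>
{
    var endpoint = context.GetEndpoint();
    if (endpoint is not null)
    {
        // The same endpoint metadata the authorization middleware evaluates,
        // including entries added through model.EndpointMetadata by conventions.
        var authorize = endpoint.Metadata.GetOrderedMetadata<IAuthorizeData>();
        var allowAnonymous = endpoint.Metadata.GetMetadata<IAllowAnonymous>() is not null;
        var requirement = allowAnonymous ? "anonymous allowed"
            : authorize.Count == 0 ? "NO authorization metadata"
            : string.Join("; ", authorize.Select(a =>
                $"policy='{a.Policy}' roles='{a.Roles}' schemes='{a.AuthenticationSchemes}'"));
        app.Logger.LogInformation("{Path} -> {Endpoint}: {Requirement}",
            context.Request.Path, endpoint.DisplayName, requirement);
    }
    await next(context);
});

app.UseAuthentication();
app.UseAuthorization();
app.MapRazorPages();
app.Run();
```

Pages that log "NO authorization metadata" are reachable without authentication unless a fallback policy or a filter covers them, which makes this a quick way to audit coverage when searching the source for `[Authorize]` finds nothing.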