Skip to content

Commit 438323a

Browse files
committed
Add warning for using SWA provider without the Azure Platform
1 parent a4505f8 commit 438323a

3 files changed

Lines changed: 70 additions & 2 deletions

File tree

src/Core/AuthenticationHelpers/AppServiceAuthenticationInformation.cs

Lines changed: 10 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -19,14 +19,22 @@ public static class AppServiceAuthenticationInfo
1919
/// Environment variable key whose value represents Identity Provider such as "AzureActiveDirectory"
2020
/// </summary>
2121
public const string APPSERVICESAUTH_IDENTITYPROVIDER_ENVVAR = "WEBSITE_AUTH_DEFAULT_PROVIDER";
22+
23+
// ── AppService messages ──────────────────────────────────────────────────────────────────────
2224
/// <summary>
2325
/// Error message used when AppService Authentication is configured in production mode in a non AppService Environment.
2426
/// </summary>
25-
public const string APPSERVICE_PROD_MISSING_ENV_CONFIG = "AppService environment not detected while runtime is in production mode.";
27+
public const string APPSERVICE_PROD_MISSING_ENV_CONFIG =
28+
"AppService environment not detected while runtime is in production mode. " +
29+
"The X-MS-CLIENT-PRINCIPAL header is not cryptographically validated by DAB and can be trivially " +
30+
"forged when the service is not hosted behind an Azure App Service EasyAuth proxy. " +
31+
"Set host.mode to 'development' for local testing, or deploy behind Azure App Service.";
2632
/// <summary>
2733
/// Warning message logged when AppService environment not detected (applicable to development mode).
2834
/// </summary>
29-
public const string APPSERVICE_DEV_MISSING_ENV_CONFIG = "AppService environment not detected, EasyAuth authentication may not behave as expected.";
35+
public const string APPSERVICE_DEV_MISSING_ENV_CONFIG =
36+
"AppService environment not detected. The X-MS-CLIENT-PRINCIPAL header is not cryptographically " +
37+
"validated; EasyAuth authentication may not behave as expected outside an Azure App Service environment.";
3038

3139
/// <summary>
3240
/// Returns a best guess whether AppService is enabled in the environment by checking for

src/Core/AuthenticationHelpers/StaticWebAppsAuthentication.cs

Lines changed: 35 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,31 @@ public class StaticWebAppsClientPrincipal
3333
public IEnumerable<string>? UserRoles { get; set; }
3434
}
3535

36+
/// <summary>
37+
/// Environment variable key set by the Azure platform for every App Service and Static Web Apps
38+
/// hosted site. Its presence is the best-effort signal that the runtime is executing behind an
39+
/// Azure-managed proxy that injects and validates the X-MS-CLIENT-PRINCIPAL header.
40+
/// </summary>
41+
public const string WEBSITE_SITE_NAME_ENVVAR = "WEBSITE_SITE_NAME";
42+
43+
// ── StaticWebApps messages ───────────────────────────────────────────────────────────────────
44+
/// <summary>
45+
/// Error message used when StaticWebApps Authentication is configured in production mode
46+
/// without a detectable Azure-hosted environment.
47+
/// </summary>
48+
public const string SWA_PROD_MISSING_ENV_CONFIG =
49+
"StaticWebApps environment not detected while runtime is in production mode. " +
50+
"The X-MS-CLIENT-PRINCIPAL header is not cryptographically validated by DAB and can be trivially " +
51+
"forged when the service is not hosted behind an Azure Static Web Apps proxy. " +
52+
"Set host.mode to 'development' for local testing, or deploy behind Azure Static Web Apps.";
53+
54+
/// <summary>
55+
/// Warning message logged when StaticWebApps environment not detected (applicable to development mode).
56+
/// </summary>
57+
public const string SWA_DEV_MISSING_ENV_CONFIG =
58+
"StaticWebApps environment not detected. The X-MS-CLIENT-PRINCIPAL header is not cryptographically " +
59+
"validated; EasyAuth authentication may not behave as expected outside an Azure Static Web Apps environment.";
60+
3661
/// <summary>
3762
/// Base64 decodes and deserializes the x-ms-client-principal payload containing
3863
/// SWA token metadata.
@@ -98,4 +123,14 @@ error is NotSupportedException ||
98123

99124
return identity;
100125
}
126+
127+
/// <summary>
128+
/// Returns a best-effort indication that the runtime is executing inside an Azure Static Web Apps
129+
/// environment by checking for the presence of <see cref="WEBSITE_SITE_NAME_ENVVAR"/>, which is
130+
/// injected by the Azure platform for every SWA-hosted application.
131+
/// </summary>
132+
public static bool AreExpectedSWAEnvVarsPresent()
133+
{
134+
return !string.IsNullOrEmpty(Environment.GetEnvironmentVariable(WEBSITE_SITE_NAME_ENVVAR));
135+
}
101136
}

src/Service/Startup.cs

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1148,11 +1148,36 @@ private void ConfigureAuthentication(IServiceCollection services, RuntimeConfigP
11481148
EasyAuthType easyAuthType = EnumExtensions.Deserialize<EasyAuthType>(runtimeConfig.Runtime.Host.Authentication.Provider);
11491149
bool isProductionMode = mode != HostMode.Development;
11501150
bool appServiceEnvironmentDetected = AppServiceAuthenticationInfo.AreExpectedAppServiceEnvVarsPresent();
1151+
bool swaEnvironmentDetected = StaticWebAppsAuthentication.AreExpectedSWAEnvVarsPresent();
11511152

11521153
if (easyAuthType == EasyAuthType.AppService && !appServiceEnvironmentDetected)
11531154
{
1155+
if (isProductionMode)
1156+
{
1157+
// SECURITY: In production the X-MS-CLIENT-PRINCIPAL header is blindly trusted.
1158+
// Refuse to start when there is no evidence of an App Service EasyAuth proxy.
1159+
throw new DataApiBuilderException(
1160+
message: AppServiceAuthenticationInfo.APPSERVICE_PROD_MISSING_ENV_CONFIG,
1161+
statusCode: System.Net.HttpStatusCode.ServiceUnavailable,
1162+
subStatusCode: DataApiBuilderException.SubStatusCodes.ConfigValidationError);
1163+
}
1164+
11541165
_logBuffer.BufferLog(LogLevel.Warning, AppServiceAuthenticationInfo.APPSERVICE_DEV_MISSING_ENV_CONFIG);
11551166
}
1167+
else if (easyAuthType == EasyAuthType.StaticWebApps && !swaEnvironmentDetected)
1168+
{
1169+
if (isProductionMode)
1170+
{
1171+
// SECURITY: In production the X-MS-CLIENT-PRINCIPAL header is blindly trusted.
1172+
// Refuse to start when there is no evidence of a Static Web Apps proxy.
1173+
throw new DataApiBuilderException(
1174+
message: StaticWebAppsAuthentication.SWA_PROD_MISSING_ENV_CONFIG,
1175+
statusCode: System.Net.HttpStatusCode.ServiceUnavailable,
1176+
subStatusCode: DataApiBuilderException.SubStatusCodes.ConfigValidationError);
1177+
}
1178+
1179+
_logBuffer.BufferLog(LogLevel.Warning, StaticWebAppsAuthentication.SWA_DEV_MISSING_ENV_CONFIG);
1180+
}
11561181

11571182
string defaultScheme = easyAuthType == EasyAuthType.AppService
11581183
? EasyAuthAuthenticationDefaults.APPSERVICEAUTHSCHEME

0 commit comments

Comments
 (0)