Fix WAF API ingress and harden web auth configuration

Author: Ashwal-Microsoft

infra/main.bicep

@@ -1119,7 +1119,7 @@ module avmContainerApp_API 'br/public:avm/res/app/container-app:0.19.0' = {
         }
       ]
     }
-    ingressExternal: true
+    ingressExternal: !enablePrivateNetworking
     activeRevisionsMode: 'Single'
     ingressTransport: 'auto'
     corsPolicy: {
@@ -1771,7 +1771,7 @@ module avmContainerApp_API_update 'br/public:avm/res/app/container-app:0.19.0' =
         }
       ]
     }
-    ingressExternal: true
+    ingressExternal: !enablePrivateNetworking
     activeRevisionsMode: 'Single'
     ingressTransport: 'auto'
     corsPolicy: {

infra/main_custom.bicep

@@ -1132,7 +1132,7 @@ module avmContainerApp_API 'br/public:avm/res/app/container-app:0.19.0' = {
         }
       ]
     }
-    ingressExternal: true
+    ingressExternal: !enablePrivateNetworking
     activeRevisionsMode: 'Single'
     ingressTransport: 'auto'
     corsPolicy: {
@@ -1804,7 +1804,7 @@ module avmContainerApp_API_update 'br/public:avm/res/app/container-app:0.19.0' =
         }
       ]
     }
-    ingressExternal: true
+    ingressExternal: !enablePrivateNetworking
     activeRevisionsMode: 'Single'
     ingressTransport: 'auto'
     corsPolicy: {

src/ContentProcessorWeb/azure_cicd.yaml

@@ -91,7 +91,7 @@ steps:
             --image $(acrLoginServer)/$(imageRepository):$(Build.BuildId) \
             --cpu 4.0 \
             --memory 8.0Gi \
-            --set-env-vars APP_API_BASE_URL=$cpsApiBaseUrl APP_WEB_CLIENT_ID=$(appWebClientId) APP_WEB_AUTHORITY=$(appWebAuthority) APP__WEB_SCOPE=$(appWebScope) APP_API_SCOPE=$(appApiScope) APP_AUTH_ENABLED=false
+            --set-env-vars APP_API_BASE_URL=$cpsApiBaseUrl APP_WEB_CLIENT_ID=$(appWebClientId) APP_WEB_AUTHORITY=$(appWebAuthority) APP_WEB_SCOPE=$(appWebScope) APP_API_SCOPE=$(appApiScope) APP_AUTH_ENABLED=false
         else
         # Create the container app with the new image and registry settings
           az containerapp create \
@@ -104,7 +104,7 @@ steps:
             --registry-server $(acrLoginServer) \
             --registry-identity $managedIdentityResourceId \
             --ingress external \ 
-            --env-vars APP_API_BASE_URL=$cpsApiBaseUrl APP_WEB_CLIENT_ID=$(appWebClientId) APP_WEB_AUTHORITY=$(appWebAuthority) APP__WEB_SCOPE=$(appWebScope) APP_API_SCOPE=$(appApiScope) APP_AUTH_ENABLED=false
+            --env-vars APP_API_BASE_URL=$cpsApiBaseUrl APP_WEB_CLIENT_ID=$(appWebClientId) APP_WEB_AUTHORITY=$(appWebAuthority) APP_WEB_SCOPE=$(appWebScope) APP_API_SCOPE=$(appApiScope) APP_AUTH_ENABLED=false
 
         fi
     displayName: 'Deploy container to Azure Container App'

src/ContentProcessorWeb/src/Services/httpUtility.ts

@@ -10,6 +10,20 @@
 
 const api: string = process.env.REACT_APP_API_BASE_URL as string;
 
+const isAuthEnabled = (): boolean =>
+  process.env.REACT_APP_AUTH_ENABLED?.toLowerCase() !== 'false';
+
+const isUsableToken = (token: string | null): token is string => {
+  if (!token) return false;
+  const value = token.trim();
+  if (!value) return false;
+  if (value.toLowerCase() === 'null' || value.toLowerCase() === 'undefined') {
+    return false;
+  }
+  if (value.startsWith('APP_')) return false;
+  return true;
+};
+
 interface FetchResponse<T> {
   data: T | null;
   status: number;
@@ -73,11 +87,14 @@ const fetchWithAuth = async <T>(
   const token = localStorage.getItem('token');
 
   const headers: Record<string, string> = {
-    'Authorization': `Bearer ${token}`,
     'Accept': 'application/json',
     'Cache-Control': 'no-cache',
   };
 
+  if (isAuthEnabled() && isUsableToken(token)) {
+    headers['Authorization'] = `Bearer ${token}`;
+  }
+
   let processedBody: BodyInit | null = null;
   if (body instanceof FormData) {
     processedBody = body;
@@ -132,12 +149,15 @@ const fetchHeadersWithAuth = async <T>(
   const token = localStorage.getItem('token');
 
   const headers: Record<string, string> = {
-    'Authorization': `Bearer ${token}`,
     'Content-Type': 'application/json',
     'Accept': 'application/json',
     'Cache-Control': 'no-cache',
   };
 
+  if (isAuthEnabled() && isUsableToken(token)) {
+    headers['Authorization'] = `Bearer ${token}`;
+  }
+
   if (body instanceof FormData) {
     delete headers['Content-Type'];
   } else {

src/ContentProcessorWeb/src/msal-auth/msaConfig.ts

@@ -7,6 +7,16 @@
  */
 import { Configuration, LogLevel } from '@azure/msal-browser';
 
+const isUsableScope = (scope?: string): scope is string => {
+  if (!scope) return false;
+  const value = scope.trim();
+  if (!value) return false;
+  // Guard against unresolved placeholders from env substitution.
+  if (value.startsWith('APP_')) return false;
+  if (value.startsWith('<') && value.endsWith('>')) return false;
+  return true;
+};
+
 export const msalConfig: Configuration = {
   auth: {
     clientId: process.env.REACT_APP_WEB_CLIENT_ID as string,
@@ -31,14 +41,25 @@ export const msalConfig: Configuration = {
 const loginScope = process.env.REACT_APP_WEB_SCOPE as string;
 const tokenScope = process.env.REACT_APP_API_SCOPE as string;
 
+const loginScopes = ['user.read'];
+if (isUsableScope(loginScope)) {
+  loginScopes.push(loginScope);
+}
+
+const tokenScopes = isUsableScope(tokenScope)
+  ? [tokenScope]
+  : isUsableScope(loginScope)
+    ? [loginScope]
+    : ['user.read'];
+
 export const loginRequest = {
-  scopes: ["user.read", loginScope],
+  scopes: loginScopes,
 };
 
 export const graphConfig = {
   graphMeEndpoint: "https://graph.microsoft.com/v1.0/me",
 };
 
 export const tokenRequest = {
-  scopes: [tokenScope],
+  scopes: tokenScopes,
 };