Refuse to start in production when EasyAuth providers lack Azure environment signals#3699
Refuse to start in production when EasyAuth providers lack Azure environment signals#3699Aniruddh25 wants to merge 7 commits into
Conversation
There was a problem hiding this comment.
Pull request overview
This PR hardens EasyAuth authentication provider configuration by preventing the service from starting in non-Azure(-signaled) environments when running in production mode, reducing the risk of X-MS-CLIENT-PRINCIPAL header forgery when no trusted proxy is present.
Changes:
- Enforce production-mode startup failure for
AppServiceEasyAuth when expected App Service EasyAuth environment variables are missing. - Add a similar startup guard for
StaticWebAppsbased on presence ofWEBSITE_SITE_NAME, with warnings in development mode. - Expand the App Service and Static Web Apps warning/error messages to explicitly call out the header-forgery risk.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/Service/Startup.cs | Adds production-mode refusal-to-start for AppService and StaticWebApps EasyAuth when platform signals are missing. |
| src/Core/AuthenticationHelpers/StaticWebAppsAuthentication.cs | Introduces SWA-specific messages and an environment-signal helper for startup-time validation. |
| src/Core/AuthenticationHelpers/AppServiceAuthenticationInformation.cs | Updates message constants to more explicitly describe the security risk and remediation. |
|
@copilot, fix all the tests which expect the environment variable WEBSITE_SITE_NAME to be set for StaticWebApps auth provider Similarly, fix all tests with AppService as the auth provider to set the environment variable that it expects |
Implemented in commit I updated the test setup so EasyAuth provider tests now set the expected environment variables:
|
Why make this change?
StaticWebApps,AppService).X-MS-CLIENT-PRINCIPALheader — it is decoded and trusted as-is. The header is only sanitized and re-injected by the Azure Static Web Apps or App Service EasyAuth proxy layer. When DAB is exposed directly (Docker, bare-metal, AKS, etc.) without that proxy in front, any client can forge the header and impersonate any user or role.AppServiceprovider but no guard forStaticWebApps, and no enforcement at all in production mode for either provider.What is this change?
AppServiceAuthenticationInformation.cs: Updated theAPPSERVICE_PROD_MISSING_ENV_CONFIGandAPPSERVICE_DEV_MISSING_ENV_CONFIGmessage constants to explicitly call out the header-forgery risk.StaticWebAppsAuthentication.cs: Added parallel constants (SWA_PROD_MISSING_ENV_CONFIG,SWA_DEV_MISSING_ENV_CONFIG,WEBSITE_SITE_NAME_ENVVAR) and a newAreExpectedSWAEnvVarsPresent()helper that checks for theWEBSITE_SITE_NAMEenvironment variable — the Azure-platform signal present in every SWA-hosted app.Startup.cs—ConfigureAuthentication: Extended the existing AppService env-var check to also coverStaticWebApps, with a symmetric two-tier policy:host.mode = developmenthost.mode = productionAppService, env vars absentLogLevel.Warning(unchanged)DataApiBuilderException— refuses to start (new)StaticWebApps,WEBSITE_SITE_NAMEabsentLogLevel.Warning(new)DataApiBuilderException— refuses to start (new)X-MS-CLIENT-PRINCIPAL: https://learn.microsoft.com/azure/static-web-apps/user-information?tabs=csharp