Skip to content

Refuse to start in production when EasyAuth providers lack Azure environment signals#3699

Open
Aniruddh25 wants to merge 7 commits into
mainfrom
dev/anmunde/fixXMSClientHeader
Open

Refuse to start in production when EasyAuth providers lack Azure environment signals#3699
Aniruddh25 wants to merge 7 commits into
mainfrom
dev/anmunde/fixXMSClientHeader

Conversation

@Aniruddh25

@Aniruddh25 Aniruddh25 commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

Why make this change?

  • Closes Restrict AppService auth provider usage to Azure platform only in production mode #3710
  • Related to the security posture of EasyAuth-based authentication providers (StaticWebApps, AppService).
    • DAB does not cryptographically verify the X-MS-CLIENT-PRINCIPAL header — it is decoded and trusted as-is. The header is only sanitized and re-injected by the Azure Static Web Apps or App Service EasyAuth proxy layer. When DAB is exposed directly (Docker, bare-metal, AKS, etc.) without that proxy in front, any client can forge the header and impersonate any user or role.
    • Previously there was a development-mode warning for the AppService provider but no guard for StaticWebApps, and no enforcement at all in production mode for either provider.

What is this change?

  • AppServiceAuthenticationInformation.cs: Updated the APPSERVICE_PROD_MISSING_ENV_CONFIG and APPSERVICE_DEV_MISSING_ENV_CONFIG message constants to explicitly call out the header-forgery risk.

  • StaticWebAppsAuthentication.cs: Added parallel constants (SWA_PROD_MISSING_ENV_CONFIG, SWA_DEV_MISSING_ENV_CONFIG, WEBSITE_SITE_NAME_ENVVAR) and a new AreExpectedSWAEnvVarsPresent() helper that checks for the WEBSITE_SITE_NAME environment variable — the Azure-platform signal present in every SWA-hosted app.

  • Startup.csConfigureAuthentication: Extended the existing AppService env-var check to also cover StaticWebApps, with a symmetric two-tier policy:

    Provider host.mode = development host.mode = production
    AppService, env vars absent LogLevel.Warning (unchanged) DataApiBuilderExceptionrefuses to start (new)
    StaticWebApps, WEBSITE_SITE_NAME absent LogLevel.Warning (new) DataApiBuilderExceptionrefuses to start (new)

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens EasyAuth authentication provider configuration by preventing the service from starting in non-Azure(-signaled) environments when running in production mode, reducing the risk of X-MS-CLIENT-PRINCIPAL header forgery when no trusted proxy is present.

Changes:

  • Enforce production-mode startup failure for AppService EasyAuth when expected App Service EasyAuth environment variables are missing.
  • Add a similar startup guard for StaticWebApps based on presence of WEBSITE_SITE_NAME, with warnings in development mode.
  • Expand the App Service and Static Web Apps warning/error messages to explicitly call out the header-forgery risk.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File Description
src/Service/Startup.cs Adds production-mode refusal-to-start for AppService and StaticWebApps EasyAuth when platform signals are missing.
src/Core/AuthenticationHelpers/StaticWebAppsAuthentication.cs Introduces SWA-specific messages and an environment-signal helper for startup-time validation.
src/Core/AuthenticationHelpers/AppServiceAuthenticationInformation.cs Updates message constants to more explicitly describe the security risk and remediation.

Comment thread src/Core/AuthenticationHelpers/StaticWebAppsAuthentication.cs
Comment thread src/Core/AuthenticationHelpers/StaticWebAppsAuthentication.cs
Comment thread src/Service/Startup.cs
@Aniruddh25 Aniruddh25 changed the title security: refuse to start in production when EasyAuth providers lack Azure environment signals Refuse to start in production when EasyAuth providers lack Azure environment signals Jul 7, 2026
@Aniruddh25

Copy link
Copy Markdown
Collaborator Author

@copilot, fix all the tests which expect the environment variable WEBSITE_SITE_NAME to be set for StaticWebApps auth provider
e.g. Test method Azure.DataApiBuilder.Service.Tests.Configuration.ConfigurationTests.TestAutoentitiesAreGeneratedIntoEntities

Similarly, fix all tests with AppService as the auth provider to set the environment variable that it expects

Copilot AI commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

@copilot, fix all the tests which expect the environment variable WEBSITE_SITE_NAME to be set for StaticWebApps auth provider
e.g. Test method Azure.DataApiBuilder.Service.Tests.Configuration.Config...

Implemented in commit e87067f.

I updated the test setup so EasyAuth provider tests now set the expected environment variables:

  • Added shared test helpers to set/clear AppService (WEBSITE_AUTH_ENABLED + identity provider) and StaticWebApps (WEBSITE_SITE_NAME) env vars.
  • Applied setup in configuration/health test classes and in SqlTestHelper.InitBasicRuntimeConfigWithNoEntity, so tests using AppService/StaticWebApps runtime auth providers have the required env signals before startup.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Restrict AppService auth provider usage to Azure platform only in production mode

5 participants