Implement AuthorizeFilter as follows:
    public class TheAuthrizeAttribute : AuthorizationFilterAttribute
    {
        public async override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
        {
            var db = new MockDB();
            bool pass = await db.AsyncValidate(actionContext.Request);
            // validate;
            if (!pass)
            {
                actionContext.Response = new System.Net.Http.HttpResponseMessage(HttpStatusCode.Unauthorized);
            }
        }
    }
db.AsyncValidate returns in 500 ms. However, the workflow continues without waiting for its return, and the Action with this AuthorizeAttribute is ultimately executed.
Comments: The problem is that the OnAuthorization method cannot be awaited by the pipeline, and it will continue executing as soon as your method stops the logical execution flow on the first await. Your continuation will run no matter what, and you will set actionContext.Response if the condition is met, but it doesn't affect anything because the caller will have already finished checking whether the response is set or not. The AuthorizationFilterAttribute methods are never meant to be consumed async. Use the raw interface instead, as follows:

    public async Task<HttpResponseMessage> ExecuteAuthorizationFilterAsync(
        HttpActionContext actionContext,
        CancellationToken cancellationToken,
        Func<Task<HttpResponseMessage>> continuation)
    {
        var db = new MockDB();
        bool pass = await db.AsyncValidate(actionContext.Request);
        // validate;
        if (!pass)
        {
            // Returning here short-circuits the pipeline; the action is not invoked.
            return new System.Net.Http.HttpResponseMessage(HttpStatusCode.Unauthorized);
        }
        return await continuation();
    }
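Added example (not part of the original question or answer): a console program that reproduces the fail-open behaviour described above with a simplified stand-in for the Web API pipeline, next to the awaited form. FakeContext, ValidateAsync and Action are hypothetical names, and the validator is constructed to always reject after 500 ms.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

// Hypothetical stand-in for HttpActionContext; only the control flow is modelled.
class FakeContext { public HttpResponseMessage Response; }

static class Demo
{
    // Constructed validator: always rejects after 500 ms, like a slow db.AsyncValidate.
    static async Task<bool> ValidateAsync() { await Task.Delay(500); return false; }

    // Pattern from the question: async void hands control back at the first await.
    static async void OnAuthorization(FakeContext ctx)
    {
        if (!await ValidateAsync())
            ctx.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
    }

    // Pattern from the answer: the caller receives a Task it can await.
    static async Task<HttpResponseMessage> ExecuteAuthorizationFilterAsync(
        FakeContext ctx, Func<Task<HttpResponseMessage>> continuation)
    {
        if (!await ValidateAsync())
            return new HttpResponseMessage(HttpStatusCode.Unauthorized);
        return await continuation();
    }

    static Task<HttpResponseMessage> Action()
    {
        Console.WriteLine("  action executed");
        return Task.FromResult(new HttpResponseMessage(HttpStatusCode.OK));
    }

    static async Task Main()
    {
        // Simplified pipeline for the synchronous hook: call it, then inspect Response.
        var ctx = new FakeContext();
        OnAuthorization(ctx);
        var r1 = ctx.Response ?? await Action();   // Response is still null at this point
        Console.WriteLine($"async void filter -> {(int)r1.StatusCode}");
        await Task.Delay(600);                     // let the orphaned continuation finish
        Console.WriteLine($"  Response set too late: {(int)ctx.Response.StatusCode}");

        var r2 = await ExecuteAuthorizationFilterAsync(new FakeContext(), Action);
        Console.WriteLine($"awaited filter    -> {(int)r2.StatusCode}");
    }
}
```

In code review, an `async void` override on any authorization or authentication hook is worth flagging for this reason: the rejection is written after the caller has already decided to proceed.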