Implement AuthorizeFilter as follows:
public class TheAuthrizeAttribute : AuthorizationFilterAttribute
{
    public async override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
    {
        var db = new MockDB();
        bool pass = await db.AsyncValidate(actionContext.Request);
        // validate;
        if (!pass)
        {
            actionContext.Response = new System.Net.Http.HttpResponseMessage(HttpStatusCode.Unauthorized);
        }
    }
}
db.AsyncValidate returns in 500 ms. However, the workflow continues without waiting for its return, and the action with this AuthorizeAttribute is ultimately executed.
Comments: Thanks for the comments, Tugberk. I agree with you on the argument that AuthorizationFilterAttribute methods are never meant to be consumed async, and neither are AuthorizeAttribute's. In addition, OnAuthorization is actually an exception, because only a method with void as its return type can be overloaded by an async method. However, it would be better for this to be addressed, since the design of these two classes makes it too easy to mislead developers into writing an incorrect async implementation. Troy
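An added example (not code from this issue or from the Web API project) of the same check written so that the pipeline has to await it: the filter implements IAuthorizationFilter.ExecuteAuthorizationFilterAsync directly instead of overriding the void OnAuthorization. The name AwaitedAuthorizeAttribute, the MockDB stub and its header rule are assumptions made for illustration.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Stand-in for the MockDB in the report (assumed shape: Task<bool> after ~500 ms).
public class MockDB
{
    public async Task<bool> AsyncValidate(HttpRequestMessage request)
    {
        await Task.Delay(500);
        // Constructed rule for the example: pass only if an Authorization header is present.
        return request.Headers.Authorization != null;
    }
}

// Returns a Task to the pipeline, so the action cannot start before validation ends.
public class AwaitedAuthorizeAttribute : Attribute, IAuthorizationFilter
{
    public bool AllowMultiple { get { return false; } }

    public async Task<HttpResponseMessage> ExecuteAuthorizationFilterAsync(
        HttpActionContext actionContext,
        CancellationToken cancellationToken,
        Func<Task<HttpResponseMessage>> continuation)
    {
        bool pass;
        try
        {
            pass = await new MockDB().AsyncValidate(actionContext.Request);
        }
        catch (Exception)
        {
            // Fail closed: a validation error must not fall through to the action.
            pass = false;
        }
        if (!pass)
        {
            // Short-circuit: continuation() is never invoked, so the action does not run.
            return new HttpResponseMessage(HttpStatusCode.Unauthorized)
            {
                RequestMessage = actionContext.Request
            };
        }
        // Reached only after validation has completed and succeeded.
        return await continuation();
    }
}
```

With the async void override in the report, the method returns to the caller at the first await, which is why the action runs before the 500 ms validation finishes; here the caller holds the returned Task and the action is only reachable through continuation().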