api-management-developer-portal
Incorrect message for invalid/missing subscription key using policy fragment with cors & Users shouldn't be able to send requests when not subscribed.
Bug description
- An incorrect message is shown when the subscription key is incorrect or missing. The CORS policy has been set using a policy fragment, and it works as expected with the correct subscription key. This isn't an issue when not using policy fragments (setting CORS in API scope without a policy fragment).
Issue:
Expected Response:
- Users shouldn't be able to send requests for APIs within products that require subscription keys; it is possible to do this currently. There should be some kind of message/error letting the user know that a subscription is required for the API, like in the old portal.
New Portal Ex:
Old Portal Ex:
Reproduction steps
First Bug:
- Create policy fragment that has cors policy.
- Add cors policy fragment to API scope.
- Go to the api-details page for an API that you are subscribed to and test with the correct subscription key. (It should work).
- Test with incorrect subscription key (CORS error).
- Update CORS without policy fragment.
- Test again with incorrect subscription key (expected behavior 401 response).
Second Bug:
- Go to the api-details page for an API whose product requires a subscription key and you are not subscribed to it.
- Click try it for pop up.
- Test API without inputting subscription key (It should allow you to send request).
Expected behavior
- An incorrect message related to CORS is displayed when using a policy fragment that contains the CORS policy. It should work the same whether or not CORS is in a policy fragment.
- For APIs whose product requires a subscription key, it shouldn't be possible to test it without inputting a subscription key.
Is your portal managed or self-hosted?
Self-hosted (Managed has same issue)
Release: 2.23.0
Environment
Google Chrome
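
A triage aid for the first bug, added here and not part of the original issue or the portal's code: it applies a simplified version of the browser's CORS response check to raw gateway responses (captured with a non-browser client) to tell the two reported outcomes apart, a readable 401 versus a CORS error. The origin, header values and sample responses are constructed, and the function names are hypothetical; it makes no claim about why the fragment case behaves differently.

```javascript
// Added example: simplified model of the browser's CORS response check.
// PORTAL_ORIGIN and the sample responses are constructed placeholders.
const PORTAL_ORIGIN = "https://portal.example";

// Header names are case-insensitive, so compare on lower-cased keys.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// True when script running on `origin` is allowed to read the response.
function corsCheckPasses(headers, origin, withCredentials = false) {
  const h = normalize(headers);
  const allow = h["access-control-allow-origin"];
  if (allow === undefined) return false;           // no CORS headers at all
  if (allow === "*") return !withCredentials;      // wildcard is not valid with credentials
  if (allow !== origin) return false;              // must match the caller's origin exactly
  return !withCredentials || h["access-control-allow-credentials"] === "true";
}

// What a browser-based test console can observe for a raw gateway response.
function observedOutcome(response, origin, withCredentials = false) {
  if (!corsCheckPasses(response.headers, origin, withCredentials)) {
    return "cors-error"; // status and body stay hidden from the page's script
  }
  return `http-${response.status}`;
}

// Constructed samples: the same 401 with and without CORS response headers.
const samples = {
  rejectedWithCorsHeaders: {
    status: 401,
    headers: { "Access-Control-Allow-Origin": PORTAL_ORIGIN },
  },
  rejectedWithoutCorsHeaders: {
    status: 401,
    headers: { "Content-Type": "application/json" },
  },
};

for (const [name, res] of Object.entries(samples)) {
  console.log(name, "->", observedOutcome(res, PORTAL_ORIGIN));
}
```

Feeding it the status and headers of the real 401 from both configurations (fragment and inline) shows whether the difference lies in the response headers the gateway returns.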