[Authorize] appears to merely fake the response
Create a project following the steps in https://chillicream.com/docs/hotchocolate/v12/security/authentication and https://chillicream.com/docs/hotchocolate/v12/security/authorization
You'll now have a class with [Authorize], a basic query class which resolves on id/resolve all/whatever, and supposedly secured by a JWT token.
Performing a GraphQL query against the endpoint without a JWT token (or with an invalid one) will result in the error "The current user is not authorized to access this resource", as expected, but the endpoint is called and all the code is executed; only the response is altered.
No actual authentication/authorization checks are run at all before executing the code. Only the response is faked to indicate that the query failed.
Might have been fixed in https://github.com/ChilliCream/graphql-platform/pull/5819/files
I have not tested it.