
Dispatch and Trigger Controller Actions Unexpectedly Included in all Swagger API Definitions in a Solution

Open jamshally opened this issue 3 years ago • 2 comments

Type:

Bug

Summary

Actual Behavior: Elsa.Activities.Http DispatchEndPoint and TriggerEndPoint endpoints are showing up in all Swagger API Definitions for all Web API projects in a solution, even when not explicitly configured to do so

Expected Behavior: the Elsa.Activities.Http DispatchEndPoint and TriggerEndPoint endpoints should only show up in Swagger API Definitions when they have been explicitly configured to be part of the Web API project

For a quick visual of the issue, see the screenshots at the end of this ticket

Problem This Causes

  • It is alarming, and a potential security concern, to find endpoints exposed through your own API without explicit configuration
  • In solutions with multiple Web API projects, the DispatchEndPoint and TriggerEndPoint somehow show up in all the Web API projects, not just the Web API projects for the Elsa workflow API

Reproduction Steps

  1. Create a new Web API Project in Visual Studio
  2. Run Web API and navigate to the Swagger UI Page (See Screenshot A below)
  3. Observe only the Get /WeatherForecast Endpoint
  4. Stop Web API, and add Elsa.Activities.Http
    • Note: Do NOT configure any Elsa services in the startup.cs (or program.cs) file
  5. Run Web API and navigate to the Swagger UI page
  6. Observe the DispatchEndPoint and TriggerEndPoint (See Screenshot B below)

Environment

  • Windows 10
  • Visual Studio 2022
  • .Net 6
  • Elsa.Activities.Http v2.4.0.1

Screenshots

A) --- Vanilla Web API Project ---

image

B) --- Vanilla Web API Project, Elsa.Activities.Http Nuget Package references, but no Elsa configuration ---

image

Coding Comments

Looking at the source code, I have been unable to see exactly how or why this controller self-registration behavior happens, and am very curious to understand the mechanism by which it occurs. I think maybe the 'Add Features' method is getting executed in the ElsaOptionsBuilder class, but how/why is this method getting executed?

Other Comments

Thanks for the great work on this library. I have been looking for an alternative to 'Azure Logic Apps' that is better suited to local and cross-platform development - and this looks like a great fit.

jamshally avatar Jan 25 '22 12:01 jamshally

Hi @jamshally

Thanks for this great & detailed issue!

As far as I know, this is normal behavior when adding swagger to the system where it uses the API explorer service to discover all controllers & actions in the system.

When adding the Elsa.Activities.Http library, your application suddenly inherits controllers exposed by this library.

I haven't found a way yet to let the user map controllers into their system explicitly, rather than implicitly. For Elsa 3 I'm considering relying on minimal APIs only, where it's up to the user to choose what endpoints they wish to map.

But surely there's a way to control this for API controllers too.

sfmskywalker avatar Feb 14 '22 11:02 sfmskywalker
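One way to make controller registration explicit in a Web API project that references Elsa.Activities.Http but should not host its endpoints, shown as an added example (not code from the Elsa project or from anyone in this thread). It assumes the default .NET 6 Web API template with Swashbuckle and that the application part name equals the package id `Elsa.Activities.Http`; `allowedAssemblies` is a hypothetical allowlist introduced for the startup audit.

```csharp
// Program.cs (.NET 6 minimal hosting, implicit usings enabled).
using System.Reflection;
using Microsoft.AspNetCore.Mvc.ApplicationParts;
using Microsoft.AspNetCore.Mvc.Controllers;
using Microsoft.AspNetCore.Mvc.Infrastructure;

var builder = WebApplication.CreateBuilder(args);

// Assumption: the assembly (application part) name matches the NuGet package id.
const string UnwantedPart = "Elsa.Activities.Http";

// Hypothetical allowlist: assemblies whose controllers this API is meant to expose.
var allowedAssemblies = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
{
    Assembly.GetExecutingAssembly().GetName().Name!
};

builder.Services
    .AddControllers()
    .ConfigureApplicationPartManager(manager =>
    {
        // Remove the referenced assembly from MVC discovery so its controllers
        // are neither routed nor reported to the API explorer used by Swagger.
        var parts = manager.ApplicationParts
            .OfType<AssemblyPart>()
            .Where(p => string.Equals(p.Name, UnwantedPart, StringComparison.OrdinalIgnoreCase))
            .ToList();
        foreach (var part in parts) manager.ApplicationParts.Remove(part);
    });

builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();

var app = builder.Build();

// Startup audit: fail fast if any controller action comes from an assembly
// outside the allowlist, e.g. one pulled in by a new package reference.
var unexpected = app.Services
    .GetRequiredService<IActionDescriptorCollectionProvider>()
    .ActionDescriptors.Items
    .OfType<ControllerActionDescriptor>()
    .Where(a => !allowedAssemblies.Contains(a.ControllerTypeInfo.Assembly.GetName().Name!))
    .Select(a => $"{a.ControllerTypeInfo.FullName}.{a.ActionName}")
    .ToList();
if (unexpected.Count > 0)
    throw new InvalidOperationException("Unexpected controllers: " + string.Join(", ", unexpected));

app.UseSwagger();
app.UseSwaggerUI();
app.MapControllers();
app.Run();
```

Removing the part disables those controllers for the whole project, so apply it only in projects that are not meant to serve the Elsa HTTP endpoints. Hiding the actions from the Swagger document alone would leave the routes mapped.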

I have this problem right now, and it is very concerning. We thought that using AddElsaApiEndpoints or AddElsaSwagger extensions enabled this, not just using a package that has some Elsa references.

sjd2021 avatar Sep 20 '22 19:09 sjd2021