Question
Currently in auth/login, you can use any GET. How do I restrict the GET verb for certain built-in services? We had a pentest finding stating that auth/login should not be allowed via GET but only PUT or POST.
Answer 1:
If you're referring to HTTP GET requests, you can register a Global Request Filter to short-circuit Authenticate HTTP GET requests with:
    // Runs before any service; short-circuits GET requests for the built-in Authenticate DTO.
    GlobalRequestFilters.Add((req, res, requestDto) =>
    {
        if (requestDto is Authenticate auth && req.Verb == HttpMethods.Get)
        {
            res.StatusCode = (int)HttpStatusCode.MethodNotAllowed; // 405
            res.EndRequest();
        }
    });
I've also disabled GET Authenticate requests by default (for non-OAuth providers) in this commit from v5.4.1+ that's now available on MyGet; it can be re-enabled with:
    Plugins.Add(new AuthFeature(...)
    {
        AllowGetAuthenticateRequests = req => true
    });
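The filter above placed in context, as an added example that is not part of the original answer: a minimal AppHost (hypothetical service name and provider setup) that registers the AuthFeature and rejects GET for the Authenticate service. It also sets the Allow header, which a 405 response is expected to carry so clients and scanners see which verbs are accepted.

```csharp
using System.Net;
using ServiceStack;
using ServiceStack.Auth;

// Hypothetical AppHost for illustration; names are assumptions, not from the original answer.
public class AppHost : AppHostBase
{
    public AppHost() : base("Auth Demo", typeof(AppHost).Assembly) { }

    public override void Configure(Funq.Container container)
    {
        // Built-in auth with a credentials provider; GET Authenticate is disabled by default in v5.4.1+,
        // this filter enforces the same policy explicitly on older versions.
        Plugins.Add(new AuthFeature(
            () => new AuthUserSession(),
            new IAuthProvider[] { new CredentialsAuthProvider() }));

        // Reject HTTP GET for /auth/login before the service runs and advertise the accepted verbs.
        GlobalRequestFilters.Add((req, res, requestDto) =>
        {
            if (requestDto is Authenticate && req.Verb == HttpMethods.Get)
            {
                res.StatusCode = (int)HttpStatusCode.MethodNotAllowed; // 405
                res.AddHeader("Allow", "POST, PUT");
                res.EndRequest();
            }
        });
    }
}
```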
Source: https://stackoverflow.com/questions/54979352/disable-get-keyword-in-servicestack-login