Return 500 error from incorrectly configured yarp endpoints

josephdecock · josephdecock · commit e94f4e769c7c · 2023-07-05T20:13:41.000-05:00
diff --git a/src/Duende.Bff.Yarp/AccessTokenTransformProvider.cs b/src/Duende.Bff.Yarp/AccessTokenTransformProvider.cs
@@ -5,7 +5,9 @@
 using System.Collections.Generic;
 using System.Diagnostics.CodeAnalysis;
 using System.Linq;
+using System.Threading.Tasks;
 using Duende.AccessTokenManagement;
+using Duende.Bff.Logging;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using Yarp.ReverseProxy.Transforms;
@@ -19,18 +21,21 @@ namespace Duende.Bff.Yarp;
 public class AccessTokenTransformProvider : ITransformProvider
 {
     private readonly BffOptions _options;
+    private readonly ILogger<AccessTokenTransformProvider> _logger;
     private readonly ILoggerFactory _loggerFactory;
     private readonly IDPoPProofService _dPoPProofService;
 
     /// <summary>
     /// ctor
     /// </summary>
     /// <param name="options"></param>
+    /// <param name="logger"></param>
     /// <param name="loggerFactory"></param>
     /// <param name="dPoPProofService"></param>
-    public AccessTokenTransformProvider(IOptions<BffOptions> options, ILoggerFactory loggerFactory, IDPoPProofService dPoPProofService)
+    public AccessTokenTransformProvider(IOptions<BffOptions> options, ILogger<AccessTokenTransformProvider> logger, ILoggerFactory loggerFactory, IDPoPProofService dPoPProofService)
     {
         _options = options.Value;
+        _logger = logger;
         _loggerFactory = loggerFactory;
         _dPoPProofService = dPoPProofService;
     }
@@ -78,10 +83,19 @@ public void Apply(TransformBuilderContext transformBuildContext)
         bool optional;
         if(GetMetadataValue(transformBuildContext, Constants.Yarp.OptionalUserTokenMetadata, out var optionalTokenMetadata))
         {
+            if (GetMetadataValue(transformBuildContext, Constants.Yarp.TokenTypeMetadata, out var tokenTypeMetadata))
+            {
+                transformBuildContext.AddRequestTransform(ctx =>
+                {
+                    ctx.HttpContext.Response.StatusCode = 500;
+                    _logger.InvalidRouteConfiguration(transformBuildContext.Route.ClusterId, transformBuildContext.Route.RouteId);
+
+                    return ValueTask.CompletedTask;
+                });
+                return;
+            }
             optional = true;
             tokenType = TokenType.User;
-            // TODO - is it an error to set both OptionalUserToken and a token type? I think yes, because setting a token type means
-            // setting a *required* token type.
         } 
         else if (GetMetadataValue(transformBuildContext, Constants.Yarp.TokenTypeMetadata, out var tokenTypeMetadata))
         {
diff --git a/src/Duende.Bff/General/Log.cs b/src/Duende.Bff/General/Log.cs
@@ -18,6 +18,7 @@ internal static class EventIds
     public static readonly EventId BackChannelLogout = new (2, "BackChannelLogout");
     public static readonly EventId BackChannelLogoutError = new (3, "BackChannelLogoutError");
     public static readonly EventId AccessTokenMissing = new (4, "AccessTokenMissing");
+    public static readonly EventId InvalidRouteConfiguration = new (5, "InvalidRouteConfiguration");
 }
     
 internal static class Log
@@ -42,6 +43,10 @@ internal static class Log
         EventIds.AccessTokenMissing,
         "Access token is missing. token type: '{tokenType}', local path: '{localpath}', detail: '{detail}'");
 
+    private static readonly Action<ILogger, string, string, Exception?> _invalidRouteConfiguration = LoggerMessage.Define<string, string>(
+        LogLevel.Warning,
+        EventIds.InvalidRouteConfiguration,
+        "Invalid route configuration. Cannot combine a required access token (a call to WithAccessToken) and an optional access token (a call to WithOptionalUserAccessToken). clusterId: '{clusterId}', routeId: '{routeId}'");
 
     public static void AntiForgeryValidationFailed(this ILogger logger, string localPath)
     {
@@ -62,4 +67,9 @@ public static void AccessTokenMissing(this ILogger logger, string tokenType, str
     {
         _accessTokenMissing(logger, tokenType, localPath, detail, null);
     }
+
+    public static void InvalidRouteConfiguration(this ILogger logger, string? clusterId, string routeId)
+    {
+        _invalidRouteConfiguration(logger, clusterId ?? "no cluster id", routeId, null);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@ internal static class EventIds`
`18`	`18`	`public static readonly EventId BackChannelLogout = new (2, "BackChannelLogout");`
`19`	`19`	`public static readonly EventId BackChannelLogoutError = new (3, "BackChannelLogoutError");`
`20`	`20`	`public static readonly EventId AccessTokenMissing = new (4, "AccessTokenMissing");`
	`21`	`+ public static readonly EventId InvalidRouteConfiguration = new (5, "InvalidRouteConfiguration");`
`21`	`22`	`}`
`22`	`23`
`23`	`24`	`internal static class Log`
`@@ -42,6 +43,10 @@ internal static class Log`
`42`	`43`	`EventIds.AccessTokenMissing,`
`43`	`44`	`"Access token is missing. token type: '{tokenType}', local path: '{localpath}', detail: '{detail}'");`
`44`	`45`
	`46`	`+ private static readonly Action<ILogger, string, string, Exception?> _invalidRouteConfiguration = LoggerMessage.Define<string, string>(`
	`47`	`+ LogLevel.Warning,`
	`48`	`+ EventIds.InvalidRouteConfiguration,`
	`49`	`+ "Invalid route configuration. Cannot combine a required access token (a call to WithAccessToken) and an optional access token (a call to WithOptionalUserAccessToken). clusterId: '{clusterId}', routeId: '{routeId}'");`
`45`	`50`
`46`	`51`	`public static void AntiForgeryValidationFailed(this ILogger logger, string localPath)`
`47`	`52`	`{`
`@@ -62,4 +67,9 @@ public static void AccessTokenMissing(this ILogger logger, string tokenType, str`
`62`	`67`	`{`
`63`	`68`	`_accessTokenMissing(logger, tokenType, localPath, detail, null);`
`64`	`69`	`}`
	`70`	`+`
	`71`	`+ public static void InvalidRouteConfiguration(this ILogger logger, string? clusterId, string routeId)`
	`72`	`+ {`
	`73`	`+ _invalidRouteConfiguration(logger, clusterId ?? "no cluster id", routeId, null);`
	`74`	`+ }`
`65`	`75`	`}`