[Question] Authorization (.NET 8 template)

[jochem4207]

Hello,

This is purely a question, there doesn't seem to be any other way to ask them so thats why I created a bug report.

Question
Is there a reason why only the GetTodosQuery has the [Authorize] Attribute? To me it seems that the entire controller or All todo interactions should be locked?
For me it feels if the user would use a direct uri to /todo/{id} it would work (cause the ExportTodosQuery is not marked with an [Authorize] but the /todo is authorized. So it looks weird.

Is this purely because its a demo to show that some actions are authorized and some not? Does the front-end automatically pickup on this?

Thank you a lot for this template!

[jochem4207]

After some digging I found that the ApiController has the [Authorize] attribute, this means all backend calls need authorization. I happily don't have the need right now to have an unauthorized api controller.

But for example, when I remove the authorize from apicontroller and put it on the ToDoListsController, the action gives a 401 and the front end doesn't handle the 401 by redirecting to the login page (Angular).

Edit;

Also the 403 error is not really handled nicely, but thats I think up to me to change that;

When using this for example on the delete command of todolist, there is a 403 and nothing happens.
[Authorize(Roles = "Administrator")]
[Authorize(Policy = "CanPurge")]

Anyway, still really happy.

I'm a beginner with some experience, so my questions may be due not understanding how auth is implemented over angular/.net.