Merge pull request #102 from DuendeSoftware/dom/metadata-orderingD

Fix metadata order parsing
DuendeSoftware · Jun 13, 2022 · 9cddd16 · 9cddd16
2 parents a906233 + baa3137
commit 9cddd16
Showing 1 changed file with 8 additions and 11 deletions.
diff --git a/src/Duende.Bff/BffMiddleware.cs b/src/Duende.Bff/BffMiddleware.cs
@@ -51,19 +51,15 @@ public async Task Invoke(HttpContext context)
             return;
         }
 
-        var localEndpointMetadata = endpoint.Metadata.GetOrderedMetadata<BffApiAttribute>();
-        if (localEndpointMetadata.Any())
+        var localEndpointMetadata = endpoint.Metadata.GetMetadata<BffApiAttribute>();
+        if (localEndpointMetadata is { RequireAntiForgeryCheck: true })
         {
-            var requireLocalAntiForgeryCheck = localEndpointMetadata.First().RequireAntiForgeryCheck;
-            if (requireLocalAntiForgeryCheck)
+            if (!context.CheckAntiForgeryHeader(_options))
             {
-                if (!context.CheckAntiForgeryHeader(_options))
-                {
-                    _logger.AntiForgeryValidationFailed(context.Request.Path);
+                _logger.AntiForgeryValidationFailed(context.Request.Path);
 
-                    context.Response.StatusCode = 401;
-                    return;
-                }
+                context.Response.StatusCode = 401;
+                return;
             }
         }
         else
@@ -82,7 +78,7 @@ public async Task Invoke(HttpContext context)
         }
 
 #if NETCOREAPP3_1
-        context.Response.OnStarting(() => 
+        context.Response.OnStarting(() =>
         {
             // outbound: for .NET Core 3.1 - we assume that an API will never return a 302
             // if a 302 is returned, that must be the challenge to the OIDC provider
@@ -101,6 +97,7 @@ public async Task Invoke(HttpContext context)
                     context.Response.Headers.Remove("Set-Cookie");
                 }
             }
+
             return Task.CompletedTask;
         });
 #endif