Remove insecure endpoint (#514)

Author: guardrex

8.0/BlazorWebAppOidcServer/BlazorWebAppOidcServer/Components/Layout/NavMenu.razor

@@ -20,18 +20,12 @@
             </NavLink>
         </div>
 
-        <div class="nav-item px-3">
-            <NavLink class="nav-link" href="weather-insecure">
-                <span class="bi bi-list-nested-nav-menu" aria-hidden="true"></span> Weather (Insecure)
-            </NavLink>
-        </div>
-
         <LogInOrOut />
 
         <AuthorizeView>
             <div class="nav-item px-3">
-                <NavLink class="nav-link" href="weather-secure">
-                    <span class="bi bi-list-nested-nav-menu" aria-hidden="true"></span> Weather (Secure)
+                <NavLink class="nav-link" href="weather">
+                    <span class="bi bi-list-nested-nav-menu" aria-hidden="true"></span> Weather
                 </NavLink>
             </div>
 

8.0/BlazorWebAppOidcServer/BlazorWebAppOidcServer/Components/Pages/WeatherInsecure.razor renamed to 8.0/BlazorWebAppOidcServer/BlazorWebAppOidcServer/Components/Pages/Weather.razor

@@ -1,11 +1,12 @@
-@page "/weather-insecure"
+@page "/weather"
 @using Microsoft.AspNetCore.Authorization
+@attribute [Authorize]
 @inject IConfiguration Config
 @inject IHttpClientFactory ClientFactory
 
-<PageTitle>Weather (Insecure)</PageTitle>
+<PageTitle>Weather</PageTitle>
 
-<h1>Weather (Insecure)</h1>
+<h1>Weather</h1>
 
 <p>This component demonstrates showing data.</p>
 
@@ -43,8 +44,8 @@ else
 
     protected override async Task OnInitializedAsync()
     {
-        var request = new HttpRequestMessage(HttpMethod.Get, Config["WeatherForecastInsecureUrl"]);
-        var client = ClientFactory.CreateClient();
+        var request = new HttpRequestMessage(HttpMethod.Get, "/weather-forecast");
+        var client = ClientFactory.CreateClient("ExternalApi");
 
         var response = await client.SendAsync(request);
 

8.0/BlazorWebAppOidcServer/BlazorWebAppOidcServer/Components/Pages/WeatherSecure.razor

@@ -141,8 +141,8 @@
 
 builder.Services.AddScoped<TokenHandler>();
 
-builder.Services.AddHttpClient("ExternalAPI",
-      client => client.BaseAddress = new Uri(builder.Configuration["AppBaseUri"] ?? 
+builder.Services.AddHttpClient("ExternalApi",
+      client => client.BaseAddress = new Uri(builder.Configuration["ExternalApiUri"] ?? 
           throw new Exception("Missing base address!")))
       .AddHttpMessageHandler<TokenHandler>();
 

8.0/BlazorWebAppOidcServer/BlazorWebAppOidcServer/Program.cs

@@ -6,7 +6,5 @@
     }
   },
   "AllowedHosts": "*",
-  "AppBaseUri": "https://localhost:7296",
-  "WeatherForecastInsecureUrl": "https://localhost:7277/weather-forecast-insecure",
-  "WeatherForecastSecureUrl": "https://localhost:7277/weather-forecast-secure"
+  "ExternalApiUri": "https://localhost:7277"
 }

8.0/BlazorWebAppOidcServer/BlazorWebAppOidcServer/appsettings.json

@@ -33,12 +33,7 @@
     "Freezing", "Bracing", "Chilly", "Cool", "Mild", "Warm", "Balmy", "Hot", "Sweltering", "Scorching"
 };
 
-// Secure web API for weather forecast data
-// The following MapGet call chains a call to
-// RequireAuthorization. This endpoint only
-// returns data when a user is signed into the
-// app.
-app.MapGet("/weather-forecast-secure", () =>
+app.MapGet("/weather-forecast", () =>
 {
     var forecast = Enumerable.Range(1, 5).Select(index =>
         new WeatherForecast
@@ -51,23 +46,6 @@
     return forecast;
 }).RequireAuthorization();
 
-// Insecure web API for weather forebase data
-// The following MapGet call doesn't chain a call to
-// RequireAuthorization. This endpoint returns data
-// when a user isn't signed into the app.
-app.MapGet("/weather-forecast-insecure", () =>
-{
-    var forecast = Enumerable.Range(1, 5).Select(index =>
-        new WeatherForecast
-        (
-            DateOnly.FromDateTime(DateTime.Now.AddDays(index)),
-            Random.Shared.Next(-20, 55),
-            summaries[Random.Shared.Next(summaries.Length)]
-        ))
-        .ToArray();
-    return forecast;
-});
-
 app.Run();
 
 internal record WeatherForecast(DateOnly Date, int TemperatureC, string? Summary)

8.0/BlazorWebAppOidcServer/MinimalApiJwt/Program.cs

@@ -5,7 +5,7 @@ This sample features:
 * A Blazor Web App with global Server interactivity.
 * OIDC authentication with Microsoft Entra without using Entra-specific packages. This sample can be used as a starting point for any OIDC authentication flow.
 * Automatic non-interactive token refresh with the help of a custom `CookieOidcRefresher`.
-* Both secure and insecure web API calls for weather data to a separate web API project. The access token is obtained from the server-side `HttpContext` and attached to outgoing requests with a `DelegatingHandler` service.
+* Secure web API call for weather data to a separate web API project. The access token is obtained from the server-side `HttpContext` and attached to outgoing requests with a `DelegatingHandler` service.
 
 ## Article for this sample app
 

8.0/BlazorWebAppOidcServer/README.md

@@ -20,18 +20,12 @@
             </NavLink>
         </div>
 
-        <div class="nav-item px-3">
-            <NavLink class="nav-link" href="weather-insecure">
-                <span class="bi bi-list-nested-nav-menu" aria-hidden="true"></span> Weather (Insecure)
-            </NavLink>
-        </div>
-
         <LogInOrOut />
 
         <AuthorizeView>
             <div class="nav-item px-3">
-                <NavLink class="nav-link" href="weather-secure">
-                    <span class="bi bi-list-nested-nav-menu" aria-hidden="true"></span> Weather (Secure)
+                <NavLink class="nav-link" href="weather">
+                    <span class="bi bi-list-nested-nav-menu" aria-hidden="true"></span> Weather
                 </NavLink>
             </div>
 

9.0/BlazorWebAppOidcServer/BlazorWebAppOidcServer/Components/Layout/NavMenu.razor

@@ -1,11 +1,12 @@
-@page "/weather-insecure"
+@page "/weather"
 @using Microsoft.AspNetCore.Authorization
+@attribute [Authorize]
 @inject IConfiguration Config
 @inject IHttpClientFactory ClientFactory
 
-<PageTitle>Weather (Insecure)</PageTitle>
+<PageTitle>Weather</PageTitle>
 
-<h1>Weather (Insecure)</h1>
+<h1>Weather</h1>
 
 <p>This component demonstrates showing data.</p>
 
@@ -43,8 +44,8 @@ else
 
     protected override async Task OnInitializedAsync()
     {
-        var request = new HttpRequestMessage(HttpMethod.Get, Config["WeatherForecastInsecureUrl"]);
-        var client = ClientFactory.CreateClient();
+        var request = new HttpRequestMessage(HttpMethod.Get, "/weather-forecast");
+        var client = ClientFactory.CreateClient("ExternalApi");
 
         var response = await client.SendAsync(request);
 

9.0/BlazorWebAppOidcServer/BlazorWebAppOidcServer/Components/Pages/WeatherInsecure.razor renamed to 9.0/BlazorWebAppOidcServer/BlazorWebAppOidcServer/Components/Pages/Weather.razor

@@ -154,8 +154,8 @@
 
 builder.Services.AddScoped<TokenHandler>();
 
-builder.Services.AddHttpClient("ExternalAPI",
-      client => client.BaseAddress = new Uri(builder.Configuration["AppBaseUri"] ?? 
+builder.Services.AddHttpClient("ExternalApi",
+      client => client.BaseAddress = new Uri(builder.Configuration["ExternalApiUri"] ?? 
           throw new Exception("Missing base address!")))
       .AddHttpMessageHandler<TokenHandler>();
 

9.0/BlazorWebAppOidcServer/BlazorWebAppOidcServer/Components/Pages/WeatherSecure.razor

@@ -6,7 +6,5 @@
     }
   },
   "AllowedHosts": "*",
-  "AppBaseUri": "https://localhost:7296",
-  "WeatherForecastInsecureUrl": "https://localhost:7277/weather-forecast-insecure",
-  "WeatherForecastSecureUrl": "https://localhost:7277/weather-forecast-secure"
+  "ExternalApiUri": "https://localhost:7277"
 }

9.0/BlazorWebAppOidcServer/BlazorWebAppOidcServer/Program.cs

@@ -33,12 +33,7 @@
     "Freezing", "Bracing", "Chilly", "Cool", "Mild", "Warm", "Balmy", "Hot", "Sweltering", "Scorching"
 };
 
-// Secure web API for weather forecast data
-// The following MapGet call chains a call to
-// RequireAuthorization. This endpoint only
-// returns data when a user is signed into the
-// app.
-app.MapGet("/weather-forecast-secure", () =>
+app.MapGet("/weather-forecast", () =>
 {
     var forecast = Enumerable.Range(1, 5).Select(index =>
         new WeatherForecast
@@ -51,23 +46,6 @@
     return forecast;
 }).RequireAuthorization();
 
-// Insecure web API for weather forebase data
-// The following MapGet call doesn't chain a call to
-// RequireAuthorization. This endpoint returns data
-// when a user isn't signed into the app.
-app.MapGet("/weather-forecast-insecure", () =>
-{
-    var forecast = Enumerable.Range(1, 5).Select(index =>
-        new WeatherForecast
-        (
-            DateOnly.FromDateTime(DateTime.Now.AddDays(index)),
-            Random.Shared.Next(-20, 55),
-            summaries[Random.Shared.Next(summaries.Length)]
-        ))
-        .ToArray();
-    return forecast;
-});
-
 app.Run();
 
 internal record WeatherForecast(DateOnly Date, int TemperatureC, string? Summary)

9.0/BlazorWebAppOidcServer/BlazorWebAppOidcServer/appsettings.json

@@ -5,7 +5,7 @@ This sample features:
 * A Blazor Web App with global Server interactivity.
 * OIDC authentication with Microsoft Entra without using Entra-specific packages. This sample can be used as a starting point for any OIDC authentication flow.
 * Automatic non-interactive token refresh with the help of a custom `CookieOidcRefresher`.
-* Both secure and insecure web API calls for weather data to a separate web API project. The access token is obtained from the server-side `HttpContext` and attached to outgoing requests with a `DelegatingHandler` service.
+* Secure web API call for weather data to a separate web API project. The access token is obtained from the server-side `HttpContext` and attached to outgoing requests with a `DelegatingHandler` service.
 
 ## Article for this sample app