Fix OAuth Callbacks (#734)

Author: BenjaminMichaelis

EssentialCSharp.Web/Controllers/HomeController.cs

@@ -9,8 +9,10 @@ namespace EssentialCSharp.Web.Controllers;
 
 public class HomeController(ILogger<HomeController> logger, IWebHostEnvironment hostingEnvironment, ISiteMappingService siteMappingService, IHttpContextAccessor httpContextAccessor) : Controller
 {
-    public IActionResult Index(string key)
+    public IActionResult Index()
     {
+        string? key = Request.Path.Value?.TrimStart('/');
+
         // if no key (default case), then load up home page
         SiteMapping? siteMapping = siteMappingService.SiteMappings.Find(key);
 

EssentialCSharp.Web/Program.cs

@@ -17,7 +17,20 @@ public partial class Program
 {
     private static void Main(string[] args)
     {
-        WebApplicationBuilder builder = WebApplication.CreateBuilder(args);
+        WebApplicationBuilder builder = WebApplication.CreateBuilder(args);
+
+        builder.Services.Configure<ForwardedHeadersOptions>(options =>
+        {
+            options.ForwardedHeaders =
+                ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
+
+            // Only loopback proxies are allowed by default.
+            // Clear that restriction because forwarders are enabled by explicit 
+            // configuration.
+            options.KnownNetworks.Clear();
+            options.KnownProxies.Clear();
+        });
+
         ConfigurationManager configuration = builder.Configuration;
         string connectionString = builder.Configuration.GetConnectionString("EssentialCSharpWebContextConnection") ?? throw new InvalidOperationException("Connection string 'EssentialCSharpWebContextConnection' not found.");
 
@@ -126,38 +139,35 @@ private static void Main(string[] args)
              {
                  microsoftoptions.ClientId = configuration["authentication:microsoft:clientid"] ?? throw new InvalidOperationException("authentication:microsoft:clientid unexpectedly null");
                  microsoftoptions.ClientSecret = configuration["authentication:microsoft:clientsecret"] ?? throw new InvalidOperationException("authentication:microsoft:clientsecret unexpectedly null");
-                 microsoftoptions.CallbackPath = "/signin-microsoft";
              })
              .AddGitHub(o =>
              {
                  o.ClientId = configuration["authentication:github:clientId"] ?? throw new InvalidOperationException("github:clientId unexpectedly null");
                  o.ClientSecret = configuration["authentication:github:clientSecret"] ?? throw new InvalidOperationException("github:clientSecret unexpectedly null");
-                 o.CallbackPath = "/signin-github";
 
                  // Grants access to read a user's profile data.
                  // https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps
                  o.Scope.Add("read:user");
              });
         }
 
-        builder.Services.Configure<ForwardedHeadersOptions>(options =>
-        {
-            options.ForwardedHeaders =
-                ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
-        });
-
-        WebApplication app = builder.Build();
 
-        app.UseForwardedHeaders();
 
+        WebApplication app = builder.Build();
         // Configure the HTTP request pipeline.
         if (!app.Environment.IsDevelopment())
         {
             app.UseExceptionHandler("/Error");
+            app.UseForwardedHeaders();
             app.UseHsts();
             app.UseSecurityHeadersMiddleware(new SecurityHeadersBuilder()
                 .AddDefaultSecurePolicy());
         }
+        else
+        {
+            app.UseDeveloperExceptionPage();
+            app.UseForwardedHeaders();
+        }
 
         app.MapHealthChecks("/healthz");
 
@@ -169,20 +179,12 @@ private static void Main(string[] args)
         app.UseAuthentication();
         app.UseAuthorization();
         app.UseMiddleware<ReferralMiddleware>();
-
-        app.Use((context, next) =>
-        {
-            context.Request.Scheme = "https";
-            return next(context);
-        });
 
-        app.MapDefaultControllerRoute();
-        app.MapRazorPages();
 
-        app.MapControllerRoute(
-            name: "slug",
-            pattern: "{*key}",
-            defaults: new { controller = "Home", action = "Index" });
+        app.MapRazorPages();
+        app.MapDefaultControllerRoute();
+
+        app.MapFallbackToController("Index", "Home");
 
         app.Run();
     }