
I was just testing a new POST method, and I accidentally sent an unauthorized GET request, and the response I got was:

"message": "The requested resource does not support http method 'GET'."

But when I sent a POST request, I got this response:

"message": "Authorization has been denied for this request."

Shouldn't I be getting the unauthorized message no matter what I do if I'm not authorized or even authenticated?

Here's the method:

[Route("api/search"), HttpPost, Authorize]
public async Task<IHttpActionResult> Search()
{
   ...
}

I have tried decorating the controller, and the method with the [Authorize] attribute, and I have a global filter set as well.

Shahin Dohan

1 Answer

The message you got back for GET was entirely accurate. You don't have a GET-decorated action, so therefore "The requested resource does not support http method 'GET'."

Your concern about getting the not authorized instead doesn't work due to the fact that the API must first try and find a method that matches your request signature. Since it can't find a GET then it returns the error for that.

gilliduck
  • So it's by design, which is expected I guess. I'm surprised though, since I imagine it should be possible for WebAPI to already know whether I'm authorized before doing anything else. I expected to always get unauthorized errors no matter what, so no information leaks out of the API to be used maliciously. – Shahin Dohan Oct 06 '18 at 22:03
  • Routing happens first apparently. I don't have documentation to back it up, but based on behavior it seems to be the case. – gilliduck Oct 06 '18 at 22:33
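The behaviour discussed above (405 from action selection before the [Authorize] filter ever runs) is why a filter cannot hide the supported verbs from an unauthenticated caller. In ASP.NET Web API the global message handlers run before the routing dispatcher and before action selection, so an authentication check placed there answers 401 for every request regardless of method. The following is an added example, not code from the question or the answer; it assumes Web API 2 with host-level authentication (IIS or OWIN) populating the request principal, and the handler and class names are my own.

```csharp
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

// Global DelegatingHandler: runs before routing, so an unauthenticated caller
// gets 401 for GET, POST or anything else and never sees a 405 that reveals
// which verbs a protected action supports.
public class RequireAuthenticationHandler : DelegatingHandler
{
    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Principal is set by the host (IIS/OWIN) before Web API sees the request (assumed).
        var principal = request.GetRequestContext()?.Principal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            var response = request.CreateResponse(HttpStatusCode.Unauthorized,
                new { message = "Authorization has been denied for this request." });
            // Use the challenge of your real scheme; "Bearer" is an assumption here.
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer"));
            return Task.FromResult(response);
        }
        // Authenticated: continue to routing, action selection and the normal filters.
        return base.SendAsync(request, cancellationToken);
    }
}

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.MapHttpAttributeRoutes();
        // Global handlers execute for every request ahead of HttpRoutingDispatcher.
        config.MessageHandlers.Add(new RequireAuthenticationHandler());
    }
}
```

Because this runs before routing, it also blocks any endpoint you meant to leave open with [AllowAnonymous] (a login or token endpoint, for instance); such paths need an explicit allow-list inside the handler.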