Mastering API Security: A Guide to Conditional Authorization and Swagger Customization

Jan 02, 2024

In this post I share how I handled two requirements in an ASP.NET Core Web API: conditional authorization that depends on the hosting environment, and Swagger (Swashbuckle) customization of the documented requests and of the responses the API returns.

Case 1
 
I am currently working on a problem our QA team found while testing our website. One feature of the application calls an API that, in the QA environment, must be reachable without authentication, while in the production environment the same API must require authentication.

To handle this I added a conditional Authorize attribute that reads an environment variable and decides, per environment, whether the endpoint enforces authentication or allows anonymous access. The check should fail closed: anonymous access is granted only when the variable holds the exact environment name chosen for it, so an unset or unexpected value still requires authentication.

In my case the testing site's pipeline sets the environment variable "ASPNETCORE_ENVIRONMENT" to "QA". Because of this, the API can be called on the QA server without authentication, while production, where the variable does not hold "QA", still requires it.


The same mechanism can also carry environment-specific authorization rules for the API, for example a different policy per environment.
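The attribute described above, written out as an added example rather than the post's own code. It is an ASP.NET Core IAuthorizationFilter; the class name, the controller and the "QA" environment name are assumptions, and it assumes authentication and authorization are already registered in Program.cs so that HttpContext.User is populated before MVC filters run.

```csharp
// Added example (not the post's own code): a conditional Authorize attribute for
// ASP.NET Core that skips authentication only in explicitly named environments.
// Assumes UseAuthentication()/UseAuthorization() are already in the pipeline.
using System;
using System.Linq;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class ConditionalAuthorizeAttribute : Attribute, IAuthorizationFilter
{
    private readonly string[] _anonymousEnvironments;

    // Environments in which the endpoint may be called without authentication.
    // Anything not listed, including an unset ASPNETCORE_ENVIRONMENT (which
    // ASP.NET Core treats as "Production"), enforces authentication: fail closed.
    public ConditionalAuthorizeAttribute(params string[] anonymousEnvironments)
    {
        _anonymousEnvironments = anonymousEnvironments ?? Array.Empty<string>();
    }

    public void OnAuthorization(AuthorizationFilterContext context)
    {
        // An explicit [AllowAnonymous] on the action still wins, as it does with [Authorize].
        if (context.ActionDescriptor.EndpointMetadata.OfType<IAllowAnonymous>().Any())
            return;

        var env = context.HttpContext.RequestServices.GetRequiredService<IWebHostEnvironment>();

        // IsEnvironment compares the configured name case-insensitively (QA == qa).
        if (_anonymousEnvironments.Any(name => env.IsEnvironment(name)))
            return;

        var user = context.HttpContext.User;
        if (user?.Identity?.IsAuthenticated != true)
        {
            // ChallengeResult lets the configured authentication scheme answer
            // (401 for bearer tokens, a login redirect for cookies) instead of a bare 401.
            context.Result = new ChallengeResult();
        }
    }
}

[ApiController]
[Route("api/[controller]")]
public class ReportsController : ControllerBase   // hypothetical controller
{
    // Anonymous only when ASPNETCORE_ENVIRONMENT is "QA"; every other value
    // (Development, Staging, Production, unset) requires an authenticated caller.
    [HttpGet]
    [ConditionalAuthorize("QA")]
    public IActionResult Get() => Ok(new { status = "ok" });
}
```

Use `[ConditionalAuthorize("QA")]` in place of `[Authorize]` on the affected endpoints; if both are present, the plain `[Authorize]` filter still runs and rejects anonymous QA calls. Because the allow-list is in source and the only input is the environment name, nobody can turn authentication off in production without both deploying a build that lists "Production" and setting the variable to that value.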

Case 2

The second requirement concerned Swagger: request bodies had to be documented wrapped in a value object.

By implementing Swashbuckle's IOperationFilter, I inserted the logic tailored to our needs into the generated OpenAPI document.

This approach customizes the documented request of every API in one place, instead of annotating each controller separately.
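An IOperationFilter of the kind described above, added here as an example and not taken from the post. The filter name, the property name "value" and the registration line are assumptions; it targets Swashbuckle.AspNetCore 6 with the Microsoft.OpenApi object model.

```csharp
// Added example (not the post's own code): a Swashbuckle operation filter that
// rewrites every documented request body schema into { "value": <original schema> }.
using System.Collections.Generic;
using Microsoft.OpenApi.Models;
using Swashbuckle.AspNetCore.SwaggerGen;

public sealed class WrapRequestInValueOperationFilter : IOperationFilter
{
    // Name of the wrapping property; assumed, adjust to the project's convention.
    private const string WrapperProperty = "value";

    public void Apply(OpenApiOperation operation, OperationFilterContext context)
    {
        // Operations without a request body (GET, DELETE without payload) are left alone.
        if (operation.RequestBody?.Content == null)
            return;

        // A request body may be documented for several media types; wrap each one.
        foreach (var mediaType in operation.RequestBody.Content.Values)
        {
            var original = mediaType.Schema;
            if (original == null)
                continue;

            mediaType.Schema = new OpenApiSchema
            {
                Type = "object",
                Required = new HashSet<string> { WrapperProperty },
                Properties = new Dictionary<string, OpenApiSchema>
                {
                    [WrapperProperty] = original   // keeps any $ref to the component schema
                }
            };
        }
    }
}

// Registration in Program.cs (assumed minimal-hosting setup):
//
// builder.Services.AddSwaggerGen(options =>
//     options.OperationFilter<WrapRequestInValueOperationFilter>());
```

The filter only changes the documentation. The controllers must actually bind `{ "value": ... }` (for example through a matching model or a custom input formatter); otherwise Swagger UI will send requests the API rejects, and the divergence between the contract and the real behaviour is exactly what QA would report next.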


Finally, the response side is handled by a middleware. It works as follows:

  1. The code has three response classes that declare the response type: ApiErrorResponse, ValidatorResponse and ResponseModel.
  2. The requirement is that a response with status code 200 carrying one of those models is wrapped in a value object.
  3. The middleware resolves the matched endpoint from the HttpContext.
  4. From that endpoint's metadata it reads the ProducesResponseTypeAttribute entries and looks for one declaring status code 200 (metadata extraction).
  5. If such metadata exists, the response body is written in the value format; otherwise the original model is returned unchanged.

This lets you reshape the response to the required outcome without touching the individual actions.
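The five steps above as one runnable middleware, added here as an example and not the post's own implementation. The class name, the "value" property and the registration order are assumptions; the check against the post's three response classes can be added as a type filter on the ProducesResponseType metadata, which this version leaves as "any non-void type declared for 200".

```csharp
// Added example (not the post's own code): wraps a JSON 200 response in { "value": ... }
// only when the matched endpoint declares [ProducesResponseType(..., 200)].
using System;
using System.IO;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

public sealed class ValueResponseWrapperMiddleware
{
    private readonly RequestDelegate _next;

    public ValueResponseWrapperMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context)
    {
        // Step 3: endpoint routing must already have matched (place after UseRouting).
        var endpoint = context.GetEndpoint();

        // Step 4: does the endpoint declare a typed 200 response?
        var declaresOk = endpoint?.Metadata
            .GetOrderedMetadata<ProducesResponseTypeAttribute>()
            .Any(a => a.StatusCode == StatusCodes.Status200OK
                      && a.Type != null && a.Type != typeof(void)) == true;

        if (!declaresOk)
        {
            await _next(context);   // step 5: leave other endpoints untouched
            return;
        }

        // Buffer the body so it can be inspected and rewritten before headers are sent.
        var originalBody = context.Response.Body;
        await using var buffer = new MemoryStream();
        context.Response.Body = buffer;
        try
        {
            await _next(context);
            buffer.Position = 0;

            var isJson = context.Response.ContentType?
                .StartsWith("application/json", StringComparison.OrdinalIgnoreCase) == true;

            if (context.Response.StatusCode == StatusCodes.Status200OK && isJson && buffer.Length > 0)
            {
                // Step 5: the serialized model is valid JSON, so it can be embedded verbatim.
                var payload = await new StreamReader(buffer, Encoding.UTF8).ReadToEndAsync();
                var wrapped = Encoding.UTF8.GetBytes("{\"value\":" + payload + "}");
                context.Response.ContentLength = wrapped.Length;
                await originalBody.WriteAsync(wrapped, 0, wrapped.Length);
            }
            else
            {
                // Errors, 204s, non-JSON content: pass the buffered bytes through unchanged.
                await buffer.CopyToAsync(originalBody);
            }
        }
        finally
        {
            context.Response.Body = originalBody;
        }
    }
}

// Registration in Program.cs (assumed minimal-hosting setup). The middleware goes after
// authentication/authorization so it never wraps a 401/403 and before MapControllers.
//
// app.UseAuthentication();
// app.UseAuthorization();
// app.UseMiddleware<ValueResponseWrapperMiddleware>();
// app.MapControllers();
```

The whole response is held in memory while it is rewritten, so the media-type check matters: an endpoint that declares a 200 but streams a file would otherwise be buffered in full. Keep the wrapper restricted to JSON and to endpoints whose ProducesResponseType declares one of the known response models.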

Together, these pieces give a flexible way to authorize API access conditionally per environment and to wrap requests and responses in a value object according to the specified requirements.

Himanshu Pranami

About the Author

Himanshu Pranami

I'm working as a Software Developer at MagnusMinds IT Solution. I bring 3+ years of professional experience to the table. My expertise spans a range of technologies, including .NET Framework, .NET Core, MVC, ASP.NET, Entity Framework, ADO.NET, SQL, PostgreSQL, C#, Azure DevOps, and Microservices.