Commit Graph

1 Commits

  • .NET: DevUI: add configurable access controls for the DevUI HTTP surface (#5739)
    * .NET: DevUI: add configurable access controls for the DevUI HTTP surface
    
    * .NET: DevUI: address review and fix dotnet format
    
    - Restore parameterless AddDevUI overloads for binary compatibility on
      IServiceCollection and IHostApplicationBuilder.
    - Keep /meta outside the auth-filtered group so the frontend can discover
      whether a bearer token is required before prompting for one. Surface the
      actual requirement via MetaResponse.auth_required.
    - Invoke DevUIOptions.ConfigureEndpoints before mapping protected endpoints
      so RouteGroupBuilder conventions (RequireAuthorization, rate limiting)
      reliably apply.
    - Treat a null RemoteIpAddress as non-loopback in DevUIAuthFilter; tests
      now set IPAddress.Loopback explicitly when exercising the loopback path.
    - Add a DEVUI_AUTH_TOKEN env-var fallback test and a /meta-public test.
    - Fix dotnet format: add UTF-8 BOM to new files, simplify a cref in
      DevUIOptions, and drop an unused using in the new test.
    
    * .NET: DevUI: add missing authRequired param XML tag
    
    * .NET: DevUI tests: set loopback/AllowRemoteAccess for null-RemoteIp default
    
    DevUIIntegrationTests use the default TestServer which leaves RemoteIpAddress
    null. With the new conservative loopback default those tests now hit 403; set
    AllowRemoteAccess on the option since those tests are not exercising access
    control. Also add the missing SimulateRemoteIp call in the wrong-bearer test.
    
    * .NET: DevUI tests: capture DEVUI_AUTH_TOKEN before parallel tests can see it
    
    The env-var test was leaking DEVUI_AUTH_TOKEN into parallel DevUIIntegrationTests,
    intermittently causing their requests to be rejected as 401. Eagerly resolve the
    singleton DevUIAuthFilter so its constructor captures the token, then restore the
    env var before any HTTP requests run.
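
The access rules this commit message describes, sketched as an ASP.NET Core endpoint filter. This is an added example, not the DevUIAuthFilter from the commit: the class name `HypotheticalAccessFilter`, its constructor parameters, and the ordering of the checks (403 for non-loopback callers unless remote access is allowed, then 401 for a missing or wrong bearer token whenever one is configured) are assumptions. Only `DEVUI_AUTH_TOKEN` and the null-address rule come from the message.

```csharp
// Added illustration; not the project's code. Names and policy order are assumptions.
using System;
using System.Net;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

public sealed class HypotheticalAccessFilter : IEndpointFilter
{
    private readonly bool _allowRemote;
    private readonly byte[]? _token;

    public HypotheticalAccessFilter(bool allowRemoteAccess, string? configuredToken)
    {
        _allowRemote = allowRemoteAccess;
        // Resolve the env-var fallback once, at construction, so later changes to
        // the process environment cannot alter an already-built filter.
        string? token = configuredToken ?? Environment.GetEnvironmentVariable("DEVUI_AUTH_TOKEN");
        _token = string.IsNullOrEmpty(token) ? null : Encoding.UTF8.GetBytes(token);
    }

    // Value an unauthenticated discovery endpoint could report to the frontend.
    public bool AuthRequired => _token is not null;

    public async ValueTask<object?> InvokeAsync(EndpointFilterInvocationContext context, EndpointFilterDelegate next)
    {
        HttpContext http = context.HttpContext;
        IPAddress? remote = http.Connection.RemoteIpAddress;
        // A missing address says nothing about the caller: treat it as non-loopback.
        bool isLoopback = remote is not null && IPAddress.IsLoopback(remote);
        if (!isLoopback && !_allowRemote)
        {
            return Results.StatusCode(StatusCodes.Status403Forbidden);
        }
        if (_token is not null)
        {
            const string Scheme = "Bearer ";
            string header = http.Request.Headers.Authorization.ToString();
            byte[] presented = header.StartsWith(Scheme, StringComparison.OrdinalIgnoreCase)
                ? Encoding.UTF8.GetBytes(header[Scheme.Length..])
                : Array.Empty<byte>();
            // Compare in fixed time so response timing does not leak token bytes.
            if (!CryptographicOperations.FixedTimeEquals(presented, _token))
            {
                return Results.Unauthorized();
            }
        }
        return await next(context);
    }
}
```

Because the token is captured in the constructor, a test host that leaves `RemoteIpAddress` null gets 403 from this filter unless it sets a loopback address or allows remote access, which matches the test failures the message reports.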