Add [Authorize] attribute to RootController to match sibling controllers (FireWatch 667635ff)#139
Merged
himanshusainig merged 1 commit intoJun 17, 2026
Conversation
…ers (FireWatch 667635ff) The SCIM RootController exposed an unauthenticated endpoint at the service root, while all 6 sibling resource controllers (Users, Groups, BulkRequest, ResourceTypes, Schemas, ServiceProviderConfiguration) carry [Authorize]. The omission has no [AllowAnonymous] marker - it is a security oversight, not an intentional public endpoint. FireWatch finding 667635ff, IMPORTANT, PARTIALLY_EXPLOITABLE. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
himanshusainig
left a comment
Collaborator
There was a problem hiding this comment.
LGTM. The [Authorize] addition is consistent with all sibling controllers (UsersController, GroupsController, etc.) and the using import is correctly added. No issues with the introduced code.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
FireWatch finding:
667635ff· IMPORTANT · CWE-862: Missing AuthorizationSummary
RootControllerexposes an endpoint at the service root without any authorization, while all 6 sibling resource controllers (Users, Groups, BulkRequest, ResourceTypes, Schemas, ServiceProviderConfiguration) carry[Authorize]. There is no[AllowAnonymous]marker, confirming this is an oversight rather than an intentional public endpoint.Fix
One-line change: add
[Authorize]attribute toRootControllerto match every sibling controller.Impact
Low risk. Any consumer with ASP.NET Core authentication configured will now have the root endpoint automatically protected. Consumers without auth middleware configured see no behavior change.