Skip to content

Add [Authorize] attribute to RootController to match sibling controllers (FireWatch 667635ff)#139

Merged
himanshusainig merged 1 commit into
AzureAD:masterfrom
Jordancle:jordanle/FireWatch-RootControllerAuthorize
Jun 17, 2026
Merged

Add [Authorize] attribute to RootController to match sibling controllers (FireWatch 667635ff)#139
himanshusainig merged 1 commit into
AzureAD:masterfrom
Jordancle:jordanle/FireWatch-RootControllerAuthorize

Conversation

@Jordancle

@Jordancle Jordancle commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

FireWatch finding: 667635ff · IMPORTANT · CWE-862: Missing Authorization

Summary

RootController exposes an endpoint at the service root without any authorization, while all 6 sibling resource controllers (Users, Groups, BulkRequest, ResourceTypes, Schemas, ServiceProviderConfiguration) carry [Authorize]. There is no [AllowAnonymous] marker, confirming this is an oversight rather than an intentional public endpoint.

Fix

One-line change: add [Authorize] attribute to RootController to match every sibling controller.

Impact

Low risk. Any consumer with ASP.NET Core authentication configured will now have the root endpoint automatically protected. Consumers without auth middleware configured see no behavior change.

…ers (FireWatch 667635ff)

The SCIM RootController exposed an unauthenticated endpoint at the service root,
while all 6 sibling resource controllers (Users, Groups, BulkRequest,
ResourceTypes, Schemas, ServiceProviderConfiguration) carry [Authorize]. The
omission has no [AllowAnonymous] marker - it is a security oversight, not an
intentional public endpoint.

FireWatch finding 667635ff, IMPORTANT, PARTIALLY_EXPLOITABLE.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

@himanshusainig himanshusainig left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. The [Authorize] addition is consistent with all sibling controllers (UsersController, GroupsController, etc.) and the using import is correctly added. No issues with the introduced code.

@himanshusainig himanshusainig merged commit aec07c4 into AzureAD:master Jun 17, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants