From 2a5cf04207b92691f5ada4c7cded84fe65b4a2ba Mon Sep 17 00:00:00 2001
From: Sipke Schoorstra <sipkeschoorstra@outlook.com>
Date: Thu, 28 Dec 2023 19:46:38 +0100
Subject: [PATCH] Update HTTP endpoint authorization handler

The default authorization handler for HTTP endpoints is now the AuthenticationBasedHttpEndpointAuthorizationHandler instead of the AllowAnonymousHttpEndpointAuthorizationHandler. The configuration was updated in HttpFeature.cs and the override in Program.cs was removed. This provides more security to HTTP endpoints by requiring authentication.
---
 src/bundles/Elsa.Server.Web/Program.cs        | 1 -
 src/modules/Elsa.Http/Features/HttpFeature.cs | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/bundles/Elsa.Server.Web/Program.cs b/src/bundles/Elsa.Server.Web/Program.cs
index 1f8e0e0444..229c9380f3 100644
--- a/src/bundles/Elsa.Server.Web/Program.cs
+++ b/src/bundles/Elsa.Server.Web/Program.cs
@@ -175,7 +175,6 @@
             .UseHttp(http =>
             {
                 http.ConfigureHttpOptions = options => configuration.GetSection("Http").Bind(options);
-                http.HttpEndpointAuthorizationHandler = sp => sp.GetRequiredService<AllowAnonymousHttpEndpointAuthorizationHandler>();
             })
             .UseEmail(email => email.ConfigureOptions = options => configuration.GetSection("Smtp").Bind(options))
             .UseAlterations(alterations =>
diff --git a/src/modules/Elsa.Http/Features/HttpFeature.cs b/src/modules/Elsa.Http/Features/HttpFeature.cs
index cca032350a..2a7e7caaed 100644
--- a/src/modules/Elsa.Http/Features/HttpFeature.cs
+++ b/src/modules/Elsa.Http/Features/HttpFeature.cs
@@ -53,7 +53,7 @@ public HttpFeature(IModule module) : base(module)
     /// <summary>
     /// A delegate that is invoked when authorizing an inbound HTTP request.
     /// </summary>
-    public Func<IServiceProvider, IHttpEndpointAuthorizationHandler> HttpEndpointAuthorizationHandler { get; set; } = sp => sp.GetRequiredService<AllowAnonymousHttpEndpointAuthorizationHandler>();
+    public Func<IServiceProvider, IHttpEndpointAuthorizationHandler> HttpEndpointAuthorizationHandler { get; set; } = sp => sp.GetRequiredService<AuthenticationBasedHttpEndpointAuthorizationHandler>();
 
     /// <summary>
     /// A delegate that is invoked when an HTTP workflow faults.