Started response guards prior to use default challenge and forbid calls

.build/release.props

@@ -4,9 +4,9 @@
         <Authors>Arturo Martinez</Authors>
 		<Company>DarkLoop</Company>
         <PackageId>DarkLoop.Azure.Functions.Authorize</PackageId>
-        <IsPreview>false</IsPreview>
+        <IsPreview>true</IsPreview>
         <AssemblyVersion>3.0.0.0</AssemblyVersion>
-        <Version>3.1.1</Version>
+        <Version>3.1.2</Version>
         <FileVersion>$(Version).0</FileVersion>
         <RepositoryUrl>https://github.com/dark-loop/functions-authorize</RepositoryUrl>
         <License>https://github.com/dark-loop/functions-authorize/blob/master/LICENSE</License>

src/DarkLoop.Azure.Functions.Authorize/Security/FunctionsHttpAuthorizationHandler.cs

@@ -36,39 +36,45 @@ public async Task OnAuthorizingFunctionInstance(FunctionExecutingContext functio
 
             if (context.Result is ChallengeResult challenge)
             {
-                if (challenge.AuthenticationSchemes != null && challenge.AuthenticationSchemes.Count > 0)
+                if (!httpContext.Response.HasStarted)
                 {
-                    foreach (var scheme in challenge.AuthenticationSchemes)
+                    if (challenge.AuthenticationSchemes != null && challenge.AuthenticationSchemes.Count > 0)
                     {
-                        await httpContext.ChallengeAsync(scheme);
+                        foreach (var scheme in challenge.AuthenticationSchemes)
+                        {
+                            await httpContext.ChallengeAsync(scheme);
+                        }
                     }
-                }
-                else
-                {
-                    await httpContext.ChallengeAsync();
+                    else
+                    {
+                        await httpContext.ChallengeAsync();
+                    }
+
+                    await SetResponseAsync("Unauthorized", httpContext.Response);
                 }
 
-                await SetResponseAsync("Unauthorized", httpContext.Response);
-
                 // need to make sure function stops executing. At this moment this is the only way.
                 BombFunctionInstance(HttpStatusCode.Unauthorized);
             }
 
             if (context.Result is ForbidResult forbid)
             {
-                if (forbid.AuthenticationSchemes != null && forbid.AuthenticationSchemes.Count > 0)
+                if (!httpContext.Response.HasStarted)
                 {
-                    foreach (var scheme in forbid.AuthenticationSchemes)
+                    if (forbid.AuthenticationSchemes != null && forbid.AuthenticationSchemes.Count > 0)
                     {
-                        await httpContext.ForbidAsync(scheme);
+                        foreach (var scheme in forbid.AuthenticationSchemes)
+                        {
+                            await httpContext.ForbidAsync(scheme);
+                        }
+                    }
+                    else
+                    {
+                        await httpContext.ForbidAsync();
                     }
-                }
-                else
-                {
-                    await httpContext.ForbidAsync();
-                }
 
-                await SetResponseAsync("Forbidden", httpContext.Response);
+                    await SetResponseAsync("Forbidden", httpContext.Response);
+                }
 
                 // need to make sure function stops executing. At this moment this is the only way.
                 BombFunctionInstance(HttpStatusCode.Forbidden);