WEB API 6.0 - Return 500 instead of 401 when post large data with anonymous

[bitsystem79]

Step to reproduce:

Create a Web API with a JWT Authentication and Create a simple controller in order to post a file (10 MB about) with Authorize attribute.

Deploy your APP on Azure (or IIS, it should be the same).

Test your API without authenticating through Chrome by simulating bad internet connection (press F12 on Chrome, go to Network tab and choose “Fast 3G”.

You’ll see a 500 server error, not 401, and backend side you’ll see something like “the application completed without reading the entire request body” which means that NET Core is waiting for full request body before understand that the call needs to be rejected because no JWT Token has been passed.

So it's dangerous for DoS attack also.

[halter73]

the application completed without reading the entire request body

There's probably an uncaught exception that was thrown before this leading to the 500. Can you enable (preferably trace-level) ASP.NET Core Logging and provide the logs from when the issue occurs?

which means that NET Core is waiting for full request body before understand that the call needs to be rejected because no JWT Token has been passed.

This seems unlikely. ASP.NET Core does not typically read the request body prior to authenticating the request.

Hi @bitsystem79. We have added the "Needs: Author Feedback" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time.

[bitsystem79]

@halter73 this is the log of Serilog on AppInsight and this is the only log I've seen:
[INF] Connection id "...", Request id "..:": the application completed without reading the entire request body.
[INF] Connection id "...", Request id "...": automatic draining of the request body timed out after taking over 5 seconds.

[bitsystem79]

the application completed without reading the entire request body

There's probably an uncaught exception that was thrown before this leading to the 500. Can you enable (preferably trace-level) ASP.NET Core Logging and provide the logs from when the issue occurs?

which means that NET Core is waiting for full request body before understand that the call needs to be rejected because no JWT Token has been passed.

This seems unlikely. ASP.NET Core does not typically read the request body prior to authenticating the request.

@halter73 other ideas?

[amcasey]

@bitsystem79 Does your serilog output include the logs from Microsoft.AspNetCore? That's where I'd expect the exception Stephen was asking about to be reported. If not, can you please enable those logs and try again?