IFormFile/IFormFileCollection support for authenticated requests in minimal APIs

[Rick-Anderson]

IFormFile/IFormFileCollection support for authenticated requests in minimal APIs

See #26345 Code done, see #26453 can't publish until .NET 7 . See also test sample

[Rick-Anderson]

@martincostello can you update the code from #26494 to use authenticated requests?

[martincostello]

Might that get a bit scope-creepy having to configure a whole app's worth of auth stuff into a non-auth sample to just go "oh, and it works in that context too now"?

It's not really relevant to the file upload functionality in of itself other than before preview 1 it was actively blocked as the security-concerns hadn't been addressed at that point.

Feels to me it's equivalent to if there was a feature that only worked on Windows for a while, and then later it also worked on other OSs. You wouldn't update the samples to prove they also now worked on the other operating systems.

Or am I misunderstanding exactly what you're asking for?

[Rick-Anderson]

@martincostello do you think if we just say authenticated requests are supported, that's enough?

[martincostello]

Maybe just something that points the user to consider whether they would also need to incorporate anti-forgery like in the blog post?

There is no built-in support for anti-forgery in minimal APIs. However, it can be implemented using the IAntiforgery service.

[Rick-Anderson]

Might that get a bit scope-creepy having to configure a whole app's worth of auth stuff into a non-auth sample to just go "oh, and it works in that context too now"?

If I use JWT like this sample it one short file. But even that doesn't seem worth doing.

Maybe just something that points the user to consider whether they would also need to incorporate anti-forgery like in the blog post?

There is no built-in support for anti-forgery in minimal APIs. However, it can be implemented using the IAntiforgery service.

Agreed, I'll do that.