Avoid cookie login redirects for known API endpoints (#62816)

Author: halter73

src/Http/Http.Abstractions/src/Metadata/ApiEndpointMetadata.cs

@@ -0,0 +1,20 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+namespace Microsoft.AspNetCore.Http.Metadata;
+
+/// <summary>
+/// Metadata that indicates the endpoint is intended for API clients.
+/// When present, authentication handlers should prefer returning status codes over browser redirects.
+/// </summary>
+internal sealed class ApiEndpointMetadata : IApiEndpointMetadata
+{
+    /// <summary>
+    /// Singleton instance of <see cref="ApiEndpointMetadata"/>.
+    /// </summary>
+    public static readonly ApiEndpointMetadata Instance = new();
+
+    private ApiEndpointMetadata()
+    {
+    }
+}

src/Http/Http.Abstractions/src/Metadata/IApiEndpointMetadata.cs

@@ -0,0 +1,12 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+namespace Microsoft.AspNetCore.Http.Metadata;
+
+/// <summary>
+/// Metadata that indicates the endpoint is an API intended for programmatic access rather than direct browser navigation.
+/// When present, authentication handlers should prefer returning status codes over browser redirects.
+/// </summary>
+public interface IApiEndpointMetadata
+{
+}

src/Http/Http.Abstractions/src/Microsoft.AspNetCore.Http.Abstractions.csproj

@@ -35,7 +35,6 @@ Microsoft.AspNetCore.Http.HttpResponse</Description>
   </ItemGroup>
 
   <ItemGroup>
-    <InternalsVisibleTo Include="Microsoft.AspNetCore.Http.Abstractions.Microbenchmarks" />
     <InternalsVisibleTo Include="Microsoft.AspNetCore.Http.Extensions" />
     <InternalsVisibleTo Include="Microsoft.AspNetCore.Http.Results" />
   </ItemGroup>
@@ -61,5 +60,6 @@ Microsoft.AspNetCore.Http.HttpResponse</Description>
 
   <ItemGroup>
     <InternalsVisibleTo Include="Microsoft.AspNetCore.Http.Abstractions.Tests" />
+    <InternalsVisibleTo Include="Microsoft.AspNetCore.Http.Abstractions.Microbenchmarks" />
   </ItemGroup>
 </Project>

src/Http/Http.Abstractions/src/PublicAPI.Unshipped.txt

@@ -1,4 +1,5 @@
 #nullable enable
+Microsoft.AspNetCore.Http.Metadata.IApiEndpointMetadata
 Microsoft.AspNetCore.Http.Metadata.IDisableValidationMetadata
 Microsoft.AspNetCore.Http.ProducesResponseTypeMetadata.Description.get -> string?
 Microsoft.AspNetCore.Http.ProducesResponseTypeMetadata.Description.set -> void

src/Http/Http.Extensions/gen/Microsoft.AspNetCore.Http.RequestDelegateGenerator/RequestDelegateGenerator.cs

@@ -248,7 +248,12 @@ public void Initialize(IncrementalGeneratorInitializationContext context)
 
                 if (hasFormBody)
                 {
-                    codeWriter.WriteLine(RequestDelegateGeneratorSources.AntiforgeryMetadataType);
+                    codeWriter.WriteLine(RequestDelegateGeneratorSources.AntiforgeryMetadataClass);
+                }
+
+                if (hasJsonBody || hasResponseMetadata)
+                {
+                    codeWriter.WriteLine(RequestDelegateGeneratorSources.ApiEndpointMetadataClass);
                 }
 
                 if (hasFormBody || hasJsonBody || hasResponseMetadata)

src/Http/Http.Extensions/gen/Microsoft.AspNetCore.Http.RequestDelegateGenerator/RequestDelegateGeneratorSources.cs

@@ -479,19 +479,39 @@ internal ParameterBindingMetadata(
     }
 """;
 
-    public static string AntiforgeryMetadataType = """
-file sealed class AntiforgeryMetadata : IAntiforgeryMetadata
-{
-    public static readonly IAntiforgeryMetadata ValidationRequired = new AntiforgeryMetadata(true);
-
-    public AntiforgeryMetadata(bool requiresValidation)
+    public static string AntiforgeryMetadataClass = """
+    file sealed class AntiforgeryMetadata : IAntiforgeryMetadata
     {
-        RequiresValidation = requiresValidation;
+        public static readonly IAntiforgeryMetadata ValidationRequired = new AntiforgeryMetadata(true);
+
+        public AntiforgeryMetadata(bool requiresValidation)
+        {
+            RequiresValidation = requiresValidation;
+        }
+
+        public bool RequiresValidation { get; }
     }
+""";
 
-    public bool RequiresValidation { get; }
-}
+    public static string ApiEndpointMetadataClass = """
+    file sealed class ApiEndpointMetadata : IApiEndpointMetadata
+    {
+        public static readonly ApiEndpointMetadata Instance = new();
+
+        private ApiEndpointMetadata()
+        {
+        }
+
+        public static void AddApiEndpointMetadataIfMissing(EndpointBuilder builder)
+        {
+            if (!builder.Metadata.Any(m => m is IApiEndpointMetadata))
+            {
+                builder.Metadata.Add(Instance);
+            }
+        }
+    }
 """;
+
     public static string GetGeneratedRouteBuilderExtensionsSource(string endpoints, string helperMethods, string helperTypes, ImmutableHashSet<string> verbs) => $$"""
 {{SourceHeader}}
 

src/Http/Http.Extensions/gen/Microsoft.AspNetCore.Http.RequestDelegateGenerator/StaticRouteHandlerModel/StaticRouteHandlerModel.Emitter.cs

@@ -205,7 +205,7 @@ private static void EmitBuiltinResponseTypeMetadata(this Endpoint endpoint, Code
             return;
         }
 
-        if (!endpoint.Response.IsAwaitable && (response.HasNoResponse || response.IsIResult))
+        if (response.HasNoResponse || response.IsIResult)
         {
             return;
         }
@@ -215,13 +215,10 @@ private static void EmitBuiltinResponseTypeMetadata(this Endpoint endpoint, Code
         {
             codeWriter.WriteLine($"options.EndpointBuilder.Metadata.Add(new ProducesResponseTypeMetadata(statusCode: StatusCodes.Status200OK, type: typeof(string), contentTypes: GeneratedMetadataConstants.PlaintextContentType));");
         }
-        else if (response.IsAwaitable && response.ResponseType == null)
-        {
-            codeWriter.WriteLine($"options.EndpointBuilder.Metadata.Add(new ProducesResponseTypeMetadata(statusCode: StatusCodes.Status200OK, type: typeof(void), contentTypes: GeneratedMetadataConstants.PlaintextContentType));");
-        }
         else if (response.ResponseType is { } responseType)
         {
             codeWriter.WriteLine($$"""options.EndpointBuilder.Metadata.Add(new ProducesResponseTypeMetadata(statusCode: StatusCodes.Status200OK, type: typeof({{responseType.ToDisplayString(EmitterConstants.DisplayFormatWithoutNullability)}}), contentTypes: GeneratedMetadataConstants.JsonContentType));""");
+            codeWriter.WriteLine("ApiEndpointMetadata.AddApiEndpointMetadataIfMissing(options.EndpointBuilder);");
         }
     }
 
@@ -339,13 +336,15 @@ public static void EmitJsonAcceptsMetadata(this Endpoint endpoint, CodeWriter co
             codeWriter.WriteLine("if (!serviceProviderIsService.IsService(type))");
             codeWriter.StartBlock();
             codeWriter.WriteLine("options.EndpointBuilder.Metadata.Add(new AcceptsMetadata(type: type, isOptional: isOptional, contentTypes: GeneratedMetadataConstants.JsonContentType));");
+            codeWriter.WriteLine("options.EndpointBuilder.Metadata.Add(ApiEndpointMetadata.Instance);");
             codeWriter.WriteLine("break;");
             codeWriter.EndBlock();
             codeWriter.EndBlock();
         }
         else
         {
-            codeWriter.WriteLine($"options.EndpointBuilder.Metadata.Add(new AcceptsMetadata(contentTypes: GeneratedMetadataConstants.JsonContentType));");
+            codeWriter.WriteLine("options.EndpointBuilder.Metadata.Add(new AcceptsMetadata(contentTypes: GeneratedMetadataConstants.JsonContentType));");
+            codeWriter.WriteLine("options.EndpointBuilder.Metadata.Add(ApiEndpointMetadata.Instance);");
         }
     }
 

src/Http/Http.Extensions/src/RequestDelegateFactory.cs

@@ -401,7 +401,14 @@ private static Expression[] CreateArgumentsAndInferMetadata(MethodInfo methodInf
                 InferAntiforgeryMetadata(factoryContext);
             }
 
-            PopulateBuiltInResponseTypeMetadata(methodInfo.ReturnType, factoryContext.EndpointBuilder);
+            // If this endpoint expects a JSON request body, we assume its an API endpoint not intended for browser navigation.
+            // When present, authentication handlers should prefer returning status codes over browser redirects.
+            if (factoryContext.JsonRequestBodyParameter is not null)
+            {
+                factoryContext.EndpointBuilder.Metadata.Add(ApiEndpointMetadata.Instance);
+            }
+
+            PopulateBuiltInResponseTypeMetadata(methodInfo.ReturnType, factoryContext);
 
             // Add metadata provided by the delegate return type and parameter types next, this will be more specific than inferred metadata from above
             EndpointMetadataPopulator.PopulateMetadata(methodInfo, factoryContext.EndpointBuilder, factoryContext.Parameters);
@@ -1023,37 +1030,40 @@ private static Expression CreateParamCheckingResponseWritingMethodCall(Type retu
         return Expression.Block(localVariables, checkParamAndCallMethod);
     }
 
-    private static void PopulateBuiltInResponseTypeMetadata(Type returnType, EndpointBuilder builder)
+    private static void PopulateBuiltInResponseTypeMetadata(Type returnType, RequestDelegateFactoryContext factoryContext)
     {
         if (returnType.IsByRefLike)
         {
             throw GetUnsupportedReturnTypeException(returnType);
         }
 
-        var isAwaitable = false;
         if (CoercedAwaitableInfo.IsTypeAwaitable(returnType, out var coercedAwaitableInfo))
         {
             returnType = coercedAwaitableInfo.AwaitableInfo.ResultType;
-            isAwaitable = true;
         }
 
         // Skip void returns and IResults. IResults might implement IEndpointMetadataProvider but otherwise we don't know what it might do.
-        if (!isAwaitable && (returnType == typeof(void) || typeof(IResult).IsAssignableFrom(returnType)))
+        if (returnType == typeof(void) || typeof(IResult).IsAssignableFrom(returnType))
         {
             return;
         }
 
+        var builder = factoryContext.EndpointBuilder;
+
         if (returnType == typeof(string))
         {
             builder.Metadata.Add(ProducesResponseTypeMetadata.CreateUnvalidated(type: typeof(string), statusCode: 200, PlaintextContentType));
         }
-        else if (returnType == typeof(void))
-        {
-            builder.Metadata.Add(ProducesResponseTypeMetadata.CreateUnvalidated(returnType, statusCode: 200, PlaintextContentType));
-        }
         else
         {
             builder.Metadata.Add(ProducesResponseTypeMetadata.CreateUnvalidated(returnType, statusCode: 200, DefaultAcceptsAndProducesContentType));
+
+            if (factoryContext.JsonRequestBodyParameter is null)
+            {
+                // Since this endpoint responds with JSON, we assume its an API endpoint not intended for browser navigation,
+                // but we don't want to bother adding this metadata twice if we've already inferred it based on the expected JSON request body.
+                builder.Metadata.Add(ApiEndpointMetadata.Instance);
+            }
         }
     }
 

src/Http/Http.Extensions/test/RequestDelegateFactoryTests.cs

@@ -2533,7 +2533,7 @@ public void Create_AddJsonResponseType_AsMetadata()
         var @delegate = () => new object();
         var result = RequestDelegateFactory.Create(@delegate);
 
-        var responseMetadata = Assert.IsAssignableFrom<IProducesResponseTypeMetadata>(Assert.Single(result.EndpointMetadata));
+        var responseMetadata = Assert.Single(result.EndpointMetadata.OfType<IProducesResponseTypeMetadata>());
 
         Assert.Equal("application/json", Assert.Single(responseMetadata.ContentTypes));
         Assert.Equal(typeof(object), responseMetadata.Type);
@@ -2545,7 +2545,7 @@ public void Create_AddPlaintextResponseType_AsMetadata()
         var @delegate = () => "Hello";
         var result = RequestDelegateFactory.Create(@delegate);
 
-        var responseMetadata = Assert.IsAssignableFrom<IProducesResponseTypeMetadata>(Assert.Single(result.EndpointMetadata));
+        var responseMetadata = Assert.Single(result.EndpointMetadata.OfType<IProducesResponseTypeMetadata>());
 
         Assert.Equal("text/plain", Assert.Single(responseMetadata.ContentTypes));
         Assert.Equal(typeof(string), responseMetadata.Type);
@@ -2683,6 +2683,7 @@ public void Create_CombinesDefaultMetadata_AndMetadataFromReturnTypesImplementin
 
         // Assert
         Assert.Contains(result.EndpointMetadata, m => m is CustomEndpointMetadata { Source: MetadataSource.Caller });
+        Assert.DoesNotContain(result.EndpointMetadata, m => m is IProducesResponseTypeMetadata);
         // Expecting '1' because only initial metadata will be in the metadata list when this metadata item is added
         Assert.Contains(result.EndpointMetadata, m => m is MetadataCountMetadata { Count: 1 });
     }
@@ -2705,9 +2706,9 @@ public void Create_CombinesDefaultMetadata_AndMetadataFromTaskWrappedReturnTypes
 
         // Assert
         Assert.Contains(result.EndpointMetadata, m => m is CustomEndpointMetadata { Source: MetadataSource.Caller });
-        Assert.Contains(result.EndpointMetadata, m => m is ProducesResponseTypeMetadata { Type: { } type } && type == typeof(CountsDefaultEndpointMetadataResult));
-        // Expecting the custom metadata and the implicit metadata associated with a Task-based return type to be inserted
-        Assert.Contains(result.EndpointMetadata, m => m is MetadataCountMetadata { Count: 2 });
+        Assert.DoesNotContain(result.EndpointMetadata, m => m is IProducesResponseTypeMetadata);
+        // Expecting '1' because only initial metadata will be in the metadata list when this metadata item is added
+        Assert.Contains(result.EndpointMetadata, m => m is MetadataCountMetadata { Count: 1 });
     }
 
     [Fact]
@@ -2728,9 +2729,9 @@ public void Create_CombinesDefaultMetadata_AndMetadataFromValueTaskWrappedReturn
 
         // Assert
         Assert.Contains(result.EndpointMetadata, m => m is CustomEndpointMetadata { Source: MetadataSource.Caller });
-        Assert.Contains(result.EndpointMetadata, m => m is ProducesResponseTypeMetadata { Type: { } type } && type == typeof(CountsDefaultEndpointMetadataResult));
-        // Expecting the custom metadata nad hte implicit metadata associated with a Task-based return type to be inserted
-        Assert.Contains(result.EndpointMetadata, m => m is MetadataCountMetadata { Count: 2 });
+        Assert.DoesNotContain(result.EndpointMetadata, m => m is IProducesResponseTypeMetadata);
+        // Expecting '1' because only initial metadata will be in the metadata list when this metadata item is added
+        Assert.Contains(result.EndpointMetadata, m => m is MetadataCountMetadata { Count: 1 });
     }
 
     [Fact]
@@ -2751,9 +2752,9 @@ public void Create_CombinesDefaultMetadata_AndMetadataFromFSharpAsyncWrappedRetu
 
         // Assert
         Assert.Contains(result.EndpointMetadata, m => m is CustomEndpointMetadata { Source: MetadataSource.Caller });
-        Assert.Contains(result.EndpointMetadata, m => m is IProducesResponseTypeMetadata { Type: { } type } && type == typeof(CountsDefaultEndpointMetadataResult));
+        Assert.DoesNotContain(result.EndpointMetadata, m => m is IProducesResponseTypeMetadata);
         // Expecting '1' because only initial metadata will be in the metadata list when this metadata item is added
-        Assert.Contains(result.EndpointMetadata, m => m is MetadataCountMetadata { Count: 2 });
+        Assert.Contains(result.EndpointMetadata, m => m is MetadataCountMetadata { Count: 1 });
     }
 
     [Fact]
@@ -2824,14 +2825,16 @@ public void Create_CombinesAllMetadata_InCorrectOrder()
             m => Assert.True(m is AcceptsMetadata am && am.RequestType == typeof(AddsCustomParameterMetadata)),
             // Inferred ParameterBinding metadata
             m => Assert.True(m is IParameterBindingMetadata { Name: "param1" }),
-            // Inferred ProducesResopnseTypeMetadata from RDF for complex type
+            // Inferred IApiEndpointMetadata from RDF for complex request and response type
+            m => Assert.True(m is IApiEndpointMetadata),
+            // Inferred ProducesResponseTypeMetadata from RDF for complex type
             m => Assert.Equal(typeof(CountsDefaultEndpointMetadataPoco), ((IProducesResponseTypeMetadata)m).Type),
             // Metadata provided by parameters implementing IEndpointParameterMetadataProvider
             m => Assert.True(m is ParameterNameMetadata { Name: "param1" }),
             // Metadata provided by parameters implementing IEndpointMetadataProvider
             m => Assert.True(m is CustomEndpointMetadata { Source: MetadataSource.Parameter }),
             // Metadata provided by return type implementing IEndpointMetadataProvider
-            m => Assert.True(m is MetadataCountMetadata { Count: 6 }));
+            m => Assert.True(m is MetadataCountMetadata { Count: 7 }));
     }
 
     [Fact]

src/Http/Http.Extensions/test/RequestDelegateGenerator/Baselines/HandlesEndpointsWithAndWithoutDiagnostics.generated.txt

@@ -225,6 +225,22 @@ namespace Microsoft.AspNetCore.Http.Generated
 
     }
 
+    file sealed class ApiEndpointMetadata : IApiEndpointMetadata
+    {
+        public static readonly ApiEndpointMetadata Instance = new();
+
+        private ApiEndpointMetadata()
+        {
+        }
+
+        public static void AddApiEndpointMetadataIfMissing(EndpointBuilder builder)
+        {
+            if (!builder.Metadata.Any(m => m is IApiEndpointMetadata))
+            {
+                builder.Metadata.Add(Instance);
+            }
+        }
+    }
     %GENERATEDCODEATTRIBUTE%
     file static class GeneratedMetadataConstants
     {