AuthorizedRole issue?

Is there a bug on the authorization part?

A user with role "Admin" is able to call and get results from an API set up as follows:

    New-UDEndpoint -Url '/whoami' -AuthorizedRole 'test' -Method GET -Endpoint {
        return [PSCustomObject]@{
            UserName = $user
        } | ConvertTo-Json
    }

Am I doing something wrong?

Thanks

Sounds like a bug. Can you open an issue for this on GitHub and I’ll look into it today.

It does look like there is a test in place for this scenario that is passing. Can you post more of your REST API or compare it to the code below?

    $AdminEndpoint = New-UDEndpoint -Url "admin" -Method "GET" -Endpoint {
        "Admin"
    } -AuthorizedRole "Admin"

    $UserEndpoint = New-UDEndpoint -Url "notAdmin" -Method "GET" -Endpoint {
        "User"
    } -AuthorizedRole @("Admin", "User")

    $Server = Start-UDRestApi -Port 10001 -Endpoint @($AdminEndpoint, $UserEndpoint) -AuthenticationMethod (
        New-UDAuthenticationMethod -Issuer "Adam"
    )

    It "should return admin to admin" {
        $Token = Grant-UDJsonWebToken -UserName "adam" -Role "Admin" -Issuer "Adam"
        Invoke-RestMethod http://localhost:10001/api/admin -Headers @{ Authorization = "Bearer $Token" } -ContentType "application/json" | should be "Admin"
    }

    It "should not return admin to user" {
        $Token = Grant-UDJsonWebToken -UserName "adam" -Role "User" -Issuer "Adam"

        # Record the rejection in a flag and assert after the try/catch. Asserting inside
        # the try block would let the empty catch swallow the assertion failure, so the
        # test could never fail even if the endpoint answered a "User" token.
        $Rejected = $false
        try {
            Invoke-RestMethod http://localhost:10001/api/admin -Headers @{ Authorization = "Bearer $Token" } -ContentType "application/json"
        }
        catch {
            $Rejected = $true
        }
        $Rejected | should be $true
    }

    It "should return user to user" {
        $Token = Grant-UDJsonWebToken -UserName "adam" -Role "User" -Issuer "Adam"
        Invoke-RestMethod http://localhost:10001/api/notAdmin -Headers @{ Authorization = "Bearer $Token" } -ContentType "application/json" | should be "User"
    }

    It "should return user to admin" {
        $Token = Grant-UDJsonWebToken -UserName "adam" -Role "Admin" -Issuer "Adam"
        Invoke-RestMethod http://localhost:10001/api/notAdmin -Headers @{ Authorization = "Bearer $Token" } -ContentType "application/json" | should be "User"
    }