feat(web): stealth-route /cms/* — return 404 to unauthorized callers

Any /cms/* hit (including the exact path /cms) that fails authorization now
returns 404 instead of redirecting to /account/login, as required by the
CMS-PLAN §3.4 constraint.
Daniel Harvey
2026-05-18 21:23:15 -04:00
parent 130f1357ec
commit f4388a5cc3
2 changed files with 41 additions and 0 deletions
+7
@@ -2,6 +2,8 @@ using AuthBlocksLib;
using AuthBlocksLib.Options;
using DeepDrftCms;
using DeepDrftWeb;
using DeepDrftWeb.Middleware;
using Microsoft.AspNetCore.Authorization;
using MudBlazor.Services;
using DeepDrftWeb.Components;
using Microsoft.AspNetCore.HttpOverrides;
@@ -64,6 +66,11 @@ builder.Services.AddAuthBlocks(options =>
};
});
// CMS stealth routing: unauthorized /cms/* requests return 404, not a redirect.
// This prevents the CMS from revealing its own existence to unauthenticated callers.
// See CMS-PLAN §3.4.
builder.Services.AddSingleton<IAuthorizationMiddlewareResultHandler, CmsStealthRoutingHandler>();
// AuthBlocksWeb: Blazor JWT client services (auth API is mounted on this same host via MapAuthBlocks).
// AuthBlocksWeb.Startup.ConfigureAuthServices registers AddCascadingAuthenticationState server-side.
AuthBlocksWeb.Startup.ConfigureAuthServices(builder.Services, baseUrl);
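Review bot: The `AddSingleton<IAuthorizationMiddlewareResultHandler, CmsStealthRoutingHandler>()` added in this hunk swaps the authorization result handler for the entire application, not only for `/cms/*`, so every other `[Authorize]` endpoint's login redirect now depends on `CmsStealthRoutingHandler` (in the other changed file, not visible here) delegating to the default `AuthorizationMiddlewareResultHandler` for non-CMS paths and matching `/cms` as a path segment rather than a bare string prefix (a `/cmsfoo` route must not be stealthed). The comment above the registration should state that contract: `// NOTE: this replaces the app-wide authorization result handler; CmsStealthRoutingHandler must fall through to the default handler for non-/cms paths.` For the 404 to actually hide the CMS it also has to be indistinguishable from the site's real 404 (same status, headers and body) for both the challenge and the forbid outcomes, which is worth an integration test alongside one asserting that a non-CMS protected route still redirects to /account/login. Since this appears to be a Blazor app (MudBlazor, DeepDrftWeb.Components), client-side navigation inside an already-open interactive circuit is authorized by the router's AuthorizeRouteView rather than by this middleware handler, so a `/cms` route reached that way may still render NotAuthorized content instead of a 404 — worth confirming against the handler's intended coverage.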