From 333a0cf73469b41ffbd93642b1465afa98699215 Mon Sep 17 00:00:00 2001
From: cryptooda
Date: Sat, 8 Nov 2025 02:33:39 +0700
Subject: [PATCH] Fix jwt handling
---
 src/Managing.Api/Program.cs | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/src/Managing.Api/Program.cs b/src/Managing.Api/Program.cs
index 6627cc92..376ed5e2 100644
--- a/src/Managing.Api/Program.cs
+++ b/src/Managing.Api/Program.cs
@@ -263,6 +263,31 @@ builder.Services
 {
 OnMessageReceived = context =>
 {
+ // Skip token extraction for anonymous endpoints to avoid validation errors
+ var path = context.Request.Path.Value?.ToLower();
+ if (path != null && (path.EndsWith("/create-token") || path.EndsWith("/authenticate")))
+ {
+ // Clear any token to prevent validation on anonymous endpoints
+ context.Token = null;
+ return Task.CompletedTask;
+ }
+
+ // Handle tokens sent without "Bearer " prefix for authenticated endpoints
+ // The standard middleware expects "Bearer " but some clients send just the token
+ if (string.IsNullOrEmpty(context.Token))
+ {
+ var authHeader = context.Request.Headers["Authorization"].FirstOrDefault();
+ if (!string.IsNullOrEmpty(authHeader))
+ {
+ // If header doesn't start with "Bearer ", treat the entire value as the token
+ if (!authHeader.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
+ {
+ context.Token = authHeader;
+ }
+ // Otherwise, let the default middleware extract it (it will strip "Bearer " automatically)
+ }
+ }
+
 // If you want to get the token from a custom header or query string
 // var accessToken = context.Request.Query["access_token"];
 // if (!string.IsNullOrEmpty(accessToken) &&
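Review bot: The bare-token fallback assigns any Authorization value that lacks the "Bearer " prefix to `context.Token`, so credentials for other schemes (for example a `Basic …` header) are handed to the JWT validator as a candidate token. They should fail validation, but it is safer to accept only a value that looks like a single bare token, e.g. `if (!authHeader.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase) && !authHeader.Contains(' '))`. Separately, the early return for `/create-token` and `/authenticate` probably does not skip validation as its comment says: as far as I know the JwtBearer handler reads the Authorization header itself when `context.Token` is empty, so a well-formed `Bearer` header is still validated unless the branch calls `context.NoResult();` before returning. The path test would also be more robust as `path.EndsWith("/create-token", StringComparison.OrdinalIgnoreCase)` without the culture-sensitive `ToLower()`, and a suffix match applies to every route ending in those segments, so the comment should name the exact endpoints it is meant for. The `OnMessageReceived` lambda continues past the end of this hunk.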