Restrict POST /configuration endpoint to loopback#3669
Merged
Conversation
The POST /configuration endpoint used in late-configured (hosted) mode now requires the request to originate from a loopback address. An optional bootstrap token (DAB_CONFIG_AUTH_TOKEN env var, X-DAB-CONFIG-AUTH header) can be required as an additional check. Backward compatible: in-process callers (TestServer) and loopback callers without a token continue to work.
souvikghosh04
requested review from
Alekhya-Polavarapu,
Aniruddh25,
JerryNixon,
RubenCerna2079,
aaronburtle,
anushakolan,
rusamant,
sourabh1007,
stuartpa and
vadeveka
as code owners
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens the late-bound hosted-mode POST /configuration bootstrap endpoint by restricting access to loopback callers and (optionally) requiring a bootstrap token header, reducing exposure prior to the auth middleware running.
Changes:
- Added
IsConfigurationRequestAuthorized(HttpContext)and enforced it in the/configurationgating middleware (returning403 Forbiddenwhen unauthorized). - Introduced optional bootstrap-token validation via
DAB_CONFIG_AUTH_TOKEN+X-DAB-CONFIG-AUTHusing fixed-time comparison. - Added new test coverage for authorization behavior across loopback/non-loopback and token combinations.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/Service/Startup.cs | Adds loopback + optional bootstrap-token authorization gating for POST /configuration. |
| src/Service.Tests/Configuration/ConfigurationEndpointAuthorizationTests.cs | Adds unit + TestServer coverage for the new authorization behavior. |
- Handle ::ffff:127.0.0.1 (dual-stack Kestrel) as loopback by calling MapToIPv4 first - Fix stray quote in IsConfigurationRequestAuthorized XML doc - Add matrix row covering IPv4-mapped IPv6 loopback
…tion Other tests in the assembly (e.g. TestLoadingLocalCosmosSettings) set ASPNETCORE_ENVIRONMENT and DAB_ENVIRONMENT without cleanup. Those env vars caused FileSystemRuntimeConfigLoader to find an environment-specific dab-config.*.json on disk and auto-initialize the runtime, which made POST /configuration return 409 Conflict before the new security middleware was exercised, breaking the EndToEnd matrix in CI. Snapshot and clear ASPNETCORE_ENVIRONMENT and DAB_ENVIRONMENT before creating the TestServer, and restore them in a finally block. Verified locally by setting ASPNETCORE_ENVIRONMENT=CosmosDb_NoSql in the parent shell and rerunning all 22 tests successfully.
anushakolan
reviewed
Jun 16, 2026
anushakolan
left a comment
anushakolan
left a comment
Contributor
There was a problem hiding this comment.
Just a minor comment to address; otherwise LGTM.
It would be helpful to create a tracking task and link it to this PR, along with relevant context. This makes it easier to understand the background and motivations for the change in the future.
anushakolan
approved these changes
Jun 16, 2026
RubenCerna2079
approved these changes
Jun 16, 2026
RubenCerna2079
left a comment
RubenCerna2079
left a comment
Contributor
There was a problem hiding this comment.
LGTM! Approving with the expectation that the comment from Anusha gets resolved.
Addresses two review comments on PR #3669: 1. (anushakolan) Move DAB_CONFIG_AUTH_TOKEN, ASPNETCORE_ENVIRONMENT, and DAB_ENVIRONMENT snapshot/restore into TestInitialize/TestCleanup so any pre-existing values are preserved verbatim. Previously TestCleanup reset DAB_CONFIG_AUTH_TOKEN to null which could perturb other tests. 2. (RubenCerna2079) Add explicit unit-test matrix rows for private/public IPv4 with correct token, wrong token, and missing header so the 'non-loopback is always denied regardless of token' contract is regression-locked. Matrix grows from 14 to 18 rows; total tests 22 -> 26. Verified locally by setting both ASPNETCORE_ENVIRONMENT=CosmosDb_NoSql and DAB_CONFIG_AUTH_TOKEN=preexisting-value in the parent shell: all 26 tests pass and both env vars retain their original values after the run.
RubenCerna2079
approved these changes
Jun 17, 2026
github-project-automation
Bot
moved this from Review In Progress
to Done
in Data API builder
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Restrict the late-configured
POST /configurationendpoint so it is only callable from the loopback interface, with an optional bootstrap-token check on top.Why
POST /configurationis used in hosted mode (e.g. Azure Static Web Apps) to deliver the runtime config — including the database connection string — to an uninitialized DAB instance. It currently runs before the authentication middleware and has no other access control, which is more permissive than required for what is effectively a host-to-runtime bootstrap channel.Change
In
src/Service/Startup.cs, the existing middleware that gatesPOST /configurationnow also checksIsConfigurationRequestAuthorized(HttpContext)and returns403 Forbiddenif it fails. The check enforces:RemoteIpAddress(in-process callers such asTestServer) is treated as loopback.DAB_CONFIG_AUTH_TOKENenvironment variable is set, the request must include a matchingX-DAB-CONFIG-AUTHheader (fixed-time comparison).The rest of the middleware ordering is unchanged.
Backward compatibility
TestServertests keep working unchanged.Tests