Re-run routing for implicit middlewares that require endpoints

src/Antiforgery/src/AntiforgeryApplicationBuilderExtensions.cs

@@ -3,6 +3,8 @@
 
 using Microsoft.AspNetCore.Antiforgery;
 using Microsoft.AspNetCore.Antiforgery.Internal;
+using Microsoft.AspNetCore.Routing;
+using Microsoft.Extensions.DependencyInjection;
 
 namespace Microsoft.AspNetCore.Builder;
 
@@ -24,6 +26,19 @@ public static IApplicationBuilder UseAntiforgery(this IApplicationBuilder builde
         builder.VerifyAntiforgeryServicesAreRegistered();
 
         builder.Properties[AntiforgeryMiddlewareSetKey] = true;
+
+        // The anti-forgery middleware adds annotations to HttpContext.Items to indicate that it has run
+        // that will be validated by the EndpointsRoutingMiddleware later. To do this, we need to ensure
+        // that routing has run and set the endpoint feature on the HttpContext associated with the request.
+        if (builder.Properties.TryGetValue(RerouteHelper.GlobalRouteBuilderKey, out var routeBuilder) && routeBuilder is not null)
+        {
+            return builder.Use(next =>
+            {
+                var newNext = RerouteHelper.Reroute(builder, routeBuilder, next);
+                var antiforgery = builder.ApplicationServices.GetRequiredService<IAntiforgery>();
+                return new AntiforgeryMiddleware(antiforgery, newNext).Invoke;
+            });
+        }
         builder.UseMiddleware<AntiforgeryMiddleware>();
 
         return builder;

src/Antiforgery/src/Microsoft.AspNetCore.Antiforgery.csproj

@@ -26,5 +26,6 @@
 
   <ItemGroup>
     <Compile Include="$(SharedSourceRoot)HttpMethodExtensions.cs" LinkBase="Shared"/>
+    <Compile Include="$(SharedSourceRoot)Reroute.cs" LinkBase="Shared"/>
   </ItemGroup>
 </Project>

src/Http/Http.Extensions/src/RequestDelegateFactory.cs

@@ -2014,12 +2014,18 @@ private static Expression BindComplexParameterFromFormItem(
             FormDataMapperMapMethod.MakeGenericMethod(parameter.ParameterType),
             formReader,
             Expression.Constant(FormDataMapperOptions));
-        // ArrayPool<char>.Shared.Return(form_buffer, false);
+        // if (form_buffer != null)
+        // {
+        //   ArrayPool<char>.Shared.Return(form_buffer, false);
+        // }
         var returnBufferExpr = Expression.Call(
             Expression.Property(null, typeof(ArrayPool<char>).GetProperty(nameof(ArrayPool<char>.Shared))!),
             ArrayPoolSharedReturnMethod,
             formBuffer,
             Expression.Constant(false));
+        var conditionalReturnBufferExpr = Expression.IfThen(
+            Expression.NotEqual(formBuffer, Expression.Constant(null)),
+            returnBufferExpr);
 
         return Expression.Block(
             new[] { formArgument, formReader, formDict, formBuffer },
@@ -2028,7 +2034,7 @@ private static Expression BindComplexParameterFromFormItem(
                     processFormExpr,
                     initializeReaderExpr,
                     Expression.Assign(formArgument, invokeMapMethodExpr)),
-                returnBufferExpr),
+                conditionalReturnBufferExpr),
             formArgument
         );
     }

src/Security/Authentication/Core/src/AuthAppBuilderExtensions.cs

@@ -2,6 +2,8 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using Microsoft.AspNetCore.Authentication;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.AspNetCore.Routing;
 
 namespace Microsoft.AspNetCore.Builder;
 
@@ -22,6 +24,20 @@ public static IApplicationBuilder UseAuthentication(this IApplicationBuilder app
         ArgumentNullException.ThrowIfNull(app);
 
         app.Properties[AuthenticationMiddlewareSetKey] = true;
+
+        // The authentication middleware adds annotation to HttpContext.Items to indicate that it has run
+        // that will be validated by the EndpointsRoutingMiddleware later. To do this, we need to ensure
+        // that routing has run and set the endpoint feature on the HttpContext associated with the request.
+        if (app.Properties.TryGetValue(RerouteHelper.GlobalRouteBuilderKey, out var routeBuilder) && routeBuilder is not null)
+        {
+            return app.Use(next =>
+            {
+                var newNext = RerouteHelper.Reroute(app, routeBuilder, next);
+                var authenticationSchemeProvider = app.ApplicationServices.GetRequiredService<IAuthenticationSchemeProvider>();
+                return new AuthenticationMiddleware(newNext, authenticationSchemeProvider).Invoke;
+            });
+        }
+
         return app.UseMiddleware<AuthenticationMiddleware>();
     }
 }

src/Security/Authentication/Core/src/Microsoft.AspNetCore.Authentication.csproj

@@ -12,6 +12,7 @@
 
   <ItemGroup>
     <Compile Include="$(SharedSourceRoot)SecurityHelper\**\*.cs" />
+    <Compile Include="$(SharedSourceRoot)Reroute.cs" />
   </ItemGroup>
 
   <ItemGroup>

src/Security/Authorization/Policy/src/AuthorizationAppBuilderExtensions.cs

@@ -3,7 +3,9 @@
 
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Authorization.Policy;
+using Microsoft.AspNetCore.Routing;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
 
 namespace Microsoft.AspNetCore.Builder;
 
@@ -30,6 +32,24 @@ public static IApplicationBuilder UseAuthorization(this IApplicationBuilder app)
         VerifyServicesRegistered(app);
 
         app.Properties[AuthorizationMiddlewareSetKey] = true;
+
+        // The authorization middleware adds annotation to HttpContext.Items to indicate that it has run
+        // that will be validated by the EndpointsRoutingMiddleware later. To do this, we need to ensure
+        // that routing has run and set the endpoint feature on the HttpContext associated with the request.
+        if (app.Properties.TryGetValue(RerouteHelper.GlobalRouteBuilderKey, out var routeBuilder) && routeBuilder is not null)
+        {
+            return app.Use(next =>
+            {
+                var newNext = RerouteHelper.Reroute(app, routeBuilder, next);
+                var authorizationPolicyProvider = app.ApplicationServices.GetRequiredService<IAuthorizationPolicyProvider>();
+                var logger = app.ApplicationServices.GetRequiredService<ILogger<AuthorizationMiddleware>>();
+                return new AuthorizationMiddlewareInternal(newNext,
+                    app.ApplicationServices,
+                    authorizationPolicyProvider,
+                    logger).Invoke;
+            });
+        }
+
         return app.UseMiddleware<AuthorizationMiddlewareInternal>();
     }
 

src/Security/Authorization/Policy/src/Microsoft.AspNetCore.Authorization.Policy.csproj

@@ -13,6 +13,7 @@
   <ItemGroup>
     <Compile Include="$(SharedSourceRoot)SecurityHelper\**\*.cs" />
     <Compile Include="..\..\..\..\Http\Routing\src\DataSourceDependentCache.cs" Link="DataSourceDependentCache.cs" />
+    <Compile Include="$(SharedSourceRoot)Reroute.cs" />
   </ItemGroup>
 
   <ItemGroup>