I know I ran across a post at some point, but I can't seem to find anything. It seems that by default, ServiceStack allows access to /auth via GET or POST. GET is not something we want in production.
I need to turn off GET access to /auth. Any ideas?
You can use the AuthenticateServices custom ValidateFn to add your own custom validation, e.g:
AuthenticateService.ValidateFn = (authService, verb, requestDto) => {
if (verb == HttpMethods.Get)
throw new NotSupportedException("GET's not allowed");
};
Otherwise you can add your own Restricting Services Attributes on services you don't own by using the fluent API for dynamically adding attributes, e.g:
typeof(Authenticate)
.AddAttributes(new RestrictAttribute(RequestAttributes.HttpPost));