From 201768e71629e321f1c6f5188cf837ed1dbac0b3 Mon Sep 17 00:00:00 2001
From: David Nguyen
Date: Wed, 21 Jan 2026 13:07:03 -0500
Subject: [PATCH] Revert AllowAnonymous endpoint propagation

Remove the WithAllowAnonymousIfAttributePresent helper method. Authorization should be handled by IQueryAuthorizationService and ICommandAuthorizationService implementations, not by ASP.NET Core middleware.

Co-Authored-By: Claude Opus 4.5
---
 .../EndpointRouteBuilderExtensions.cs | 22 ++++---------------
 1 file changed, 4 insertions(+), 18 deletions(-)

diff --git a/Svrnty.CQRS.MinimalApi/EndpointRouteBuilderExtensions.cs b/Svrnty.CQRS.MinimalApi/EndpointRouteBuilderExtensions.cs
index 1a6498d..fe5e3f0 100644
--- a/Svrnty.CQRS.MinimalApi/EndpointRouteBuilderExtensions.cs
+++ b/Svrnty.CQRS.MinimalApi/EndpointRouteBuilderExtensions.cs
@@ -83,8 +83,7 @@ public static class EndpointRouteBuilderExtensions
 .Produces(200, queryMeta.QueryResultType)
 .Produces(400)
 .Produces(401)
- .Produces(403)
- .WithAllowAnonymousIfAttributePresent(queryMeta.QueryType);
+ .Produces(403);
 }

 private static void MapQueryGet(
@@ -147,8 +146,7 @@ public static class EndpointRouteBuilderExtensions
 .Produces(200, queryMeta.QueryResultType)
 .Produces(400)
 .Produces(401)
- .Produces(403)
- .WithAllowAnonymousIfAttributePresent(queryMeta.QueryType);
+ .Produces(403);
 }

 public static IEndpointRouteBuilder MapSvrntyCommands(this IEndpointRouteBuilder endpoints, string routePrefix = "api/command")
@@ -215,8 +213,7 @@ public static class EndpointRouteBuilderExtensions
 .Produces(200)
 .Produces(400)
 .Produces(401)
- .Produces(403)
- .WithAllowAnonymousIfAttributePresent(commandMeta.CommandType);
+ .Produces(403);
 }

 private static void MapCommandWithResult(
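Review bot: Nothing on the new side tells a maintainer that `[AllowAnonymous]` on a query or command type is no longer honoured, so the attribute becomes silently inert at the endpoint level in the chain of the first hunk (new line 83 onward) and likewise in the hunks at 146, 213 and 260. In a host that configures a fallback authorization policy, these endpoints will presumably return 401 before IQueryAuthorizationService or ICommandAuthorizationService is consulted. In a host without one, those services are the only gate, so the handler should deny when no implementation is registered. I would add a comment above each chain along the lines of `// Authorization is enforced by IQueryAuthorizationService inside the handler; [AllowAnonymous] on the query type is intentionally not propagated to endpoint metadata.`, with the command-service wording for the two command mappers. The enclosing methods start and end outside the hunks, so whether the handlers fail closed cannot be confirmed from here.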
@@ -263,17 +260,6 @@ public static class EndpointRouteBuilderExtensions
 .Produces(200, commandMeta.CommandResultType)
 .Produces(400)
 .Produces(401)
- .Produces(403)
- .WithAllowAnonymousIfAttributePresent(commandMeta.CommandType);
- }
-
- private static RouteHandlerBuilder WithAllowAnonymousIfAttributePresent(this RouteHandlerBuilder builder, Type type)
- {
- var allowAnonymousAttribute = type.GetCustomAttribute();
- if (allowAnonymousAttribute != null)
- {
- builder.AllowAnonymous();
- }
- return builder;
+ .Produces(403);
 }
 }