Fix SWA linked backend silently re-enabling Easy Auth on API App Service (#249)

xenobiasoft · web-flow · commit 43a5ffd8eb1a · 2026-04-29T07:43:34.000-06:00
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -176,6 +176,7 @@ module staticwebapp 'modules/staticwebapp.bicep' = {
     customDomainName: swaCustomDomainName
     enableCustomDomain: enableSwaCustomDomain
     apiAppResourceId: compute.outputs.apiAppId
+    apiAppName: apiAppName
   }
 }
 
diff --git a/infra/modules/staticwebapp.bicep b/infra/modules/staticwebapp.bicep
@@ -11,6 +11,9 @@ param enableCustomDomain bool = false
 @description('Resource ID of the API App Service to link as a backend. SWA will proxy /api/* requests to it.')
 param apiAppResourceId string
 
+@description('Name of the API App Service. Used to reset Easy Auth after SWA linking re-enables it.')
+param apiAppName string
+
 var tags = {
   environment: environment
   project: 'XenobiaSoftSudoku'
@@ -36,6 +39,27 @@ resource staticWebAppLinkedBackend 'Microsoft.Web/staticSites/linkedBackends@202
   }
 }
 
+// SWA's linkedBackend creation automatically re-enables Easy Auth on the API App Service
+// and configures it to only accept SWA-issued tokens. Reset it here (after linking) so
+// direct callers (e.g. the Blazor App Service) are not blocked by the injected auth layer.
+resource existingApiApp 'Microsoft.Web/sites@2023-12-01' existing = {
+  name: apiAppName
+}
+
+resource apiAuthDisabledAfterLinking 'Microsoft.Web/sites/config@2023-12-01' = {
+  parent: existingApiApp
+  name: 'authsettingsV2'
+  dependsOn: [staticWebAppLinkedBackend]
+  properties: {
+    globalValidation: {
+      requireAuthentication: false
+    }
+    platform: {
+      enabled: false
+    }
+  }
+}
+
 // Binds the custom domain to the SWA production environment.
 // Azure SWA automatically provisions a free managed SSL certificate —
 // no separate cert or SSL module required.
diff --git a/src/frontend/Sudoku.React/public/staticwebapp.config.json b/src/frontend/Sudoku.React/public/staticwebapp.config.json
@@ -1,4 +1,10 @@
 {
+  "routes": [
+    {
+      "route": "/api/*",
+      "allowedRoles": ["anonymous"]
+    }
+  ],
   "navigationFallback": {
     "rewrite": "/index.html",
     "exclude": ["/images/*", "/css/*", "/js/*", "*.{png,jpg,svg,ico,json,woff,woff2,ttf,eot}", "/api/*"]

Original file line number	Diff line number	Diff line change
`@@ -176,6 +176,7 @@ module staticwebapp 'modules/staticwebapp.bicep' = {`
`176`	`176`	`customDomainName: swaCustomDomainName`
`177`	`177`	`enableCustomDomain: enableSwaCustomDomain`
`178`	`178`	`apiAppResourceId: compute.outputs.apiAppId`
	`179`	`+ apiAppName: apiAppName`
`179`	`180`	`}`
`180`	`181`	`}`
`181`	`182`