From 0bae83165efa50baf109562437c1c2d8e928d976 Mon Sep 17 00:00:00 2001
From: jennyf19
Date: Fri, 26 Feb 2021 19:34:54 -0800
Subject: [PATCH] remove scope attribute from the templates for azure function (#1030)
---
 .../templates/Functions-CSharp/SampleFunc.cs | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/ProjectTemplates/templates/Functions-CSharp/SampleFunc.cs b/ProjectTemplates/templates/Functions-CSharp/SampleFunc.cs
index 9ff86b840..984240c48 100644
--- a/ProjectTemplates/templates/Functions-CSharp/SampleFunc.cs
+++ b/ProjectTemplates/templates/Functions-CSharp/SampleFunc.cs
@@ -20,6 +20,10 @@ namespace Company.FunctionApp1
 public class SampleFunc
 {
 private readonly ILogger _logger;
+#if (!NoAuth)
+ // The web API will only accept tokens 1) for users, and 2) having the "api-scope" scope for this API
+ static readonly string[] scopeRequiredByApi = new string[] { "access_as_user" };
+#endif
 #if (GenerateApi)
 private readonly IDownstreamWebApi _downstreamWebApi;
@@ -31,7 +35,6 @@ public SampleFunc(ILogger logger,
 }
 [FunctionName("SampleFunc")]
- [RequiredScope("access_as_user")] // The Azure Function will only accept tokens 1) for users, and 2) having the "access_as_user" scope for this API
 public async Task Run(
 [HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req)
 {
@@ -41,6 +44,8 @@ public async Task Run(
 await req.HttpContext.AuthenticateAzureFunctionAsync();
 if (!authenticationStatus) return authenticationResponse;
+ req.HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
+
 using var response = await _downstreamWebApi.CallWebApiForUserAsync("DownstreamApi").ConfigureAwait(false);
 if (response.StatusCode == System.Net.HttpStatusCode.OK)
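Review bot: The comment added above `scopeRequiredByApi` names the scope as "api-scope" while the array it documents holds "access_as_user", so the two disagree in every rendered project; the comment on the removed `[RequiredScope]` line had the right value. Suggest `// The Azure Function will only accept tokens 1) for users, and 2) having the "access_as_user" scope for this API`. The new field also carries no explicit access modifier, unlike the neighbouring `private readonly ILogger _logger;`; `private static readonly string[] scopeRequiredByApi = new[] { "access_as_user" };` keeps the surrounding style. The SampleFunc class continues past the hunk.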
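Review bot: The new `req.HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);` replaces a declarative `[RequiredScope]` with an imperative check whose failure path is not handled here; as far as I recall that Microsoft.Identity.Web method reports a missing scope by throwing, and an Azure Function has no MVC filter to translate that, so a token without the scope would most likely surface as an unhandled exception (HTTP 500) rather than an explicit forbidden response — worth confirming and, if so, catching it and returning a 403 result alongside the existing `return authenticationResponse;`. The same applies to the identical calls in the @@ -84 and @@ -110 hunks. Note also that `scopeRequiredByApi` is declared under `#if (!NoAuth)` while none of the three call sites shows a guard; if the Run bodies are not themselves inside that conditional, the NoAuth rendering of the template will not compile. The enclosing Run method starts outside the hunk.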
@@ -74,7 +79,6 @@ public SampleFunc(ILogger logger,
 }
 [FunctionName("SampleFunc")]
- [RequiredScope("access_as_user")] // The Azure Function will only accept tokens 1) for users, and 2) having the "access_as_user" scope for this API
 public async Task Run(
 [HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req)
 {
@@ -84,6 +88,8 @@ public async Task Run(
 await req.HttpContext.AuthenticateAzureFunctionAsync();
 if (!authenticationStatus) return authenticationResponse;
+ req.HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
+
 var user = await _graphServiceClient.Me.Request().GetAsync();
 string responseMessage = string.IsNullOrEmpty(user.DisplayName)
@@ -100,7 +106,6 @@ public SampleFunc(ILogger logger)
 }
 [FunctionName("SampleFunc")]
- [RequiredScope("access_as_user")] // The Azure Function will only accept tokens 1) for users, and 2) having the "access_as_user" scope for this API
 public async Task Run(
 [HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req)
 {
@@ -110,6 +115,8 @@ public async Task Run(
 await req.HttpContext.AuthenticateAzureFunctionAsync();
 if (!authenticationStatus) return authenticationResponse;
+ req.HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
+
 string name = req.HttpContext.User.Identity.IsAuthenticated ? req.HttpContext.User.GetDisplayName() : null;
 string responseMessage = string.IsNullOrEmpty(name)