We use Azure App Services to host the reporting engine API.
Azure App Services validate all incoming requests to ensure they come in with valid Bearer JWT tokens. Your suggested workaround of validating the tokens only on some requests in the application would require us to turn off built-in Azure validation, which elevates security risks.
Can you please ensure [authenticationToken] is added to ALL requests from the Angular tr-viewer to the API, not just some requests?
Please redesign the viewer to authenticate all of its requests to the backend service, including but not limited to the requests the report viewer makes to download generated report documents as attachments, whether it performs those GET document requests through window.open() or by any other method.
We appreciate your efforts to obfuscate such requests; however, these efforts need to be in addition to, and not instead of, industry standard security practices.
Thank you very much,
Calpine Energy Solutions
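One way a viewer can attach the Bearer token to document downloads instead of issuing them through window.open(), as an added example that is not part of the message above or of the tr-viewer itself: fetch the document with an explicit Authorization header and save the returned blob. The names downloadReportDocument, getToken and the saveBlob callback are assumptions, not tr-viewer API.

```javascript
// Added example (not tr-viewer code). A window.open() navigation carries no
// custom headers, so a Bearer-only backend rejects it; a fetch() with an
// Authorization header goes through the same validation as every other API call.

function authenticatedRequestInit(token) {
  if (typeof token !== "string" || token.length === 0) {
    throw new Error("missing bearer token");
  }
  return {
    method: "GET",
    headers: { Authorization: `Bearer ${token}` },
    credentials: "omit", // rely on the token, not on ambient cookies
  };
}

function fileNameFromDisposition(value, fallback = "report.pdf") {
  // Minimal Content-Disposition parser: handles filename="x", filename=x
  // and the RFC 5987 filename*=UTF-8''x form.
  const m = /filename\*?=(?:UTF-8'')?"?([^";]+)"?/i.exec(value || "");
  return m ? decodeURIComponent(m[1]) : fallback;
}

// fetchImpl and saveBlob are injected so the function runs in a browser
// (window.fetch, anchor-download) and is testable outside one.
async function downloadReportDocument(documentUrl, token, fetchImpl, saveBlob) {
  const response = await fetchImpl(documentUrl, authenticatedRequestInit(token));
  if (!response.ok) {
    throw new Error(`document request failed: HTTP ${response.status}`);
  }
  const blob = await response.blob();
  const name = fileNameFromDisposition(response.headers.get("content-disposition"));
  await saveBlob(blob, name);
  return blob.size;
}

// Browser usage (assumption: getToken() returns the viewer's current JWT):
// downloadReportDocument(url, getToken(), fetch, (blob, name) => {
//   const a = document.createElement("a");
//   a.href = URL.createObjectURL(blob);
//   a.download = name;
//   a.click();
//   URL.revokeObjectURL(a.href);
// });
```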