openwallet-foundation · swcurran · Feb 19, 2024 · Feb 16, 2024 · Feb 16, 2024 · Feb 16, 2024
diff --git a/aries_cloudagent/admin/server.py b/aries_cloudagent/admin/server.py
@@ -299,7 +299,7 @@ def _matches_additional_routes(self, path: str) -> bool:
     async def make_application(self) -> web.Application:
         """Get the aiohttp application instance."""
 
-        middlewares = [ready_middleware, debug_middleware, validation_middleware]
+        middlewares = [ready_middleware, debug_middleware]
 
         # admin-token and admin-token are mutually exclusive and required.
         # This should be enforced during parameter parsing but to be sure,
@@ -453,6 +453,9 @@ async def setup_context(request: web.Request, handler):
 
         middlewares.append(setup_context)
 
+        # Register validation_middleware last avoiding unauthorized validations
+        middlewares.append(validation_middleware)
+
         app = web.Application(
             middlewares=middlewares,
             client_max_size=(