ASP.NET Core conditional redirect if not authorized - asp.net-core

My ASP.NET Core 6 website has two "areas", Doctors and Patients. Now, if someone is not yet authenticated and tries to access a page in one of those areas, I want to redirect the request to either a Doctors Login or Patients Login depending on the "area" containing the requested page. In other words (for example):
https://example.com/doctors/home redirects to the Doctors Login page
https://example.com/patients/home redirects to the Patients Login page
Is there a "correct" way to set this up, or do I need to come up with some sort of scheme using something like app.UseStatusCodePages (as described in this SO post), or let ASP.NET redirect to a single login page and add code to the GET routine to add yet another redirect based on the request URL, or maybe write some custom pipeline code?
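One way to wire the per-area login redirect asked about above, added here as an example rather than code from the original post: hook the cookie handler's OnRedirectToLogin event so the challenge picks the login page from the area that owns the requested path. It assumes cookie authentication, Razor Pages areas named Doctors and Patients, and login pages at /Doctors/Login and /Patients/Login.

```csharp
// Program.cs (assumed) for an ASP.NET Core 6 Razor Pages app with Doctors and Patients areas.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddRazorPages();

const string fallbackLogin = "/Account/Login"; // used for paths outside either area

builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.LoginPath = fallbackLogin;

        // Runs whenever the cookie handler is about to challenge an unauthenticated request.
        // With ASP.NET Core Identity, put this same hook inside
        // builder.Services.ConfigureApplicationCookie(...) instead of AddCookie.
        options.Events.OnRedirectToLogin = context =>
        {
            PathString requested = context.Request.Path;

            // Choose the login page from the area containing the requested page.
            string loginPath =
                requested.StartsWithSegments("/doctors", StringComparison.OrdinalIgnoreCase) ? "/Doctors/Login"
              : requested.StartsWithSegments("/patients", StringComparison.OrdinalIgnoreCase) ? "/Patients/Login"
              : fallbackLogin;

            // Keep ReturnUrl site-relative (path base + path + query) rather than absolute,
            // so the login page can hand it to LocalRedirect() without seeing a foreign host.
            string returnUrl = context.Request.PathBase + requested + context.Request.QueryString;
            QueryString query = QueryString.Create(options.ReturnUrlParameter, returnUrl);

            // Replaces the default behaviour (redirect to options.LoginPath) for every challenge.
            context.Response.Redirect(context.Request.PathBase.Add(loginPath) + query);
            return Task.CompletedTask;
        };
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapRazorPages();
app.Run();
```

The hook fires only for challenges; pages that are merely forbidden (authenticated but not authorized) go through OnRedirectToAccessDenied instead, which can be handled the same way.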

Related

Is there any method to get custom query params in a controller even when using EnableRequestCaching()?

I'm using Angular SPA with IDServer. In SPA application customers can change the culture but I want to change IDServer's culture for the first login. For example, if customers want to continue with French I have to send a parameter in customQueryParams (angular-oauth2-oidc) for their first login. However, I also use EnableRequestCaching in Startup.cs. I would like to get OpenIdDictRequest in Account/Login method.
Thank you!
If I understand your question correctly, your users are redirected from the SPA to the IDServer with a custom query parameter containing the user's culture.
They would land at your authorization endpoint first, before being redirected to Account/Login. In the authorization endpoint you have the OpenIddictRequest at your disposal. You could send the culture from the OpenIddictRequest along with the redirect to Account/Login, through a query parameter or ViewData.

When to use LocalRedirect vs RedirectToPage

With ASP.Net Core 2.1 Razor Pages, what is the best practice on using LocalRedirect() vs. RedirectToPage()?
It seems they can be used interchangeably when redirecting to a page within the current website. Is there an advantage to one over the other?
LocalRedirect should be used when you're dealing with a "return URL", i.e. you're passing around a URL that the user should be redirected back to after some process is complete, such as logging in. In such cases, a malicious actor could send a user to your login form, for example, with a return URL back to a malicious site. Using LocalRedirect ensures that the "return URL" is a route actually on your site, instead of some malicious third-party bad actor's.
All the other redirect result types can be used when you are directly controlling where the user is being redirected to.
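A concrete illustration of the answer's point, added here and not the answerer's code: a Razor Pages login handler that only follows a "return URL" after confirming it is local. It assumes ASP.NET Core Identity, a Doctors area with a Home page, and a hypothetical evil.example host in the comments.

```csharp
// Areas/Doctors/Pages/Login.cshtml.cs (assumed path), ASP.NET Core Identity assumed.
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

public class LoginModel : PageModel
{
    private readonly SignInManager<IdentityUser> _signInManager;
    public LoginModel(SignInManager<IdentityUser> signInManager) => _signInManager = signInManager;

    [BindProperty] public string Email { get; set; } = "";
    [BindProperty] public string Password { get; set; } = "";

    // Bound from the query string on GET and the form on POST, e.g. ?ReturnUrl=/doctors/home
    [BindProperty(SupportsGet = true)] public string? ReturnUrl { get; set; }

    public async Task<IActionResult> OnPostAsync()
    {
        var result = await _signInManager.PasswordSignInAsync(
            Email, Password, isPersistent: false, lockoutOnFailure: true);
        if (!result.Succeeded)
        {
            ModelState.AddModelError(string.Empty, "Invalid login attempt.");
            return Page();
        }

        // Unsafe alternative, shown for contrast:
        //   return Redirect(ReturnUrl);
        // would send the user to whatever ?ReturnUrl=https://evil.example (or //evil.example)
        // the author of the link to this login form chose.

        // LocalRedirect refuses non-local URLs (it throws when the result executes), so
        // validate first and fall back to a page we control instead of producing a 500.
        if (string.IsNullOrEmpty(ReturnUrl) || !Url.IsLocalUrl(ReturnUrl))
            return RedirectToPage("/Home", new { area = "Doctors" });

        return LocalRedirect(ReturnUrl);
    }
}
```

Url.IsLocalUrl accepts paths starting with a single "/" or "~/" and rejects absolute and protocol-relative URLs, which is the same rule LocalRedirect enforces.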

How does Umbraco secure its internal CMS pages?

I want to add a page to my Umbraco website that only users who are logged into the Umbraco back end will be able to access, but I haven't been able to figure out how Umbraco does its authentication.
All that I've been able to figure out from debugging is that after I log in to Umbraco and check HttpContext.Current.User.Identity.IsAuthenticated, it's false, so it's not doing authentication that way.
Does anyone know where I'd find the code where Umbraco does its authentication checks and sends users back to the login screen if they're not logged in? I need to hook into this and extend it to my new page.
ANSWER
Check umbraco.BusinessLogic.User.GetCurrent() to get the user currently logged in to the Umbraco back end.
Check out Umbraco's Public Access. This is the mechanism Umbraco uses to secure pages. Umbraco uses a separate membership table for Umbraco Users (back-end) and Umbraco Members (front-end), so you'll have to add the users in twice, if you're wanting the Users to access certain pages.
You'll need to create a login page with some login controls on it. You'll also need an "Error page" which is basically the page the user would be sent to if they were not authorized to view the requested page. Morten Bock Sørensen gives a good walk through for how to set this up in a blog post.
Alternatively, you could place the content you wish to secure in a dashboard in the back-end. You could even hook a user control into the dashboard that pulls the content in dynamically from a node.
Found the answer. All you need to do is check umbraco.BusinessLogic.User.GetCurrent() to see if the user is logged in to the Umbraco back end.

OpenGraph API User Object Sometimes Returns Link that 404s

In my application I allow users to connect their Facebook accounts via oauth for the purpose of posting via our interface. We support both page accounts and regular accounts that simply manage pages.
We also inspect the result of the opengraph API call to get a valid URL to their profile, or page. The primary endpoint we use is https://graph.facebook.com/me (with oauth credentials). For some page-only accounts, the returned object has a 'link' value that, when entered into a web browser, 404s.
The bad URLs I have seen fall into two distinct cases:
The URL can be of the form 'www.facebook.com/{page_id}' which 404s on some pages, but not others.
The URL can be of the form 'www.facebook.com/profile.php?id={user_id}' which more often than not 404s.
The only URL format I have seen that works for all accounts is www.facebook.com/profile.php?id={page_id}. In the first case, we detect that the 'link' field isn't of the proper form (using profile.php?id=...), and construct a URL with the proper structure, and it works.
The next heuristic I'm considering adding is to see if the URL is of the proper form... but uses the {user_id} as the id argument to profile.php, and just construct the URL using the {page_id}. Obviously, this is getting ridiculous.
So, is there a good way to know if an account will give back a link that is invalid? Is this a bug in the API? What is the most reliable way, given a User on the Open Graph API, to get a working link to their profile/page?
Using 'www.facebook.com/{page_id}' or 'www.facebook.com/profile.php?id={user_id}' will always work - they are both the same. The only reason you'll see a 404 is if the Page has been unpublished / deleted or if the user has deactivated their account.

Wordpress authentication and login manager

Is there a way to create a sort of authentication for WordPress which would block unauthorized users from some particular pages and posts but would allow any user to view some pages? I would also like the users of the blog to be able to register and log in through Facebook Connect or Google accounts. Is this possible?
For the authentication purpose you can use the the_content filter and check for the conditions in there.
If you don't want unregistered users to view the post you can check the condition using is_single() and is_user_logged_in(); there are other conditional tags like is_page(), is_home(), etc. Use the following code to check whether a particular template is active: http://www.wprecipes.com/how-to-check-if-a-page-template-is-active
You can even selectively allow some users to access a post or page by comparing their user IDs if they are logged in.