ASP.NET Core 2 - How to remove scaffolded routes? - asp.net-core

ASP.NET Core 2.x includes some pre-made scaffolded routes, like the login page, settings, etc. I am working on something that only has OAuth login buttons, and no settings. This means that I don't want users to be able to register with an email, and I don't want any settings pages.
I can remove the link to things like the Settings page , however the routes still exist and can be accessed by typing them in. How do I disable these routes so they are completely inaccessible?
Basically everything under the /Identity/Account/* route, except for the login page should not be available.

What you're referring to is the default Identity UI. It's included whenever you register Identity with services.AddDefaultIdentity or explicitly call AddDefaultUI when registering via the other IServiceCollection extensions (AddIdentity/AddIdentityCore). You cannot pick or choose what will or will not be included in the default UI, so if you don't want a part of it, then you cannot use it at all. Therefore, change the services.AddDefaultIdentity line to services.AddIdentity instead.
Once that's complete, you can use the Identity scaffold to include certain parts of the default UI in your application. Right click on your project and choose Add > New Scaffolded Item.... Then pick Identity on the left, and OK to use the only Identity scaffold available. On the resulting window, you can check the pages you want to include, and then click OK again.

For disabling the specific route for Razor Page, you could try IAsyncPageFilter.
public class DisableIdentityAsyncPageFilter : IAsyncPageFilter
{
public DisableIdentityAsyncPageFilter()
{
}
public async Task OnPageHandlerSelectionAsync(
PageHandlerSelectedContext context)
{
await Task.CompletedTask;
}
public async Task OnPageHandlerExecutionAsync(
PageHandlerExecutingContext context,
PageHandlerExecutionDelegate next)
{
if (context.HttpContext.Request.Path.StartsWithSegments("/Identity") &&
!context.HttpContext.Request.Path.StartsWithSegments("/Identity/Account/Login"))
{
context.Result = new StatusCodeResult(404);
}
else
{
await next.Invoke();
}
}
}
And then configure in Startup.cs
services.AddMvc(options => {
options.Filters.Add(typeof(DisableIdentityAsyncPageFilter));
}).SetCompatibilityVersion(CompatibilityVersion.Version_2_2);

Related

How to protect multiple routes from unauthorized access in Next.js using next-auth

I am using Next.js and I have a folder learning inside my pages folder. Now, this learning folder has about 10 pages.
All these pages need to redirect to the index page if the user is not logged in. The following code does the job, but is there any other way to protect multiple pages, so that I don't need to add this same code again and again to all the pages ?
export async function getServerSideProps(context) {
//redirect to index page if not logged in
const session = await unstable_getServerSession(context.req, context.res, authOptions);
if (!session) {
return {
redirect: {
destination: '/',
permanent: false
}
}
}
}
I believe you are confused between protecting pages and protecting API ROUTES.
If you simply want to protect pages, you can indeed use middleware
However, if you wish to protect API Routes (e.g prevent a user from deleting data using your API endpoint and postman), I believe you need to use this unstable_getServerSession
Except creating reusable function, it's true that I didn't find anywhere in the doc how to set it for multiple paths in one folder only...
you can use middleware. docs: https://next-auth.js.org/configuration/nextjs#middleware
Create a middleware.ts (or .js) file at the root or in the src directory (same level as your pages).
If you only want to secure certain pages, export a config object with a matcher:
export { default } from "next-auth/middleware"
// otherwise your app would require authentication for all
export const config = { matcher: ["/dashboard"] }
Now you will still be able to visit every page, but only /dashboard
will require authentication.
If a user is not logged in, the default behavior is to redirect them
to the sign-in page.
that example is from the docs. You can also write a custom middleware
import { NextResponse } from "next/server";
export function middleware(req) {
const sessionCookie = req.cookies.get("session");
}
// you could add more if logic for other pages
if (req.nextUrl.pathname.startsWith("/admin ")) {
if (!sessionCookie) {
return NextResponse.redirect("/home");
}
}

How to use UseExceptionHandler in the mvc startup without redirecting the user?

I have a ASP.NET Core 2.1 MVC application, and I'm trying to return a separate html view when an exception occurs. The reason for this is that if there are errors, we don't want google to register the redirects to the error page for our SEO (I've omitted development settings to clear things up).
Our startup contained this:
app.UseExceptionHandler("/Error/500"); // this caused a redirect because some of our middleware.
app.UseStatusCodePagesWithReExecute("/error/{0}");
But we want to prevent a redirect, so we need to change the UseExceptionHandler.
I've tried to use the answer from this question like below:
app.UseExceptionHandler(
options =>
{
options.Run(
async context =>
{
context.Response.StatusCode = (int)HttpStatusCode.InternalServerError;
context.Response.ContentType = "text/html";
await context.Response.WriteAsync("sumtin wrong").ConfigureAwait(false);
});
});
But this gives a very ugly page without any styling. Another solution we've tried to use is creating an error handling middle ware, but there we run into the same problem there where we can't add a view.
How can I return a styled view in case of an exception, without redirecting the user?
EDIT: the UseExceptionHandler doesn't cause a redirect, it was caused by a bug in some of our middleware.
How can I return a styled view in case of an exception, without redirecting the user?
You're almost there. You could rewrite(instead of redirect) the path, and then serve a HTML according to current path.
Let's say you have a well-styled sth-wrong.html page in your wwwroot/ folder. Change the code as below:
app.UseExceptionHandler(appBuilder=>
{
// override the current Path
appBuilder.Use(async (ctx, next)=>{
ctx.Request.Path = "/sth-wrong.html";
await next();
});
// let the staticFiles middleware to serve the sth-wrong.html
appBuilder.UseStaticFiles();
});
[Edit] :
Is there anyway where I can make use of my main page layout?
Yes. But because a page layout is a View Feature that belongs to MVC, you can enable another MVC branch here
First create a Controllers/ErrorController.cs file :
public class ErrorController: Controller
{
public IActionResult Index() => View();
}
and a related Views/Error/Index.cshtml file:
Ouch....Something bad happens........
Add a MVC branch in middleware pipeline:
app.UseExceptionHandler(appBuilder=>
{
appBuilder.Use(async (ctx, next)=>{
ctx.Request.Path = "/Error/Index";
await next();
});
appBuilder.UseMvc(routes =>{
routes.MapRoute(
name: "sth-wrong",
template: "{controller=Error}/{action=Index}");
});
});
Demo:

Recommend way to make a UI middleware in aspnet core 1

I am trying to make a UI middleware and wanted to know what's the recommended way to go about it.
Should I do a AddMVC again in my middleware and give it a custom route or go by embedding resources.
I tried to make a MVC inside my middleware and I am able to hit the controller with the custom route but not the views in my middleware project. The sample website seems to always only look inside the main MVC views folder.
Let me know if you need more information and I will update the question accordingly.
Try to use embed views. You need to add:
"buildOptions": { "embed": [ "Views/**" ] },
Then you should tell mvc to look inside embed files
services
.AddMvc()
.AddRazorOptions(
o =>
{
o.FileProviders.Add(new EmbeddedFileProvider(yourAssembly, yourAssembly.GetName().Name));
}
);
You alse could try application parts:
AssemblyPart part = new AssemblyPart(yourAssembly);
mvcBuilder.ConfigureApplicationPartManager(manager =>
{
manager.ApplicationParts.Add(part);
});
foreach (var applicationPart in mvcBuilder.PartManager.ApplicationParts)
{
var assemblyPart = applicationPart as AssemblyPart;
if (assemblyPart != null)
{
mvcBuilder.AddRazorOptions(options =>
{
options.FileProviders.Add(new EmbeddedFileProvider(assemblyPart.Assembly, applicationPart.Name));
});
}
}
Hope it helps

Show pages based on authentication roles in Durandal SPA, MVC web app?

what i'm trying to do is lock down certain pages in my durandal(knockoutjs/breezejs) SPA app based on a user's authenticated role (ie, if you're an admin, etc, you should see pages that others shouldn't).
ideally, server code could be used to either output the link or not based on role, but since durandal and SPA apps don't really work that way with server code, i'm at a loss.
i realize this question has been asked in other forms here (i.e. how to use .cshtml (server) pages with Durandal), and this could be an option if perhaps i could get it to work. i have yet to find a very complete example that works for me.
any ideas appreciated!
You can keep your routing information on the server and supply it to the application on initialization.
For example. In the activate method of your shell viewmodel
shell.js
define(['durandal/system', 'plugins/router', 'durandal/app', 'services/datacontext'],
function (system, router, app, datacontext) {
var routeInfo = ko.observable();
var shell = {
activate: activate,
router: router
};
return shell;
//#region Internal Methods
function activate() {
app.title = "Sample App";
return boot();
}
function boot() {
return datacontext.getRouteInformation(routeInfo).then(function() {
return router.map(routeInfo()).buildNavigationModel().mapUnknownRoutes('error', 'Error').activate();
});
}
//#endregion
});
my datacontext.getRouteInformation() gets a json array of route information based on the current users security context and populates the routeInfo observable. that observable is then passed to the map function to create the users valid routes etc.
I know this doesn't fully "lock down" the html files etc, but all of my controllers and actions have authorization attributes on them, so the data is protected.

Refresh MVC view after logging in using Angular

Working with the Breeze Angular SPA template found here, http://www.breezejs.com/samples/breezeangular-template, I'm trying to update a menu that changes after user authenticates.
My example is slightly different from the default template in that I've moved the Login and Register views into modal windows. When the modal closes after a successful login, the menu, which is in the MVC View (and not the Angular View) does not update as a complete page refresh does not occur.
In the SPA template, authentication is required before entering the SPA, then a hard redirect/refresh occurs and the SPA is loaded. In my case, you could be browsing views/pages in the SPA before authenticating.
MVC View Code Snippet (Views/Home/Index.cshtml)
...
<li>
#if (#User.Identity.IsAuthenticated)
{
User Logged In: #User.Identity.Name
}
else
{
User Logged In: Annon
}
</li></ul>
<div ng-app="app">
<div ng-view></div>
</div>
....
I have working the root redirect, after login, the page hard refreshes if json.redirect is set to '/'. However, if its set to the current page, i.e. '#/about', Angular handles the routing and therefore no hard refresh occurs, thus the menu is not updated.
Ajax Login Code Snippet (App/ajaxlogin.js)
... part of login/register function
if (json.success) {
window.location = json.redirect || location.href;
} else if (json.errors) {
displayErrors($form, json.errors);
}
...
Is this possible to do using my current setup? Or do I need to move the menu somewhere inside the SPA and use Angular to determine what menu to show? If the latter, direction in how to best do this? I'm new to both Angular and Breeze.
The TempHire sample in Breeze has a really good way of handling authentication for a SPA (in my opinion at least!) Granted this is using Durandal so you will need to adapt it to Angular, but they are both frameworks doing the same basic principles so good luck! -
Basically, the Controller action has an annotation [Authorize] on the action that the prepare method is calling on the entitymanagerprovider. If a 401 is returned (not authorized) the SPA takes the bootPublic path and only exposes a login route to the user. When the login is successful, the login method tells the window to reload everything, at which time the authorization passes, and the bootPrivate method is called -
shell.js (Durandal, but should be adaptable)
//#region Internal Methods
function activate() {
return entitymanagerprovider
.prepare()
.then(bootPrivate)
.fail(function (e) {
if (e.status === 401) {
return bootPublic();
} else {
shell.handleError(e);
return false;
}
});
}
function bootPrivate() {
router.mapNav('home');
router.mapNav('resourcemgt', 'viewmodels/resourcemgt', 'Resource Management');
//router.mapRoute('resourcemgt/:id', 'viewmodels/resourcemgt', 'Resource Management', false);
log('TempHire Loaded!', null, true);
return router.activate('home');
}
function bootPublic() {
router.mapNav('login');
return router.activate('login');
}
login.js -
function loginUser() {
if (!self.isValid()) return Q.resolve(false);
return account.loginUser(self.username(), self.password())
.then(function() {
window.location = '/';
return true;
})
.fail(self.handleError);
}
The account.loginUser function is basically just an ajax call that passes credentials to the account controller and returns a success or failure. On success you can see the callback is fired for window.location = '/' which does a full reload. On failure simply show an alert or something.