CODEWITHSUNDEEP
c#cookiesasp.net-coreasp.net-core-mvcasp.net-core-1.0
steamrolla
steamrolla

Reputation: 2491

asp.net core w/ cookie middleware - accessing request data on authorization

This question is essentially the same as the one here, but, for asp.net core while using the asp.net core cookie middleware.

Is accessing query string/request body data possible on validation, and if it is, would you encourage the idea? It seems that according to this that it is very much possible, however, are the same rules in play from big boy asp.net (such as you are only to read the request data once in a given requests lifetime)?

Example: I'm creating an app where people have one account, but, are members of different teams. They can perform many different actions in the app, and, they can perform that action while in the "context" of one team or another that they are a member of. So, I have a teamId integer being passed in requests made to the server. I'd like to pull claims off the ClaimsPrincipal verifying that they really are a member of that team in the authorization portion of the pipeline.

Upvotes: 2

Views: 2994

Answers (1)

adem caglin
adem caglin

Reputation: 24123

As you said it is possible to access request's data on OnValidatePrincipal event. So, you can write something like this:

OnValidatePrincipal = async (context) =>
{
      if (context.Request.Path.Value.StartsWith("/teams/")) 
      {
          var teamId = // get team id from Path;

          if (user is not team member)
          {
              context.Response.StatusCode = 403;
          }
      }
}

However, i think your requirement is related Authorization rather than Authentication. I would use Policy-Based Authorization to handle the requirement. Example policy should be like this:

Requirement and Handler:

public class TeamMemberHandler: AuthorizationHandler<TeamMemberRequirement>
{
    private readonly IActionContextAccessor _accessor; // for getting teamId from RouteData
    public TeamMemberHandler(IActionContextAccessor accessor)
    {
        _accessor = accessor;
    }
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, TeamMemberRequirement requirement)
    {
        var teamId = // get teamId with using _accessor
        if (user is not member of team(by teamId))
        {
            context.Fail();
        }
        return Task.FromResult(0);
    }
}
public class TeamMemberRequirement : IAuthorizationRequirement
{
}

Configure Services:

public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();
    services.AddSingleton<IActionContextAccessor, ActionContextAccessor>();
    services.AddAuthorization(options =>
    {
        options.AddPolicy("TeamMember",
                          policy => policy.Requirements.Add(new TeamMemberRequirement()));
    });

    services.AddSingleton<IAuthorizationHandler, TeamMemberHandler>();
}

Finally use it on top of controller(or if you want, you can add filter globally) 

Authorize[(Policy = "TeamMember")]
public class TeamHomeController : Controller
{
    // Authorize[(Policy = "AnotherPolicy")]
    public IActionResult Index(){}
}

Upvotes: 7

Related Questions