PatchingMatching

Reputation: 91

What goes through my .NET core middleware pipeline

So I have a middleware implemented that blocks requests based on Basic Auth in the header at the moment. And I'm then using Selenium to open a browser window with the application. Here I thought I would need to implement some simple cookie handling to be able to click around on the website through some links. So far, though, it's working without any cookies. It feels like there are some very basic network traffic rules going on here that keep it sending the same headers. But I can't help but wonder when this will come back to haunt me: will it keep working as long as I stay on the same domain, or will it break during some scenarios?

Configure method:

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Error");
        // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
        app.UseHsts();
    }

    app.UseHttpsRedirection();
    app.UseStaticFiles();

    app.UseRouting();

    //app.UseAuthentication();
    //app.UseAuthorization();

    app.UseMiddleware<BasicAuthMiddleware>();

    app.UseBrowserLink();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllers();
        endpoints.MapBlazorHub();
        endpoints.MapFallbackToPage("/_Host");
    });
}

And the middleware:

using System;
using System.Net;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

public class BasicAuthMiddleware
{
    private readonly RequestDelegate _next;

    public BasicAuthMiddleware(RequestDelegate next)
    {
        _next = next;
    }

    public async Task InvokeAsync(HttpContext context, ILogger<BasicAuthMiddleware> logger)
    {
        bool auth = false;
        string username;
        try
        {
            // Parse "Authorization: Basic <base64(user:pass)>"; throws on a missing or malformed header
            var authHeader = AuthenticationHeaderValue.Parse(context.Request.Headers["Authorization"]);
            logger.LogInformation("AuthHeader: " + authHeader);
            var credentialBytes = Convert.FromBase64String(authHeader.Parameter);
            var credentials = Encoding.UTF8.GetString(credentialBytes).Split(new[] { ':' }, 2);
            username = credentials[0];
            var password = credentials[1];
            // NOTE: this writes the plaintext password to the application log
            logger.LogInformation("Found username & password: " + username + ":" + password);
            if (username == "testname" && password == "testpass")
            {
                auth = true;
            }
        }
        catch (Exception)
        {
            // Any parse failure (no header, bad base64, no ':') leaves auth == false
        }

        if (auth)
        {
            logger.LogInformation("Auth Passed");
            await _next(context);
        }
        else
        {
            // Short-circuits the pipeline with a bare 401; no WWW-Authenticate challenge is sent
            logger.LogInformation("Auth Failed");
            context.Response.StatusCode = (int) HttpStatusCode.Unauthorized;
            return;
        }
    }
}

Upvotes: 0

Views: 364

Answers (1)

Gordon Khanh Ng.

Reputation: 1670

I'm pretty sure that this won't come back to haunt you, because according to your code, I saw you have disabled both app.UseAuthentication(); and app.UseAuthorization();, and use your custom authentication middleware (which is not actually authentication, because it does not set the User info that represents and sticks with the HttpRequest; it just allows the request to pass through). Which, again, does not validate the user by cookie, but on the header.

So... even if the cookie is there, that won't matter anyway, because you're not using it in the first place.

Upvotes: 1
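A hardened variant covering both points above (the asker's middleware never populates HttpContext.User, and the browser resends the header because Basic credentials are cached per origin/realm), written here as an added example rather than code from the question or answer; it reuses the asker's BasicAuthMiddleware class name, and the credential literals are placeholders for values read from configuration.

```csharp
using System;
using System.Net;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;
// Hypothetical hardened variant of the question's middleware; not the asker's code.
public class BasicAuthMiddleware
{
    private readonly RequestDelegate _next;
    // Placeholder credentials; a real deployment reads these from configuration or a secret store.
    private const string ExpectedUser = "testname";
    private static readonly byte[] ExpectedPassword = Encoding.UTF8.GetBytes("testpass");
    public BasicAuthMiddleware(RequestDelegate next) => _next = next;
    public async Task InvokeAsync(HttpContext context, ILogger<BasicAuthMiddleware> logger)
    {
        if (TryGetCredentials(context, out var username, out var password)
            && username == ExpectedUser
            && CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(password), ExpectedPassword))
        {
            // Set HttpContext.User so [Authorize] and downstream code see an authenticated identity.
            var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, username) }, "Basic");
            context.User = new ClaimsPrincipal(identity);
            logger.LogInformation("Basic auth passed for {User}", username); // never log the password
            await _next(context);
            return;
        }
        // The realm challenge is what makes a browser cache and resend the credentials per origin.
        context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
        context.Response.Headers["WWW-Authenticate"] = "Basic realm=\"app\", charset=\"UTF-8\"";
        logger.LogWarning("Basic auth failed from {Ip}", context.Connection.RemoteIpAddress);
    }
    // Parses "Authorization: Basic base64(user:pass)"; rejects other schemes and malformed values.
    public static bool TryGetCredentials(HttpContext context, out string username, out string password)
    {
        username = password = null;
        if (!AuthenticationHeaderValue.TryParse(context.Request.Headers["Authorization"], out var header)
            || !string.Equals(header.Scheme, "Basic", StringComparison.OrdinalIgnoreCase)
            || string.IsNullOrEmpty(header.Parameter)) return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Parameter)); }
        catch (FormatException) { return false; }
        var parts = decoded.Split(':', 2);
        if (parts.Length != 2) return false;
        (username, password) = (parts[0], parts[1]);
        return true;
    }
}
```

It is registered exactly as in the question's Configure method, with app.UseMiddleware<BasicAuthMiddleware>() after app.UseRouting().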
