YashaswiKS

Reputation: 11

Regarding Blazor Web App (.NET 8) and Migration from .NET 6

A Little Background:

I've developed a Blazor Server Application in .NET 6. Because it is a completely Server Side Application, we did not see the need for a Web API powering the Project; instead we had a Class Library project which used Dapper for all the Data Access Logic, and the Blazor Server Project had a reference to this Class Library, through which it performed CRUD Operations.

The Class Library also had logic for Authentication and Authorization using ASP.NET Identity. So effectively all the Business Rules and Logic were written in the Class Library, and the Blazor Server Project used to refer to this Class Library.

So now with Blazor Web App (.NET 8),

If I have a component in InteractiveAuto render mode in the .Client Project, does it need a Web API? Because the code gets downloaded to the Client Machine.

If it needs a Web API, then can my Server project in Blazor Web App be configured to serve as an API? And how do I handle the authentication and authorization part of the Web APIs? How can I authenticate my APIs in specific components where the renderMode is InteractiveAuto without asking the User to enter credentials again?

This is an architecture-related Question. I've already solved it myself by just referencing the Class Library in the Client Side Project, but I want to know the best and safest way of using InteractiveAuto in a Blazor Web App Project.

Upvotes: 1

Views: 844

Answers (2)

Chris Schaller

Reputation: 16669

We cannot overstate how important this is. You should not expose all of your authentication and database access logic in the client side assemblies.

Web API controllers in the server project, or as a separate API deployment if you wish, are a good way to encapsulate your IP and secrets to protect your product.

While an exaggeration, it can be helpful to assume that in Blazor the client side code is handed over openly to the client. That means you are not just exposing your keys but you are also handing over the instructions on how to access your database directly to malicious operators.

You might not think this is a problem because you trust your users, but this code is handed over before the user even attempts to authenticate. This means that a bot can access this information and could easily discover how to log in to your database directly.

You are protected to a degree if you are using a 3rd party hosted identity provider like Entra ID but only if the database is also using the same authority to authenticate user access.

You have indicated that neither of these is in place and you are using the standard ASP.NET Identity implementation, which is very well documented. This means that the level of effort required to compromise your site will be very low compared to other sites.

You might not think that you would be a target; who would even know to look for your site? But if your site is already deployed, then statistically you are already compromised, because malicious bots and web crawlers have already indexed your site and stored your logic, even if they have not tried to crack it yet. You should change your access keys to the database and consider changing all passwords in your identity database, even if they were not stored in a reversible format.

This is a well-known exploit of JavaScript client side applications. Blazor makes it even easier to hack than before because the implementations are more standardised than most JavaScript SPA apps.

Upvotes: 0

Suryateja KONDLA

Reputation: 1576

I suggest writing all API controllers and authentication logic in the server project. Create a models project and reference this in both the client and server projects, so your authentication is not downloaded and only the model classes are downloaded to the client machine.

Upvotes: 1
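As an added illustration of the split both answers recommend (this is example code, not code from either answer or from the asker's project): the shared models project carries only DTOs, the server project hosts an authorized endpoint backed by the existing Dapper class library, and the InteractiveAuto client calls it over an HttpClient that forwards the browser's Identity cookie, so no second login is needed. `CustomerDto`, `ICustomerRepository`, `GetAllAsync`, the `DataAccess` namespace and the `/api/customers` route are assumed names.

```csharp
// File: Shared.Models/CustomerDto.cs  (referenced by BOTH client and server)
// Only plain DTOs live here: no Dapper, no Identity, no connection strings.
namespace Shared.Models;
public record CustomerDto(int Id, string Name);

// File: Server/Program.cs  (excerpt; the template's Identity/cookie setup stays as-is)
// ICustomerRepository is an assumed name for a service in the existing Dapper
// class library, which ONLY the server project references.
using Shared.Models;
using DataAccess;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthorization();
builder.Services.AddScoped<ICustomerRepository, CustomerRepository>();
// ... AddRazorComponents(), AddAuthentication(...).AddIdentityCookies() etc. from the template ...
var app = builder.Build();

// The Identity cookie the browser already holds is what authorizes this call,
// so the signed-in user is never asked for credentials again.
app.MapGet("/api/customers",
        async (ICustomerRepository repo) => Results.Ok(await repo.GetAllAsync()))
   .RequireAuthorization();
app.Run();

// File: Client/Program.cs  (WebAssembly host for the InteractiveAuto components)
using Microsoft.AspNetCore.Components.WebAssembly.Hosting;
using Microsoft.AspNetCore.Components.WebAssembly.Http;

var wasm = WebAssemblyHostBuilder.CreateDefault(args);
// Same-origin HttpClient that forwards the browser's auth cookie on every request.
wasm.Services.AddScoped(sp => new HttpClient(new CookieHandler())
{
    BaseAddress = new Uri(wasm.HostEnvironment.BaseAddress)
});
await wasm.Build().RunAsync();

// Tells the browser fetch API to include credentials (the Identity cookie).
public sealed class CookieHandler : DelegatingHandler
{
    public CookieHandler() : base(new HttpClientHandler()) { }

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        request.SetBrowserRequestCredentials(BrowserRequestCredentials.Include);
        return base.SendAsync(request, cancellationToken);
    }
}

// File: Client/Pages/Customers.razor  (@rendermode InteractiveAuto)
//   @inject HttpClient Http
//   customers = await Http.GetFromJsonAsync<List<CustomerDto>>("api/customers");
```

An InteractiveAuto component also runs on the server during prerendering and Server interactivity, so the server project must register its own `HttpClient` for that phase as well (or the component should resolve a service interface that the server implements directly against the repository). The endpoint stays the only path to the database either way; the client assembly never references the Dapper or Identity code.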
