I'm a full-stack developer with over 7 years of experience. Self-motivated and driven, dedicated to perfecting my craft. I build web apps and I have a passion for cross-platform and Flutter.
This only works with cookie authentication. If you have another scheme, say JWT, authorization using the OnPrepareResponse hook won't work. It's also important to note that it's a bad practice to store sensitive data under wwwroot. If you want to secure files, say uploaded attachments, they should be stored outside of the webroot directory and delegated to a controller method.
Doubt.
Did you try it?
I tried an access token-based authentication scenario, and it works fine, as expected.
You can get the project file that I tried from the link below.
In the first place, HttpContext.User.Identity does not depend on any kind of authorization scheme. The role of authenticating the user and building HttpContext.User.Identity belongs to the Authentication middleware. What I did is just reference the HttpContext.User.Identity that is the result of the Authentication middleware's work.
"It's also important to note that it's a bad practice to store sensitive data under wwwroot." Yes, we have to consider this point carefully.
However, I can't agree with all of your opinions at this time.
Essentially and ultimately, there is no difference between the StaticFiles middleware and a custom controller method (as you suggested), in that both of them serve static files to a user agent. A few years ago, I saw a custom controller that served static files to user agents and had a "directory traversal" security hole.
I have also heard another story in which a custom controller stored uploaded files in Amazon S3, but the S3 bucket endpoint allowed public access due to a configuration mistake.
These stories tell me that protecting static content is not simple.
Therefore, I cannot agree with the simple judgment that storing some secret static files under the wwwroot folder is bad practice.
In a few days I may change my opinion to match yours, but not yet.
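The two positions in the exchange above (gating wwwroot files from OnPrepareResponse, versus serving files from outside the web root through an endpoint that must itself resist directory traversal) can be shown side by side. The following Program.cs is an added example written for this page; it is not code from the article, from either commenter, or from the linked project. It assumes .NET 6+ minimal hosting with the Microsoft.AspNetCore.Authentication.JwtBearer package, a JWT bearer scheme registered as the default (to make the point that the check is scheme-independent), gated files under wwwroot/private, and an "attachments" folder next to the content root. The path prefixes, the folder name and the Jwt:* configuration keys are illustrative choices, not anything the page specifies.

```csharp
// Added example, not the page's code. Assumes .NET 6+ and the JwtBearer package.
using System.Net;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.StaticFiles;

var builder = WebApplication.CreateBuilder(args);

// Any scheme works here (cookie, bearer, ...): what matters is that the
// authentication middleware populates HttpContext.User for the default scheme.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o =>
    {
        o.Authority = builder.Configuration["Jwt:Authority"]; // assumed config keys
        o.Audience  = builder.Configuration["Jwt:Audience"];
    });
builder.Services.AddAuthorization();

var app = builder.Build();

// Order matters: UseAuthentication() must run BEFORE UseStaticFiles(), otherwise
// User.Identity.IsAuthenticated is always false inside OnPrepareResponse.
app.UseAuthentication();

app.UseStaticFiles(new StaticFileOptions
{
    OnPrepareResponse = ctx =>
    {
        var http = ctx.Context;
        if (!http.Request.Path.StartsWithSegments("/private")) return; // assumed prefix

        http.Response.Headers.CacheControl = "no-store"; // gated files must not be cached
        if (http.User.Identity?.IsAuthenticated != true)
        {
            // OnPrepareResponse runs after the file is located but before any body
            // bytes are written, so the file body can still be replaced by an empty 401.
            http.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
            http.Response.ContentLength = 0;
            http.Response.Body = Stream.Null;
        }
    }
});

app.UseAuthorization();

// Alternative for files kept OUTSIDE wwwroot: an endpoint that is hardened
// against the "directory traversal" hole mentioned in the thread.
var attachmentsRoot = Path.GetFullPath(
    Path.Combine(app.Environment.ContentRootPath, "attachments")); // assumed folder
var contentTypes = new FileExtensionContentTypeProvider();

app.MapGet("/attachments/{name}", (string name, HttpContext http) =>
{
    // 1. Accept only a bare file name: no separators, no "..", no drive prefix.
    if (string.IsNullOrEmpty(name) || name != Path.GetFileName(name) || name.Contains(".."))
        return Results.BadRequest();

    // 2. Canonicalise and confirm the result still lies under the allowed root.
    var full = Path.GetFullPath(Path.Combine(attachmentsRoot, name));
    if (!full.StartsWith(attachmentsRoot + Path.DirectorySeparatorChar, StringComparison.Ordinal))
        return Results.BadRequest();

    if (!File.Exists(full)) return Results.NotFound();

    if (!contentTypes.TryGetContentType(full, out var mime))
        mime = "application/octet-stream";
    return Results.File(full, mime, fileDownloadName: name);
}).RequireAuthorization();

app.Run();
```

Two practical notes. For a cookie scheme you would typically redirect unauthenticated users to a login page instead of returning a bare 401, but the IsAuthenticated check itself is the same in both cases, which is the point the reply makes. The traversal defence deliberately uses both a file-name check and a canonical-path prefix check; either one alone has been bypassed in real code (encoded separators, Windows short names, symlinks), and the second check also covers a future change that lets callers pass subfolders.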