DEV Community: Carlos Jimenez

Resource Based Authorization using Razor Pages - PART 2

Carlos Jimenez — Sun, 29 Dec 2019 00:00:00 +0000

In part 1 of Requiring Authorization to Access your Web Application's Resources, we covered how to ensure your users were members of the administrator role to be able to complete specific actions. If you missed it or would like to refresh your memory please check it out here. In part 2, we are going to look on how to expand this capability. Previously, we stated that we had two requirements regarding authorization.

Those requirements were as follows:

Users can only create new debtors with an administrator role.
Users can only make changes to an existing debtor if they are the creator of the debtor entity.

Using the same application from part 1, we are going to create a custom authorization requirement and authorization handler. This will allow us to complete our second requirement of making sure only the user who created a debtor is able to make modifications to it. The code of this application can be found on my Github.

Creating the Authorization Policies

Before we can enforce this requirement, we will need to create the necessary authorization requirement and handler. The requirement in this case is used to map our application configuration and authorization handler. It is a basic class that just implements an interface, "IAuthorizationRequirement". We will call it the "SameDebtorOwnerRequirment" to help reflect its purpose.

 public class SameDebtorOwnerRequirment : IAuthorizationRequirement
 {
 }

The actual logic that will handle the authorization requirements will be defined in our handler. The handler extends the base class "AuthorizationHandler". Here we will map our requirement, the "SameDebtorOwnerRequirement" to the resource we are going to protect, the Debtor. We will implement most of our logic in the HandleRequirmentAsync method that we will need to override.

Our logic will consist of getting the user id of the signed-in user and making sure that it matches the id of the owner stored on the debtor resource.

 public class DebtorAuthorizationHandler : AuthorizationHandler<SameDebtorOwnerRequirment, Debtor>
{
        private readonly UserManager<IdentityUser> _userManager;

        public DebtorAuthorizationHandler(UserManager<IdentityUser> userManager) => _userManager = userManager;

        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, SameDebtorOwnerRequirment requirement, Debtor resource)
        {
            string userID = _userManager.GetUserId(context.User);
            if (userID != null && resource != null)
            {
                if ((userID == resource.OwnerID) && context.User.IsInRole(ApplicationRoles.Administrator.ToString()))
                {
                    context.Succeed(requirement);
                }
            }
            return Task.CompletedTask;
        }
}

If the authorization check passes, then a success is recorded in the web application context and returned. If not, then the task is returned as complete, but the context is not modified. This is because you may have multiple requirements defined in your application, and they will not run if you sent a failure in the context instead. This allows you to create multiple requirements to account for multiple scenarios. If you would like to see an example of why you would want to do this, please check out Microsoft's example using .Net Core.

Storing the resource creator in the Debtor model

Our next step in the process is to make sure that we store the id of the current user in our Debtor model, as this is necessary for our authorization requirement. We will add a "String" property to our Debtor model to store the User's id as "OwnerID". We will then make sure to store this information whenever a new Debtor is created.

Debtor class:

  public class Debtor
  {
        public int DebtorID { get; set; }
        [RegularExpression(@"^[A-Z]+[a-zA-Z""'\s-]*$")]
        [Required]
        public string FirstName { get; set; }
        [RegularExpression(@"^[A-Z]+[a-zA-Z""'\s-]*$")]
        [Required]
        public string LastName { get; set; }
        [DataType(DataType.EmailAddress)]
        [Required]
        public string Email { get; set; }
        [Iban]
        public string IBAN { get; set; }
        public string OwnerID { get; set; }
        public virtual ICollection<Invoice> Invoices { get; set; }
  }

To add the user id to the Debtor, we just need to use the UserManager service to get the id of the current user and store this before saving the Debtor entity.

 [Authorize(Roles = "Administrator")]
    public class NewDebtorModel : BasePageModel
    {   
        ....CODE REMOVED FOR SIMPLICITY

        public async Task<IActionResult> OnPostAsync([Bind("FirstName,LastName,Email,IBAN")]Debtor debtor)
        {
            if (!ModelState.IsValid)
            {
                return Page();
            }

            debtor.OwnerID = UserManager.GetUserId(User);
            Context.Add(debtor);
            await Context.SaveChangesAsync();

            return RedirectToPage("./ViewDebtor", new { id = debtor.DebtorID });
        }
    }

Before we can use our newly defined handler and requirement, we will need to add them to our startup.cs. In our ConfigureServices method, we will add our requirement and map it to a name. In our case, "DebtorEditPolicy".

public void ConfigureServices(IServiceCollection services)
{
....
services.AddAuthorization(options =>
            {
                options.AddPolicy("DebtorEditPolicy", policy => policy.Requirements.Add(new SameDebtorOwnerRequirment()));
            });

            services.AddScoped<IAuthorizationHandler, DebtorAuthorizationHandler>();
}

Finally, we are now ready to add support to our pages to utilize our defined requirements and handler. To support this, we will need to make sure that our razor page has access to the web application's authorization service. This can be accomplished by passing in the authorization service to the page's constructor via dependency injection. Afterwards, we can then utilize the authorization service in our page's methods to enforce our requirements.

One of our main requirements is that our created Debtors can only be modified by their owner. In our update metho,d we will add the following to account for this.

public async Task<ActionResult> OnPostAsync(int? id)
{
            ....

            Debtor debtorToEdit = await Context.Debtors.FirstOrDefaultAsync(item => item.DebtorID == id);

            AuthorizationResult result = await AuthorizationService.AuthorizeAsync(User, debtorToEdit, "DebtorEditPolicy");
            if(!result.Succeeded)
            {
               return new ForbidResult();
            }

            ....
}

If the current user is not signed in or not the creator of the resource, they will then receive an access denied message.

Resource Based Authorization using Razor Pages - PART 1

Carlos Jimenez — Thu, 07 Nov 2019 00:00:00 +0000

User's of your web application will access a variety of different resources over time. Often, access to these resources will need to be limited according to some predefined criteria. You can accomplish this in a .Net Core Razor Pages application by adding authorization to the web app. We will cover how to add authorization to your razor page's application using a demo application. This demo application provides a web-based interface to manage debtors and any associated invoices they may have. This post will be split into two separate posts. This first one will cover adding the roles to your application and requiring the administrator role to create a new debtor. The second post will include restricting the ability to modify an existing debtor to only the debtor's creator.

Before adding authorization to your application, your .Net Core app needs to have an identity, and an authentication system implemented. This article will not cover how to add authentication to your application. The demo application in this example uses .Net Core's native authentication, along with Google authentication as a secondary identity provider. The Github for this project can be found here.

Defining the Authorization Requirements

To add authorization to your application, you will first need to understand what you are trying to accomplish. In other words, what are your goals?

In this case, our demo debtor application has the following requirements.

Users can only create new debtors with an administrator role.
Users can only make changes to an existing debtor if they are the creator of the debtor entity.

Requirement 1: Creating a New Debtor Requires the Administrator Role

Adding role-based authorization to your application is pretty straight-forward. .Net authorization can be enabled in your web application's configuration on start-up using some default settings. The debtor application uses the default identity set-up for local authentication by calling the IServiceCollection's AddDefaultIdentity<> method chain using .Net's standard configuration. We will add the role support to the method chain in our Startup.cs's ConfigureServices method:

services.AddDefaultIdentity<IdentityUser>()
.AddDefaultUI(UIFramework.Bootstrap4)
.AddRoles<IdentityRole>()
.AddEntityFrameworkStores<ApplicationDbContext>();

After enabling roles in the default identity configuration, we will need to seed the database with whatever roles your application will utilize. This will be a multiple-step process as we will be separating some of the configurations between two different classes. We will first create a new class where we can define our application roles. In this case, the debtor application will use the following two roles:

Administrator
User

I chose to implement a new enum class called ApplicationRoles.

Here is what the class files look like:

public enum ApplicationRoles { Administrator, User }

We will use this class to seed our database with these predefined roles.

Next, to manage our seeding, we will create a new class called DefaultAdminConfiguration. This class will seed the database with these two roles and also create a default admin account. The credentials for the default admin account will be loaded from our configuration file under the section of "AdminUserSettings." We will call the Initialize function of our DefaultAdminConfiguration in our startup.cs's Configure method.

public static class DefaultAdminConfiguration {
    public static async Task Initialize(IServiceProvider serviceProvider,
 IConfiguration configuration) {
    var roleManager = serviceProvider.GetRequiredService<RoleManager<IdentityRole>>();
    var userManager = serviceProvider.GetRequiredService<UserManager<IdentityUser>>();
    IdentityResult identityResult;
    foreach(var role in Enum.GetNames(typeof(ApplicationRoles))) {
      if(!(await roleManager.RoleExistsAsync(role))) {
        identityResult = await roleManager.CreateAsync(new IdentityRole(role));
      }
    } 
    IdentityUser adminUser = new IdentityUser { 
      UserName = configuration.GetSection("AdminUserSettings")["Email"], 
      Email = configuration.GetSection("AdminUserSettings")["Email"]
    };
    string password = configuration.GetSection("AdminUserSettings")["Password"];
    IdentityUser foundUser = await userManager.FindByEmailAsync(adminUser.Email);
    if(null == foundUser) { 
      IdentityResult createdUser = await userManager.CreateAsync(adminUser, password);
      if(createdUser.Succeeded) {
        await userManager.AddToRoleAsync(adminUser, ApplicationRoles.Administrator.ToString());}}}
}

Now, we add DefaultAdminConfiguration to our applications Startup.cs and call its initialize method in the Configure method.

public void Configure(IApplicationBuilder app, IHostingEnvironment env, IServiceProvider services) {
  .... 
  app.UseHttpsRedirection(); app.UseStaticFiles(); app.UseCookiePolicy();
  app.UseAuthentication(); 
  DefaultAdminConfiguration.Initialize(services, Configuration).Wait();
  app.UseMvc();
  }
}

To require that users of our application be a part of the administrator role to create a new debtor, we will need to add it to the designated pages. Open up the code behind of the CreateDebtor Razor Page located in our application's Pages/Debtors directory. We are going to add the Authorize attribute to our class with the role of "Administrator."

[Authorize(Roles = "Administrator")]public class NewDebtorModel : BasePageModel {...}

Now, if we run the application and try to create a new Debtor without having the administrator role, you will receive an access denied.

Adding role-based authorization is pretty straight forward. In part 2, we will see how we can use .Net's IAuthorizationRequirement and AuthorizationHandler to restrict a user's ability to modify debtors in the application.

Fighting Anxiety and Impostor Syndrome by Blogging

Carlos Jimenez — Tue, 27 Aug 2019 23:14:31 +0000

It was around February of 2018 when I decided to purchase my domains. I was a little excited, so I purchased three of them: cmjimenez.com, cmjimenez.net, cmjimenez.me. You know, just in case someone else might be looking to purchase them as well -_-. So, now I had three domains and no idea what I was going to do with any of them.

I spend a lot of my free time reading. Between Dev.To, Reddit, or Hackernoon, I can always manage to find something that would peak my interest. One topic that I always found interesting was on "why you should create your own blog". There were a number of reasons on why it was beneficial. Some post elaborated on how maintaining a blog would provide a way for you to document your work. Others highlighted the importance of being able to share their views and their unique approaches to solving certain problems. However, one of the most interesting things that I read about was about how creating a blog could also help boost my confidence. I never thought about it from that perspective before and I was willing to give it a try.

So, how would creating a blog help boost my confidence?

I often get anxiety when communicating with others - especially in a professional setting. I am pretty sure this anxiety stems from the slight insecurity that I have of not wanting to be wrong. I guess it is what is referred to as impostor syndrome. I am also not the only one who suffers from this detrimental mind state. I have read quite a few post that were written by individuals who also suffer from this way of thinking.

I think a lot of us are scared of being judged. My mind tends to think the worst in these situations, even if it is unwarranted. My drive to be a perfectionist tends to amplify these thoughts as well. By putting my self out there and writing a blog, I am making my self vulnerable. I will be sharing my views with others and in doing so, I hope to become more comfortable in these sort of situations. Now, I know there is nothing wrong with putting our selves out there. Hell, there is nothing wrong about being wrong either! When we are wrong, it provides an opportunity to learn something new.

So if your on the fence on creating a blog, just do it. If not for sharing with others, at least do it for your self. You have nothing to loose!

So here we are...

I started working on my website finally around December of 2018 and by February I released the first iteration of my website. It is now August of 2019 and I am finally releasing my blog. It probably should not have taken that long but that is a subject for another post in the future.

Cross post from my blog: https://www.cmjimenez.com/blog/why-i-created-a-blog