DEV Community: Leandro Veiga The latest articles on DEV Community by Leandro Veiga (@leandroveiga). https://dev.to/leandroveiga https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2009087%2F173fdef0-e6b9-4a38-ae32-37f5ba01a1ab.jpg DEV Community: Leandro Veiga https://dev.to/leandroveiga en Future Trends and the Role of .NET 9 in the Evolution of Software Development Leandro Veiga Tue, 29 Apr 2025 18:00:00 +0000 https://dev.to/leandroveiga/future-trends-and-the-role-of-net-9-in-the-evolution-of-software-development-i8k https://dev.to/leandroveiga/future-trends-and-the-role-of-net-9-in-the-evolution-of-software-development-i8k <p>In this article, we’ll analyze how the innovations introduced in .NET 9 align with emerging software development trends, show practical code examples, discuss real-world use cases and best practices, and peek at what’s next in future .NET releases.</p> <h2> Table of Contents </h2> <ul> <li>Introduction</li> <li>Key Innovations in .NET 9</li> <li>Emerging Software Development Trends</li> <li>Alignment of .NET 9 with Future Trends</li> <li> Practical Code Examples <ul> <li> URL-Safe Encoding with Base64Url </li> <li> Rate Limiting with the Built-In API </li> </ul> </li> <li>Use Cases &amp; Adoption Scenarios</li> <li> Best Practices </li> <li>Looking Ahead: What to Expect in .NET 10+</li> <li>Conclusion</li> </ul> <h2> Introduction </h2> <p>The .NET ecosystem continues to evolve at a brisk pace. With each major release, Microsoft introduces features to improve performance, developer productivity, and cross-platform consistency. .NET 9 arrives at a time when cloud-native architectures, AI/ML integration, edge computing, and low-code trends are reshaping how we build software. Let’s see how .NET 9 helps you stay ahead of the curve.</p> <h2> Key Innovations in .NET 9 </h2> <p>.NET 9 brings a range of enhancements across the runtime, libraries, and SDK:</p> <ul> <li> <strong>Base64Url Class</strong>: A first-party, zero-allocation API for URL-safe Base64 encoding and decoding.</li> <li> <strong>Rate Limiting Middleware</strong>: New abstractions for defining fixed-window, sliding-window, and token-bucket policies.</li> <li> <strong>AOT &amp; NativeAOT Improvements</strong>: Faster startup, reduced memory footprint, and expanded platform support.</li> <li> <strong>Source Generator Enhancements</strong>: More powerful code-generation scenarios for JSON, logging, and DI.</li> <li> <strong>PeriodicTimer</strong>: Built-in timer abstraction for clean, efficient scheduling without <code>Task.Delay</code> loops.</li> </ul> <h2> Emerging Software Development Trends </h2> <p>As we look ahead, several trends are influencing architecture and tooling choices:</p> <ul> <li> <strong>Cloud-Native &amp; Microservices</strong>: Containerized workloads, serverless functions, and distributed tracing.</li> <li> <strong>AI/ML Integration</strong>: Embedding cognitive services, on-device inference, and pipeline orchestration.</li> <li> <strong>Edge &amp; IoT</strong>: Lightweight runtimes, offline modes, and low-latency processing.</li> <li> <strong>Observability &amp; Reliability</strong>: Built-in metrics, logs, and tracing for proactive incident response.</li> <li> <strong>Developer Productivity</strong>: Source generators, faster builds, IDE enhancements, and low-code platforms.</li> </ul> <h2> Alignment of .NET 9 with Future Trends </h2> <p>.NET 9 addresses these trends through:</p> <ul> <li> <strong>Performance &amp; AOT</strong>: NativeAOT’s faster startup suits edge/IoT and serverless.</li> <li> <strong>Built-In Middleware</strong>: Rate limiting and Base64Url reduce reliance on third-party libraries.</li> <li> <strong>Scheduling Primitives</strong>: <code>PeriodicTimer</code> simplifies background tasks in microservices.</li> <li> <strong>Enhanced Source Generators</strong>: Automate serialization and logging for observability.</li> <li> <strong>Cross-Platform Consistency</strong>: Uniform behavior on Windows, Linux, macOS, and mobile.</li> </ul> <h2> Practical Code Examples </h2> <h3> URL-Safe Encoding with Base64Url <a></a> </h3> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">System</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System.Text</span><span class="p">;</span> <span class="k">class</span> <span class="nc">Program</span> <span class="p">{</span> <span class="k">static</span> <span class="k">void</span> <span class="nf">Main</span><span class="p">()</span> <span class="p">{</span> <span class="kt">string</span> <span class="n">payload</span> <span class="p">=</span> <span class="s">"user=42;exp=1700000000"</span><span class="p">;</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">data</span> <span class="p">=</span> <span class="n">Encoding</span><span class="p">.</span><span class="n">UTF8</span><span class="p">.</span><span class="nf">GetBytes</span><span class="p">(</span><span class="n">payload</span><span class="p">);</span> <span class="c1">// Encode to URL-safe Base64</span> <span class="kt">string</span> <span class="n">token</span> <span class="p">=</span> <span class="n">Base64Url</span><span class="p">.</span><span class="nf">Encode</span><span class="p">(</span><span class="n">data</span><span class="p">);</span> <span class="n">Console</span><span class="p">.</span><span class="nf">WriteLine</span><span class="p">(</span><span class="s">$"Encoded Token: </span><span class="p">{</span><span class="n">token</span><span class="p">}</span><span class="s">"</span><span class="p">);</span> <span class="c1">// Decode back</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">decoded</span> <span class="p">=</span> <span class="n">Base64Url</span><span class="p">.</span><span class="nf">Decode</span><span class="p">(</span><span class="n">token</span><span class="p">);</span> <span class="n">Console</span><span class="p">.</span><span class="nf">WriteLine</span><span class="p">(</span><span class="s">$"Decoded: </span><span class="p">{</span><span class="n">Encoding</span><span class="p">.</span><span class="n">UTF8</span><span class="p">.</span><span class="nf">GetString</span><span class="p">(</span><span class="n">decoded</span><span class="p">)}</span><span class="s">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This zero-allocation API replaces <code>+</code>, <code>/</code> with <code>-</code>, <code>_</code>, and handles padding automatically—ideal for JWTs, query strings, and presigned URLs.</p> <h3> Rate Limiting with the Built-In API <a></a> </h3> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">Microsoft.AspNetCore.RateLimiting</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System.Threading.RateLimiting</span><span class="p">;</span> <span class="kt">var</span> <span class="n">builder</span> <span class="p">=</span> <span class="n">WebApplication</span><span class="p">.</span><span class="nf">CreateBuilder</span><span class="p">(</span><span class="n">args</span><span class="p">);</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddRateLimiter</span><span class="p">(</span><span class="n">options</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">options</span><span class="p">.</span><span class="nf">AddTokenBucketLimiter</span><span class="p">(</span><span class="s">"ApiPolicy"</span><span class="p">,</span> <span class="n">ctx</span> <span class="p">=&gt;</span> <span class="k">new</span> <span class="n">TokenBucketRateLimiterOptions</span> <span class="p">{</span> <span class="n">TokenLimit</span> <span class="p">=</span> <span class="m">100</span><span class="p">,</span> <span class="n">TokensPerPeriod</span> <span class="p">=</span> <span class="m">20</span><span class="p">,</span> <span class="n">ReplenishmentPeriod</span> <span class="p">=</span> <span class="n">TimeSpan</span><span class="p">.</span><span class="nf">FromSeconds</span><span class="p">(</span><span class="m">1</span><span class="p">),</span> <span class="n">QueueLimit</span> <span class="p">=</span> <span class="m">10</span><span class="p">,</span> <span class="n">AutoReplenishment</span> <span class="p">=</span> <span class="k">true</span> <span class="p">});</span> <span class="p">});</span> <span class="kt">var</span> <span class="n">app</span> <span class="p">=</span> <span class="n">builder</span><span class="p">.</span><span class="nf">Build</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseRateLimiter</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">MapGet</span><span class="p">(</span><span class="s">"/data"</span><span class="p">,</span> <span class="p">()</span> <span class="p">=&gt;</span> <span class="s">"Hello, World!"</span><span class="p">)</span> <span class="p">.</span><span class="nf">RequireRateLimiting</span><span class="p">(</span><span class="s">"ApiPolicy"</span><span class="p">);</span> <span class="n">app</span><span class="p">.</span><span class="nf">Run</span><span class="p">();</span> </code></pre> </div> <p>This built-in middleware gives you fine-grained control without external dependencies.</p> <h2> Use Cases &amp; Adoption Scenarios <a></a> </h2> <ul> <li> <strong>API Gateways &amp; Edge Proxies</strong>: Enforce rate limiting and URL-safe tokens.</li> <li> <strong>Microservices</strong>: Schedule periodic jobs with <code>PeriodicTimer</code>, handle load shedding.</li> <li> <strong>IoT &amp; Edge</strong>: Use NativeAOT builds for small footprints and fast cold starts.</li> <li> <strong>Secure Token Services</strong>: Issue and validate URL-safe tokens natively.</li> <li> <strong>Observability Pipelines</strong>: Source-generated serializers for logs and metrics.</li> </ul> <h2> Best Practices </h2> <ul> <li> <strong>Embrace Zero-Allocation APIs</strong>: Use <code>Base64Url</code> and <code>RateLimiter</code> for critical paths.</li> <li> <strong>Prefer NativeAOT</strong>: For edge devices and serverless, compile ahead-of-time.</li> <li> <strong>Use Source Generators</strong>: Automate JSON, logging, and DI boilerplate.</li> <li> <strong>Monitor &amp; Trace</strong>: Integrate OpenTelemetry and Application Insights.</li> <li> <strong>Secure by Design</strong>: Always validate tokens, handle exceptions, enforce HTTPS.</li> <li> <strong>CI/CD &amp; A/B Testing</strong>: Automate AOT builds and feature rollouts.</li> </ul> <h2> Looking Ahead: What to Expect in .NET 10+ </h2> <p>While .NET 9 focuses on performance and core libraries, future releases may bring:</p> <ul> <li> <strong>Enhanced ML.NET Integration</strong>: Built-in model serving in ASP.NET.</li> <li> <strong>Low-Code + API Composition</strong>: Drag-and-drop workflows generating C# code.</li> <li> <strong>Deeper AI Tooling</strong>: First-class support for LLMs and vector search.</li> <li> <strong>Expanded Platform Coverage</strong>: WebAssembly AOT for Blazor and edge runtimes.</li> <li> <strong>Unified Telemetry</strong>: Automatic tracing and correlation across services.</li> </ul> <h2> Conclusion </h2> <p>.NET 9 is a strategic step toward a future where software is faster, more secure, and seamlessly integrated with cloud, edge, and AI ecosystems. By adopting its new features—Base64Url, Rate Limiting, AOT improvements, and enhanced source generators—you’ll be ready for the next wave of software development.</p> <p>What future .NET feature are you most excited about? Share your thoughts in the comments!</p> <p><strong>Happy coding!</strong></p> dotnet csharp programming news Efficient Background Jobs & Scheduled Tasks in .NET 8 with Hosted Services Leandro Veiga Sat, 26 Apr 2025 15:08:25 +0000 https://dev.to/leandroveiga/efficient-background-jobs-scheduled-tasks-in-net-8-with-hosted-services-50pk https://dev.to/leandroveiga/efficient-background-jobs-scheduled-tasks-in-net-8-with-hosted-services-50pk <p>In this post, we'll dive into how to run background jobs and schedule recurring tasks in .NET 8 using built-in Hosted Services. You’ll see:</p> <ul> <li>How to implement IHostedService and BackgroundService</li> <li>Strategies for scheduling (Timers, Cron)</li> <li>Real-world use cases (email sending, data cleanup, queue processing)</li> <li>Best practices for reliability, graceful shutdown, and observability</li> </ul> <p>Let’s get started!</p> <h1> Table of Contents </h1> <ul> <li>Introduction</li> <li>Understanding Hosted Services</li> <li>Creating a Simple BackgroundService</li> <li>Scheduling Recurring Tasks</li> <li>Handling One-Off Background Jobs</li> <li>Use Cases &amp; Examples</li> <li>Best Practices</li> <li>Conclusion</li> </ul> <h1> Introduction </h1> <p>Background jobs and scheduled tasks are essential for:</p> <ul> <li>Processing messages or workqueues</li> <li>Periodic cleanup (logs, cache)</li> <li>Sending emails or notifications</li> <li>Data aggregation or reporting</li> </ul> <p>.NET 8’s Hosted Services (IHostedService/BackgroundService) provide a clean, DI-friendly way to run these tasks alongside your Web or API application.</p> <h1> Understanding Hosted Services </h1> <p>A Hosted Service is a class that runs in the background of your application. There are two main approaches:</p> <ul> <li> <strong>Implement IHostedService</strong> <ul> <li>Two methods: StartAsync(CancellationToken) and StopAsync(CancellationToken).</li> </ul> </li> <li> <strong>Derive from BackgroundService</strong> <ul> <li>Override ExecuteAsync(CancellationToken) for a long-running loop.</li> </ul> </li> </ul> <p>Both integrate with the Generic Host (WebApplication in minimal APIs or HostBuilder), support DI, configuration, and graceful shutdown.</p> <h1> Creating a Simple BackgroundService </h1> <p>Here's a minimal example of a service that logs a message every 10 seconds:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">System</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System.Threading</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System.Threading.Tasks</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.Extensions.Hosting</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.Extensions.Logging</span><span class="p">;</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">TimedLoggerService</span> <span class="p">:</span> <span class="n">BackgroundService</span> <span class="p">{</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">ILogger</span><span class="p">&lt;</span><span class="n">TimedLoggerService</span><span class="p">&gt;</span> <span class="n">_logger</span><span class="p">;</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">TimeSpan</span> <span class="n">_interval</span> <span class="p">=</span> <span class="n">TimeSpan</span><span class="p">.</span><span class="nf">FromSeconds</span><span class="p">(</span><span class="m">10</span><span class="p">);</span> <span class="k">public</span> <span class="nf">TimedLoggerService</span><span class="p">(</span><span class="n">ILogger</span><span class="p">&lt;</span><span class="n">TimedLoggerService</span><span class="p">&gt;</span> <span class="n">logger</span><span class="p">)</span> <span class="p">{</span> <span class="n">_logger</span> <span class="p">=</span> <span class="n">logger</span><span class="p">;</span> <span class="p">}</span> <span class="k">protected</span> <span class="k">override</span> <span class="k">async</span> <span class="n">Task</span> <span class="nf">ExecuteAsync</span><span class="p">(</span><span class="n">CancellationToken</span> <span class="n">stoppingToken</span><span class="p">)</span> <span class="p">{</span> <span class="n">_logger</span><span class="p">.</span><span class="nf">LogInformation</span><span class="p">(</span><span class="s">"TimedLoggerService started."</span><span class="p">);</span> <span class="k">while</span> <span class="p">(!</span><span class="n">stoppingToken</span><span class="p">.</span><span class="n">IsCancellationRequested</span><span class="p">)</span> <span class="p">{</span> <span class="n">_logger</span><span class="p">.</span><span class="nf">LogInformation</span><span class="p">(</span><span class="s">"TimedLoggerService heartbeat at: {time}"</span><span class="p">,</span> <span class="n">DateTimeOffset</span><span class="p">.</span><span class="n">Now</span><span class="p">);</span> <span class="k">await</span> <span class="n">Task</span><span class="p">.</span><span class="nf">Delay</span><span class="p">(</span><span class="n">_interval</span><span class="p">,</span> <span class="n">stoppingToken</span><span class="p">);</span> <span class="p">}</span> <span class="n">_logger</span><span class="p">.</span><span class="nf">LogInformation</span><span class="p">(</span><span class="s">"TimedLoggerService stopping."</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Register it in <code>Program.cs</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="kt">var</span> <span class="n">builder</span> <span class="p">=</span> <span class="n">WebApplication</span><span class="p">.</span><span class="nf">CreateBuilder</span><span class="p">(</span><span class="n">args</span><span class="p">);</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="n">AddHostedService</span><span class="p">&lt;</span><span class="n">TimedLoggerService</span><span class="p">&gt;();</span> <span class="kt">var</span> <span class="n">app</span> <span class="p">=</span> <span class="n">builder</span><span class="p">.</span><span class="nf">Build</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">Run</span><span class="p">();</span> </code></pre> </div> <h1> Scheduling Recurring Tasks </h1> <h2> Using PeriodicTimer </h2> <p>In .NET 8 you can use <code>PeriodicTimer</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">protected</span> <span class="k">override</span> <span class="k">async</span> <span class="n">Task</span> <span class="nf">ExecuteAsync</span><span class="p">(</span><span class="n">CancellationToken</span> <span class="n">stoppingToken</span><span class="p">)</span> <span class="p">{</span> <span class="k">using</span> <span class="nn">var</span> <span class="n">timer</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">PeriodicTimer</span><span class="p">(</span><span class="n">TimeSpan</span><span class="p">.</span><span class="nf">FromMinutes</span><span class="p">(</span><span class="m">1</span><span class="p">));</span> <span class="k">while</span> <span class="p">(</span><span class="k">await</span> <span class="n">timer</span><span class="p">.</span><span class="nf">WaitForNextTickAsync</span><span class="p">(</span><span class="n">stoppingToken</span><span class="p">))</span> <span class="p">{</span> <span class="c1">// Your scheduled work here</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Cron-Style Scheduling </h2> <p>For cron expressions, use a library like Cronos:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">Cronos</span><span class="p">;</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">CronJobService</span> <span class="p">:</span> <span class="n">BackgroundService</span> <span class="p">{</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">CronExpression</span> <span class="n">_expression</span> <span class="p">=</span> <span class="n">CronExpression</span><span class="p">.</span><span class="nf">Parse</span><span class="p">(</span><span class="s">"0 */5 * * * *"</span><span class="p">);</span> <span class="c1">// every 5 minutes</span> <span class="k">private</span> <span class="n">DateTimeOffset</span> <span class="n">_nextRun</span> <span class="p">=</span> <span class="n">DateTimeOffset</span><span class="p">.</span><span class="n">MinValue</span><span class="p">;</span> <span class="k">protected</span> <span class="k">override</span> <span class="k">async</span> <span class="n">Task</span> <span class="nf">ExecuteAsync</span><span class="p">(</span><span class="n">CancellationToken</span> <span class="n">stoppingToken</span><span class="p">)</span> <span class="p">{</span> <span class="k">while</span> <span class="p">(!</span><span class="n">stoppingToken</span><span class="p">.</span><span class="n">IsCancellationRequested</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">now</span> <span class="p">=</span> <span class="n">DateTimeOffset</span><span class="p">.</span><span class="n">Now</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="n">now</span> <span class="p">&gt;=</span> <span class="n">_nextRun</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Do work</span> <span class="n">_nextRun</span> <span class="p">=</span> <span class="n">_expression</span><span class="p">.</span><span class="nf">GetNextOccurrence</span><span class="p">(</span><span class="n">now</span><span class="p">)</span> <span class="p">??</span> <span class="n">DateTimeOffset</span><span class="p">.</span><span class="n">MaxValue</span><span class="p">;</span> <span class="p">}</span> <span class="k">await</span> <span class="n">Task</span><span class="p">.</span><span class="nf">Delay</span><span class="p">(</span><span class="n">TimeSpan</span><span class="p">.</span><span class="nf">FromSeconds</span><span class="p">(</span><span class="m">30</span><span class="p">),</span> <span class="n">stoppingToken</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h1> Handling One-Off Background Jobs <a></a> </h1> <p>To enqueue fire-and-forget jobs (e.g., send an email after a request), use a <code>Channel&lt;T&gt;</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">public</span> <span class="k">interface</span> <span class="nc">IBackgroundJobQueue</span> <span class="p">{</span> <span class="n">ValueTask</span> <span class="nf">QueueJobAsync</span><span class="p">(</span><span class="n">Func</span><span class="p">&lt;</span><span class="n">CancellationToken</span><span class="p">,</span> <span class="n">Task</span><span class="p">&gt;</span> <span class="n">job</span><span class="p">);</span> <span class="n">ValueTask</span><span class="p">&lt;</span><span class="n">Func</span><span class="p">&lt;</span><span class="n">CancellationToken</span><span class="p">,</span> <span class="n">Task</span><span class="p">&gt;&gt;</span> <span class="nf">DequeueAsync</span><span class="p">(</span><span class="n">CancellationToken</span> <span class="n">cancellationToken</span><span class="p">);</span> <span class="p">}</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">BackgroundJobQueue</span> <span class="p">:</span> <span class="n">IBackgroundJobQueue</span> <span class="p">{</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">Channel</span><span class="p">&lt;</span><span class="n">Func</span><span class="p">&lt;</span><span class="n">CancellationToken</span><span class="p">,</span> <span class="n">Task</span><span class="p">&gt;&gt;</span> <span class="n">_queue</span> <span class="p">=</span> <span class="n">Channel</span><span class="p">.</span><span class="n">CreateUnbounded</span><span class="p">&lt;</span><span class="n">Func</span><span class="p">&lt;</span><span class="n">CancellationToken</span><span class="p">,</span> <span class="n">Task</span><span class="p">&gt;&gt;();</span> <span class="k">public</span> <span class="k">async</span> <span class="n">ValueTask</span> <span class="nf">QueueJobAsync</span><span class="p">(</span><span class="n">Func</span><span class="p">&lt;</span><span class="n">CancellationToken</span><span class="p">,</span> <span class="n">Task</span><span class="p">&gt;</span> <span class="n">job</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="k">await</span> <span class="n">_queue</span><span class="p">.</span><span class="n">Writer</span><span class="p">.</span><span class="nf">WriteAsync</span><span class="p">(</span><span class="n">job</span><span class="p">);</span> <span class="k">public</span> <span class="k">async</span> <span class="n">ValueTask</span><span class="p">&lt;</span><span class="n">Func</span><span class="p">&lt;</span><span class="n">CancellationToken</span><span class="p">,</span> <span class="n">Task</span><span class="p">&gt;&gt;</span> <span class="nf">DequeueAsync</span><span class="p">(</span><span class="n">CancellationToken</span> <span class="n">token</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="k">await</span> <span class="n">_queue</span><span class="p">.</span><span class="n">Reader</span><span class="p">.</span><span class="nf">ReadAsync</span><span class="p">(</span><span class="n">token</span><span class="p">);</span> <span class="p">}</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">QueuedHostedService</span> <span class="p">:</span> <span class="n">BackgroundService</span> <span class="p">{</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">IBackgroundJobQueue</span> <span class="n">_jobQueue</span><span class="p">;</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">ILogger</span><span class="p">&lt;</span><span class="n">QueuedHostedService</span><span class="p">&gt;</span> <span class="n">_logger</span><span class="p">;</span> <span class="k">public</span> <span class="nf">QueuedHostedService</span><span class="p">(</span><span class="n">IBackgroundJobQueue</span> <span class="n">jobQueue</span><span class="p">,</span> <span class="n">ILogger</span><span class="p">&lt;</span><span class="n">QueuedHostedService</span><span class="p">&gt;</span> <span class="n">logger</span><span class="p">)</span> <span class="p">{</span> <span class="n">_jobQueue</span> <span class="p">=</span> <span class="n">jobQueue</span><span class="p">;</span> <span class="n">_logger</span> <span class="p">=</span> <span class="n">logger</span><span class="p">;</span> <span class="p">}</span> <span class="k">protected</span> <span class="k">override</span> <span class="k">async</span> <span class="n">Task</span> <span class="nf">ExecuteAsync</span><span class="p">(</span><span class="n">CancellationToken</span> <span class="n">stoppingToken</span><span class="p">)</span> <span class="p">{</span> <span class="k">while</span> <span class="p">(!</span><span class="n">stoppingToken</span><span class="p">.</span><span class="n">IsCancellationRequested</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">job</span> <span class="p">=</span> <span class="k">await</span> <span class="n">_jobQueue</span><span class="p">.</span><span class="nf">DequeueAsync</span><span class="p">(</span><span class="n">stoppingToken</span><span class="p">);</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">job</span><span class="p">(</span><span class="n">stoppingToken</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="n">Exception</span> <span class="n">ex</span><span class="p">)</span> <span class="p">{</span> <span class="n">_logger</span><span class="p">.</span><span class="nf">LogError</span><span class="p">(</span><span class="n">ex</span><span class="p">,</span> <span class="s">"Error executing job"</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Register in <code>Program.cs</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="n">AddSingleton</span><span class="p">&lt;</span><span class="n">IBackgroundJobQueue</span><span class="p">,</span> <span class="n">BackgroundJobQueue</span><span class="p">&gt;();</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="n">AddHostedService</span><span class="p">&lt;</span><span class="n">QueuedHostedService</span><span class="p">&gt;();</span> </code></pre> </div> <h1> Use Cases &amp; Examples <a></a> </h1> <ul> <li> <strong>Email &amp; Notification Sending</strong>: Offload slow SMTP calls.</li> <li> <strong>Data Cleanup</strong>: Remove stale records or temp files on a schedule.</li> <li> <strong>Message Processing</strong>: Consume a queue or topic (RabbitMQ, Azure Service Bus).</li> <li> <strong>Report Generation</strong>: Build and store reports during off-peak hours.</li> </ul> <h1> Best Practices </h1> <ul> <li> <strong>Graceful Shutdown</strong>: Honor the CancellationToken and clean up resources.</li> <li> <strong>Exception Handling</strong>: Catch exceptions inside loops to avoid crashing the service.</li> <li> <strong>Logging &amp; Metrics</strong>: Instrument your service with logs and counters (e.g., Prometheus).</li> <li> <strong>Dependency Injection</strong>: Inject only scoped or singleton services appropriately.</li> <li> <strong>Backoff &amp; Retry</strong>: Implement retry policies with exponential backoff for transient failures.</li> <li> <strong>Health Checks</strong>: Expose health endpoints to monitor background service status.</li> </ul> <h1> Conclusion </h1> <p>Hosted Services in .NET 8 provide a powerful and flexible way to run background jobs and scheduled tasks. By following these examples and best practices, you can build reliable, maintainable, and observable background processing in your applications.</p> <p>Feel free to share your own experiences or questions in the comments below!</p> <p><strong>Happy coding!</strong></p> csharp dotnet programming tutorial Mastering URL‑Safe Encoding with .NET 9’s Base64Url Class: Examples & Best Practices Leandro Veiga Wed, 23 Apr 2025 00:28:10 +0000 https://dev.to/leandroveiga/mastering-url-safe-encoding-with-net-9s-base64url-class-examples-best-practices-2pp0 https://dev.to/leandroveiga/mastering-url-safe-encoding-with-net-9s-base64url-class-examples-best-practices-2pp0 <p>With .NET 9 Microsoft has introduced a dedicated <code>Base64Url</code> class to streamline URL‑safe Base64 encoding and decoding. In this post, you’ll learn:</p> <ul> <li>Why URL‑safe Base64 matters</li> <li>How to use the new Base64Url API in .NET 9</li> <li>Real‑world use cases (tokens, query strings, data embedding)</li> <li>Best practices to avoid common pitfalls</li> </ul> <p>Let’s dive in!</p> <h2> Table of Contents </h2> <ul> <li>Introduction</li> <li>Why URL‑Safe Base64?</li> <li>The .NET 9 Base64Url Class</li> <li> Code Examples <ul> <li>Encoding &amp; Decoding Strings</li> <li>Working with Binary Data</li> <li>Integrating with ASP.NET Core</li> </ul> </li> <li>Common Use Cases</li> <li>Best Practices</li> <li>Conclusion</li> </ul> <h2> Introduction </h2> <p>Base64 is a popular encoding mechanism for binary-to-text transformations. However, standard Base64 uses characters like <code>+</code>, <code>/</code>, and <code>=</code> which can break URLs or require extra escaping. URL‑safe Base64 replaces these with <code>-</code>, <code>_</code>, and omits padding, making it ideal for tokens, query parameters, and other web contexts.</p> <p>.NET 9’s new <code>Base64Url</code> class provides:</p> <ul> <li>Simple, zero‑allocation methods</li> <li>Consistent behavior across platforms</li> <li>Built‑in handling of padding and illegal characters</li> </ul> <h2> Why URL‑Safe Base64? <a></a> </h2> <p><strong>Standard Base64:</strong></p> <ul> <li>Uses <code>+</code> and <code>/</code> in its alphabet</li> <li>Adds <code>=</code> padding at the end</li> <li>Requires URL‑encoding when used in query strings</li> <li>Can introduce parsing errors or double‑encoding</li> </ul> <p><strong>URL‑safe Base64:</strong></p> <ul> <li>Substitutes <code>+</code> → <code>-</code> and <code>/</code> → <code>_</code> </li> <li>Omits or gracefully handles padding</li> <li>Safe to embed in URLs without extra encoding</li> </ul> <h2> The .NET 9 Base64Url Class <a></a> </h2> <p>The new class lives in the <code>System</code> namespace:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">namespace</span> <span class="nn">System</span> <span class="p">{</span> <span class="k">public</span> <span class="k">static</span> <span class="k">class</span> <span class="nc">Base64Url</span> <span class="p">{</span> <span class="k">public</span> <span class="k">static</span> <span class="kt">string</span> <span class="nf">Encode</span><span class="p">(</span><span class="kt">byte</span><span class="p">[]</span> <span class="n">data</span><span class="p">);</span> <span class="k">public</span> <span class="k">static</span> <span class="kt">byte</span><span class="p">[]</span> <span class="nf">Decode</span><span class="p">(</span><span class="kt">string</span> <span class="n">urlSafeBase64</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Key points:</strong></p> <ul> <li> <code>Encode(byte[])</code> produces a URL‑safe string (no <code>+</code>, <code>/</code>, or trailing <code>=</code>).</li> <li> <code>Decode(string)</code> accepts padded or unpadded URL‑safe Base64 strings.</li> </ul> <h2> Code Examples </h2> <h3> Encoding &amp; Decoding Strings <a></a> </h3> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">System</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System.Text</span><span class="p">;</span> <span class="k">class</span> <span class="nc">Program</span> <span class="p">{</span> <span class="k">static</span> <span class="k">void</span> <span class="nf">Main</span><span class="p">()</span> <span class="p">{</span> <span class="kt">string</span> <span class="n">original</span> <span class="p">=</span> <span class="s">"Hello, .NET 9!"</span><span class="p">;</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">bytes</span> <span class="p">=</span> <span class="n">Encoding</span><span class="p">.</span><span class="n">UTF8</span><span class="p">.</span><span class="nf">GetBytes</span><span class="p">(</span><span class="n">original</span><span class="p">);</span> <span class="c1">// Encode to URL-safe Base64</span> <span class="kt">string</span> <span class="n">encoded</span> <span class="p">=</span> <span class="n">Base64Url</span><span class="p">.</span><span class="nf">Encode</span><span class="p">(</span><span class="n">bytes</span><span class="p">);</span> <span class="n">Console</span><span class="p">.</span><span class="nf">WriteLine</span><span class="p">(</span><span class="s">$"Encoded: </span><span class="p">{</span><span class="n">encoded</span><span class="p">}</span><span class="s">"</span><span class="p">);</span> <span class="c1">// e.g. "SGVsbG8sIC5ORGVDOSA"</span> <span class="c1">// Decode back to bytes</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">decodedBytes</span> <span class="p">=</span> <span class="n">Base64Url</span><span class="p">.</span><span class="nf">Decode</span><span class="p">(</span><span class="n">encoded</span><span class="p">);</span> <span class="kt">string</span> <span class="n">decoded</span> <span class="p">=</span> <span class="n">Encoding</span><span class="p">.</span><span class="n">UTF8</span><span class="p">.</span><span class="nf">GetString</span><span class="p">(</span><span class="n">decodedBytes</span><span class="p">);</span> <span class="n">Console</span><span class="p">.</span><span class="nf">WriteLine</span><span class="p">(</span><span class="s">$"Decoded: </span><span class="p">{</span><span class="n">decoded</span><span class="p">}</span><span class="s">"</span><span class="p">);</span> <span class="c1">// "Hello, .NET 9!"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Working with Binary Data </h3> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">System</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System.Security.Cryptography</span><span class="p">;</span> <span class="k">class</span> <span class="nc">BinaryExample</span> <span class="p">{</span> <span class="k">static</span> <span class="k">void</span> <span class="nf">Main</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// Generate a random 32-byte key</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">key</span> <span class="p">=</span> <span class="n">RandomNumberGenerator</span><span class="p">.</span><span class="nf">GetBytes</span><span class="p">(</span><span class="m">32</span><span class="p">);</span> <span class="c1">// URL-safe encode the key</span> <span class="kt">string</span> <span class="n">keyToken</span> <span class="p">=</span> <span class="n">Base64Url</span><span class="p">.</span><span class="nf">Encode</span><span class="p">(</span><span class="n">key</span><span class="p">);</span> <span class="n">Console</span><span class="p">.</span><span class="nf">WriteLine</span><span class="p">(</span><span class="s">$"Key Token: </span><span class="p">{</span><span class="n">keyToken</span><span class="p">}</span><span class="s">"</span><span class="p">);</span> <span class="c1">// Later: decode back to raw key</span> <span class="kt">byte</span><span class="p">[]</span> <span class="n">rawKey</span> <span class="p">=</span> <span class="n">Base64Url</span><span class="p">.</span><span class="nf">Decode</span><span class="p">(</span><span class="n">keyToken</span><span class="p">);</span> <span class="n">Console</span><span class="p">.</span><span class="nf">WriteLine</span><span class="p">(</span><span class="s">$"Key Length: </span><span class="p">{</span><span class="n">rawKey</span><span class="p">.</span><span class="n">Length</span><span class="p">}</span><span class="s"> bytes"</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Integrating with ASP.NET Core </h3> <p>Embed URL‑safe tokens in query strings or headers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">app</span><span class="p">.</span><span class="nf">MapGet</span><span class="p">(</span><span class="s">"/token"</span><span class="p">,</span> <span class="p">()</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">payload</span> <span class="p">=</span> <span class="n">Encoding</span><span class="p">.</span><span class="n">UTF8</span><span class="p">.</span><span class="nf">GetBytes</span><span class="p">(</span><span class="s">"user-id=42;exp=1699999999"</span><span class="p">);</span> <span class="kt">var</span> <span class="n">token</span> <span class="p">=</span> <span class="n">Base64Url</span><span class="p">.</span><span class="nf">Encode</span><span class="p">(</span><span class="n">payload</span><span class="p">);</span> <span class="k">return</span> <span class="n">Results</span><span class="p">.</span><span class="nf">Ok</span><span class="p">(</span><span class="k">new</span> <span class="p">{</span> <span class="n">token</span> <span class="p">});</span> <span class="p">});</span> <span class="n">app</span><span class="p">.</span><span class="nf">MapGet</span><span class="p">(</span><span class="s">"/validate"</span><span class="p">,</span> <span class="p">(</span><span class="kt">string</span> <span class="n">token</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">data</span> <span class="p">=</span> <span class="n">Base64Url</span><span class="p">.</span><span class="nf">Decode</span><span class="p">(</span><span class="n">token</span><span class="p">);</span> <span class="kt">string</span> <span class="n">text</span> <span class="p">=</span> <span class="n">Encoding</span><span class="p">.</span><span class="n">UTF8</span><span class="p">.</span><span class="nf">GetString</span><span class="p">(</span><span class="n">data</span><span class="p">);</span> <span class="k">return</span> <span class="n">Results</span><span class="p">.</span><span class="nf">Ok</span><span class="p">(</span><span class="k">new</span> <span class="p">{</span> <span class="n">valid</span> <span class="p">=</span> <span class="k">true</span><span class="p">,</span> <span class="n">text</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="n">FormatException</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">Results</span><span class="p">.</span><span class="nf">BadRequest</span><span class="p">(</span><span class="s">"Invalid token format."</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <h2> Common Use Cases </h2> <ul> <li> <strong>JWT &amp; OIDC</strong> – JSON Web Tokens use URL‑safe Base64 for header and payload segments.</li> <li> <strong>Query Parameters</strong> – Pass binary data or state tokens without further URL encoding.</li> <li> <strong>Short-Lived URLs</strong> – Sign URLs for temporary access (e.g., presigned file downloads).</li> <li> <strong>Embedded Metadata</strong> – Include user data in links or forms safely.</li> </ul> <h2> Best Practices </h2> <ul> <li> <strong>Validate Input</strong>: Always wrap <code>Decode</code> in try/catch to handle malformed input.</li> <li> <strong>Avoid Manual Padding</strong>: Let <code>Base64Url</code> handle padding rules automatically.</li> <li> <strong>Use in HTTPS</strong>: Although URL‑safe, still transmit sensitive tokens over secure channels.</li> <li> <strong>Log &amp; Monitor</strong>: Track decode failures to detect tampering or abuse.</li> <li> <strong>Cache Heavy Operations</strong>: If encoding large blobs frequently, consider caching results.</li> </ul> <h2> Conclusion </h2> <p>.NET 9’s <code>Base64Url</code> class simplifies URL‑safe encoding and decoding with a clean, reliable API. Whether you’re building authentication tokens, passing data in query strings, or signing URLs, <code>Base64Url</code> should be your go‑to tool.</p> <p>Give it a try in your next .NET 9 project, and let me know how you use it!</p> <p><strong>Happy coding!</strong></p> csharp dotnet programming tutorial Secure Authentication & Authorization in ASP.NET Core 9.0: A Step-by-Step Guide Leandro Veiga Sat, 19 Apr 2025 22:21:31 +0000 https://dev.to/leandroveiga/secure-authentication-authorization-in-aspnet-core-90-a-step-by-step-guide-36ll https://dev.to/leandroveiga/secure-authentication-authorization-in-aspnet-core-90-a-step-by-step-guide-36ll <p>In this post, we’ll walk through how to implement robust and secure authentication and authorization in ASP.NET Core 9.0. You’ll learn to leverage the newest APIs, configure JWT and cookie authentication, define fine‑grained policies, and apply best practices to protect your web apps and APIs.</p> <h2> Table of Contents </h2> <ul> <li>Introduction</li> <li>What’s New in ASP.NET Core 9.0 Auth</li> <li> Setting Up Authentication <ul> <li>JWT Bearer Authentication</li> <li>Cookie Authentication</li> </ul> </li> <li>Configuring Authorization Policies</li> <li>Securing Minimal APIs &amp; MVC Endpoints</li> <li>Best Practices for Secure Auth</li> <li>Conclusion</li> </ul> <h2> Introduction </h2> <p>Authentication verifies who a user is, while authorization controls what they can do. ASP.NET Core 9.0 introduces more streamlined and secure defaults for both. In this guide, we'll:</p> <ul> <li>Explain new authentication/authorization APIs</li> <li>Show code examples for JWT and cookie auth</li> <li>Define policy‑ and role‑based access</li> <li>Apply auth to Minimal APIs and MVC controllers</li> <li>Cover best practices to harden your application</li> </ul> <h2> What’s New in ASP.NET Core 9.0 Auth <a></a> </h2> <p>ASP.NET Core 9.0 enhances the security and developer experience by:</p> <ul> <li> <strong>Simplified Configuration</strong>: New extension overloads reduce boilerplate in Program.cs.</li> <li> <strong>Built‑In Secure Defaults</strong>: Enforces HTTPS, SameSite cookie mode, and stricter token validation by default.</li> <li> <strong>Endpoint‑Level Authorization</strong>: Fine‑grained <code>RequireAuthorization</code> with policy chaining for Minimal APIs.</li> <li> <strong>Improved DI for Auth Handlers</strong>: Custom handlers can now request scoped services directly, making policies more powerful.</li> </ul> <h2> Setting Up Authentication </h2> <p>In <code>Program.cs</code>, add authentication services before building the app:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="kt">var</span> <span class="n">builder</span> <span class="p">=</span> <span class="n">WebApplication</span><span class="p">.</span><span class="nf">CreateBuilder</span><span class="p">(</span><span class="n">args</span><span class="p">);</span> <span class="c1">// 1. Add Authentication &amp; configure schemes</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddAuthentication</span><span class="p">(</span><span class="n">options</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">options</span><span class="p">.</span><span class="n">DefaultAuthenticateScheme</span> <span class="p">=</span> <span class="n">JwtBearerDefaults</span><span class="p">.</span><span class="n">AuthenticationScheme</span><span class="p">;</span> <span class="n">options</span><span class="p">.</span><span class="n">DefaultChallengeScheme</span> <span class="p">=</span> <span class="n">JwtBearerDefaults</span><span class="p">.</span><span class="n">AuthenticationScheme</span><span class="p">;</span> <span class="p">})</span> <span class="p">.</span><span class="nf">AddJwtBearer</span><span class="p">(</span><span class="n">options</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">options</span><span class="p">.</span><span class="n">TokenValidationParameters</span> <span class="p">=</span> <span class="k">new</span> <span class="n">TokenValidationParameters</span> <span class="p">{</span> <span class="n">ValidateIssuer</span> <span class="p">=</span> <span class="k">true</span><span class="p">,</span> <span class="n">ValidateAudience</span> <span class="p">=</span> <span class="k">true</span><span class="p">,</span> <span class="n">ValidateLifetime</span> <span class="p">=</span> <span class="k">true</span><span class="p">,</span> <span class="n">ValidIssuer</span> <span class="p">=</span> <span class="n">builder</span><span class="p">.</span><span class="n">Configuration</span><span class="p">[</span><span class="s">"Jwt:Issuer"</span><span class="p">],</span> <span class="n">ValidAudience</span> <span class="p">=</span> <span class="n">builder</span><span class="p">.</span><span class="n">Configuration</span><span class="p">[</span><span class="s">"Jwt:Audience"</span><span class="p">],</span> <span class="n">IssuerSigningKey</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">SymmetricSecurityKey</span><span class="p">(</span> <span class="n">Encoding</span><span class="p">.</span><span class="n">UTF8</span><span class="p">.</span><span class="nf">GetBytes</span><span class="p">(</span><span class="n">builder</span><span class="p">.</span><span class="n">Configuration</span><span class="p">[</span><span class="s">"Jwt:Key"</span><span class="p">]))</span> <span class="p">};</span> <span class="p">})</span> <span class="p">.</span><span class="nf">AddCookie</span><span class="p">(</span><span class="s">"MyCookie"</span><span class="p">,</span> <span class="n">options</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">options</span><span class="p">.</span><span class="n">Cookie</span><span class="p">.</span><span class="n">HttpOnly</span> <span class="p">=</span> <span class="k">true</span><span class="p">;</span> <span class="n">options</span><span class="p">.</span><span class="n">Cookie</span><span class="p">.</span><span class="n">SameSite</span> <span class="p">=</span> <span class="n">SameSiteMode</span><span class="p">.</span><span class="n">Strict</span><span class="p">;</span> <span class="n">options</span><span class="p">.</span><span class="n">LoginPath</span> <span class="p">=</span> <span class="s">"/account/login"</span><span class="p">;</span> <span class="n">options</span><span class="p">.</span><span class="n">ExpireTimeSpan</span> <span class="p">=</span> <span class="n">TimeSpan</span><span class="p">.</span><span class="nf">FromMinutes</span><span class="p">(</span><span class="m">30</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h3> JWT Bearer Authentication </h3> <p>Issue tokens from your auth controller and validate them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">app</span><span class="p">.</span><span class="nf">MapPost</span><span class="p">(</span><span class="s">"/token"</span><span class="p">,</span> <span class="p">([</span><span class="n">FromServices</span><span class="p">]</span> <span class="n">IConfiguration</span> <span class="n">config</span><span class="p">,</span> <span class="n">UserCredentials</span> <span class="n">creds</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nf">ValidateUser</span><span class="p">(</span><span class="n">creds</span><span class="p">))</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">claims</span> <span class="p">=</span> <span class="k">new</span><span class="p">[]</span> <span class="p">{</span> <span class="k">new</span> <span class="nf">Claim</span><span class="p">(</span><span class="n">ClaimTypes</span><span class="p">.</span><span class="n">Name</span><span class="p">,</span> <span class="n">creds</span><span class="p">.</span><span class="n">Username</span><span class="p">),</span> <span class="k">new</span> <span class="nf">Claim</span><span class="p">(</span><span class="n">ClaimTypes</span><span class="p">.</span><span class="n">Role</span><span class="p">,</span> <span class="s">"Admin"</span><span class="p">)</span> <span class="p">};</span> <span class="kt">var</span> <span class="n">key</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">SymmetricSecurityKey</span><span class="p">(</span><span class="n">Encoding</span><span class="p">.</span><span class="n">UTF8</span><span class="p">.</span><span class="nf">GetBytes</span><span class="p">(</span><span class="n">config</span><span class="p">[</span><span class="s">"Jwt:Key"</span><span class="p">]));</span> <span class="kt">var</span> <span class="n">token</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">JwtSecurityToken</span><span class="p">(</span> <span class="n">issuer</span><span class="p">:</span> <span class="n">config</span><span class="p">[</span><span class="s">"Jwt:Issuer"</span><span class="p">],</span> <span class="n">audience</span><span class="p">:</span> <span class="n">config</span><span class="p">[</span><span class="s">"Jwt:Audience"</span><span class="p">],</span> <span class="n">claims</span><span class="p">:</span> <span class="n">claims</span><span class="p">,</span> <span class="n">expires</span><span class="p">:</span> <span class="n">DateTime</span><span class="p">.</span><span class="n">UtcNow</span><span class="p">.</span><span class="nf">AddMinutes</span><span class="p">(</span><span class="m">15</span><span class="p">),</span> <span class="n">signingCredentials</span><span class="p">:</span> <span class="k">new</span> <span class="nf">SigningCredentials</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">SecurityAlgorithms</span><span class="p">.</span><span class="n">HmacSha256</span><span class="p">));</span> <span class="k">return</span> <span class="n">Results</span><span class="p">.</span><span class="nf">Ok</span><span class="p">(</span><span class="k">new</span> <span class="p">{</span> <span class="n">token</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">JwtSecurityTokenHandler</span><span class="p">().</span><span class="nf">WriteToken</span><span class="p">(</span><span class="n">token</span><span class="p">)</span> <span class="p">});</span> <span class="p">}</span> <span class="k">return</span> <span class="n">Results</span><span class="p">.</span><span class="nf">Unauthorized</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <h3> Cookie Authentication </h3> <p>For server‑rendered apps or safe XSRF flows, use cookies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">app</span><span class="p">.</span><span class="nf">MapPost</span><span class="p">(</span><span class="s">"/account/login"</span><span class="p">,</span> <span class="k">async</span> <span class="p">(</span><span class="n">HttpContext</span> <span class="n">http</span><span class="p">,</span> <span class="n">UserCredentials</span> <span class="n">creds</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nf">ValidateUser</span><span class="p">(</span><span class="n">creds</span><span class="p">))</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">claims</span> <span class="p">=</span> <span class="k">new</span> <span class="n">List</span><span class="p">&lt;</span><span class="n">Claim</span><span class="p">&gt;</span> <span class="p">{</span> <span class="k">new</span> <span class="nf">Claim</span><span class="p">(</span><span class="n">ClaimTypes</span><span class="p">.</span><span class="n">Name</span><span class="p">,</span> <span class="n">creds</span><span class="p">.</span><span class="n">Username</span><span class="p">),</span> <span class="k">new</span> <span class="nf">Claim</span><span class="p">(</span><span class="n">ClaimTypes</span><span class="p">.</span><span class="n">Role</span><span class="p">,</span> <span class="s">"User"</span><span class="p">)</span> <span class="p">};</span> <span class="kt">var</span> <span class="n">claimsIdentity</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">ClaimsIdentity</span><span class="p">(</span><span class="n">claims</span><span class="p">,</span> <span class="s">"MyCookie"</span><span class="p">);</span> <span class="k">await</span> <span class="n">http</span><span class="p">.</span><span class="nf">SignInAsync</span><span class="p">(</span><span class="s">"MyCookie"</span><span class="p">,</span> <span class="k">new</span> <span class="nf">ClaimsPrincipal</span><span class="p">(</span><span class="n">claimsIdentity</span><span class="p">));</span> <span class="k">return</span> <span class="n">Results</span><span class="p">.</span><span class="nf">Redirect</span><span class="p">(</span><span class="s">"/"</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="n">Results</span><span class="p">.</span><span class="nf">Unauthorized</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <h2> Configuring Authorization Policies </h2> <p>Define policies in <code>Program.cs</code> before <code>builder.Build()</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddAuthorization</span><span class="p">(</span><span class="n">options</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">options</span><span class="p">.</span><span class="nf">AddPolicy</span><span class="p">(</span><span class="s">"AdminOnly"</span><span class="p">,</span> <span class="n">policy</span> <span class="p">=&gt;</span> <span class="n">policy</span><span class="p">.</span><span class="nf">RequireAuthenticatedUser</span><span class="p">()</span> <span class="p">.</span><span class="nf">RequireRole</span><span class="p">(</span><span class="s">"Admin"</span><span class="p">));</span> <span class="n">options</span><span class="p">.</span><span class="nf">AddPolicy</span><span class="p">(</span><span class="s">"Over18"</span><span class="p">,</span> <span class="n">policy</span> <span class="p">=&gt;</span> <span class="n">policy</span><span class="p">.</span><span class="nf">RequireClaim</span><span class="p">(</span><span class="s">"DateOfBirth"</span><span class="p">)</span> <span class="p">.</span><span class="nf">RequireAssertion</span><span class="p">(</span><span class="n">context</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">dob</span> <span class="p">=</span> <span class="n">DateTime</span><span class="p">.</span><span class="nf">Parse</span><span class="p">(</span><span class="n">context</span><span class="p">.</span><span class="n">User</span><span class="p">.</span><span class="nf">FindFirstValue</span><span class="p">(</span><span class="s">"DateOfBirth"</span><span class="p">)!);</span> <span class="k">return</span> <span class="p">(</span><span class="n">DateTime</span><span class="p">.</span><span class="n">Today</span> <span class="p">-</span> <span class="n">dob</span><span class="p">).</span><span class="n">TotalDays</span> <span class="p">&gt;=</span> <span class="m">18</span> <span class="p">*</span> <span class="m">365</span><span class="p">;</span> <span class="p">}));</span> <span class="p">});</span> </code></pre> </div> <p>Use custom authorization handlers for complex logic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">public</span> <span class="k">class</span> <span class="nc">MinimumAgeHandler</span> <span class="p">:</span> <span class="n">AuthorizationHandler</span><span class="p">&lt;</span><span class="n">MinimumAgeRequirement</span><span class="p">&gt;</span> <span class="p">{</span> <span class="k">protected</span> <span class="k">override</span> <span class="n">Task</span> <span class="nf">HandleRequirementAsync</span><span class="p">(</span> <span class="n">AuthorizationHandlerContext</span> <span class="n">context</span><span class="p">,</span> <span class="n">MinimumAgeRequirement</span> <span class="n">requirement</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="n">context</span><span class="p">.</span><span class="n">User</span><span class="p">.</span><span class="nf">HasClaim</span><span class="p">(</span><span class="n">c</span> <span class="p">=&gt;</span> <span class="n">c</span><span class="p">.</span><span class="n">Type</span> <span class="p">==</span> <span class="n">ClaimTypes</span><span class="p">.</span><span class="n">DateOfBirth</span><span class="p">)</span> <span class="p">&amp;&amp;</span> <span class="n">DateTime</span><span class="p">.</span><span class="nf">TryParse</span><span class="p">(</span><span class="n">context</span><span class="p">.</span><span class="n">User</span><span class="p">.</span><span class="nf">FindFirstValue</span><span class="p">(</span><span class="n">ClaimTypes</span><span class="p">.</span><span class="n">DateOfBirth</span><span class="p">),</span> <span class="k">out</span> <span class="kt">var</span> <span class="n">dob</span><span class="p">))</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">age</span> <span class="p">=</span> <span class="p">(</span><span class="n">DateTime</span><span class="p">.</span><span class="n">Today</span> <span class="p">-</span> <span class="n">dob</span><span class="p">).</span><span class="n">TotalDays</span> <span class="p">/</span> <span class="m">365</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="n">age</span> <span class="p">&gt;=</span> <span class="n">requirement</span><span class="p">.</span><span class="n">MinimumAge</span><span class="p">)</span> <span class="n">context</span><span class="p">.</span><span class="nf">Succeed</span><span class="p">(</span><span class="n">requirement</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="n">Task</span><span class="p">.</span><span class="n">CompletedTask</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Securing Minimal APIs &amp; MVC Endpoints <a></a> </h2> <p>After <code>app.UseAuthentication(); app.UseAuthorization();</code>, apply policies:</p> <p><strong>Minimal API</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">app</span><span class="p">.</span><span class="nf">MapGet</span><span class="p">(</span><span class="s">"/admin/data"</span><span class="p">,</span> <span class="p">()</span> <span class="p">=&gt;</span> <span class="s">"Secret Data"</span><span class="p">)</span> <span class="p">.</span><span class="nf">RequireAuthorization</span><span class="p">(</span><span class="s">"AdminOnly"</span><span class="p">);</span> </code></pre> </div> <p><strong>MVC Controller</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="p">[</span><span class="nf">Authorize</span><span class="p">(</span><span class="n">Policy</span> <span class="p">=</span> <span class="s">"Over18"</span><span class="p">)]</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">ContentController</span> <span class="p">:</span> <span class="n">Controller</span> <span class="p">{</span> <span class="k">public</span> <span class="n">IActionResult</span> <span class="nf">AdultSection</span><span class="p">()</span> <span class="p">=&gt;</span> <span class="nf">View</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Best Practices for Secure Auth </h2> <ul> <li> <strong>Use HTTPS Everywhere</strong>: Enforce <code>app.UseHttpsRedirection()</code>.</li> <li> <strong>Short‑Lived Tokens &amp; Refresh</strong>: Limit exposure if a token is stolen.</li> <li> <strong>Secure Cookie Flags</strong>: <code>HttpOnly</code>, <code>Secure</code>, <code>SameSite=Strict</code>.</li> <li> <strong>Validate Inputs &amp; Claims</strong>: Never trust unvalidated data in claims.</li> <li> <strong>Centralize Policy Definitions</strong>: Keep auth rules in one place.</li> <li> <strong>Monitor &amp; Log</strong>: Track failed logins, token validation errors, and policy denials.</li> </ul> <h2> Conclusion </h2> <p>Secure authentication and authorization are critical for any modern web application. ASP.NET Core 9.0’s new APIs make it easier to configure robust auth flows, from JWT to cookie schemes, plus powerful policy‑based authorization. By following the examples and best practices above, you can build applications that are both secure and maintainable.</p> <p>Feel free to leave questions or feedback in the comments below—happy coding!</p> csharp dotnet security api Deploying .NET 8 Minimal APIs to Azure with CI/CD: A Step-by-Step Guide Leandro Veiga Wed, 16 Apr 2025 22:13:09 +0000 https://dev.to/leandroveiga/deploying-net-8-minimal-apis-to-azure-with-cicd-a-step-by-step-guide-2a4o https://dev.to/leandroveiga/deploying-net-8-minimal-apis-to-azure-with-cicd-a-step-by-step-guide-2a4o <p>In this post, we'll explore how to deploy your .NET 8 Minimal APIs to Azure using CI/CD pipelines. Leveraging automated deployment tools like GitHub Actions or Azure Pipelines can streamline your release process, reduce manual errors, and allow you to focus on building great applications.</p> <h2> Table of Contents </h2> <ul> <li>Introduction</li> <li>Prerequisites</li> <li>Preparing Your .NET 8 Minimal API Project</li> <li> Setting Up CI/CD Pipelines <ul> <li>Using GitHub Actions</li> <li>Using Azure Pipelines</li> </ul> </li> <li>Best Practices for CI/CD Deployments</li> <li>Conclusion</li> </ul> <h2> Introduction </h2> <p>Deploying your .NET 8 Minimal APIs to Azure is a critical step in delivering your application to users. Automating this process with CI/CD pipelines can significantly enhance your development workflow. In this guide, we will walk through setting up a CI/CD pipeline using both GitHub Actions and Azure Pipelines, providing code examples and best practices along the way.</p> <h2> Prerequisites </h2> <p>Before getting started, ensure you have the following:</p> <ul> <li>A working .NET 8 Minimal API project.</li> <li>An active Azure account.</li> <li>An Azure App Service for hosting your API.</li> <li>A GitHub repository for your project (if using GitHub Actions) or Azure DevOps account (if using Azure Pipelines).</li> </ul> <h2> Preparing Your .NET 8 Minimal API Project </h2> <p>For demonstration, let's assume your project structure is similar to the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>MyMinimalApi/ ├── Program.cs ├── MyMinimalApi.csproj └── appsettings.json </code></pre> </div> <p>In your <code>Program.cs</code>, you might have something like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="kt">var</span> <span class="n">builder</span> <span class="p">=</span> <span class="n">WebApplication</span><span class="p">.</span><span class="nf">CreateBuilder</span><span class="p">(</span><span class="n">args</span><span class="p">);</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddEndpointsApiExplorer</span><span class="p">();</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddSwaggerGen</span><span class="p">();</span> <span class="kt">var</span> <span class="n">app</span> <span class="p">=</span> <span class="n">builder</span><span class="p">.</span><span class="nf">Build</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="n">app</span><span class="p">.</span><span class="n">Environment</span><span class="p">.</span><span class="nf">IsDevelopment</span><span class="p">())</span> <span class="p">{</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseSwagger</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseSwaggerUI</span><span class="p">();</span> <span class="p">}</span> <span class="n">app</span><span class="p">.</span><span class="nf">MapGet</span><span class="p">(</span><span class="s">"/"</span><span class="p">,</span> <span class="p">()</span> <span class="p">=&gt;</span> <span class="s">"Hello from .NET 8 Minimal API!"</span><span class="p">);</span> <span class="n">app</span><span class="p">.</span><span class="nf">Run</span><span class="p">();</span> </code></pre> </div> <p>Make sure your API is ready for production by configuring settings such as environment variables, logging, and error handling.</p> <h2> Setting Up CI/CD Pipelines </h2> <h3> Using GitHub Actions </h3> <p>GitHub Actions provides an easy way to automate your deployment process. Create a workflow file in your repository at <code>.github/workflows/azure-deploy.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to Azure</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build-and-deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup .NET</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-dotnet@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">dotnet-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">8.0.x'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Restore dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="s">dotnet restore</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build</span> <span class="na">run</span><span class="pi">:</span> <span class="s">dotnet build --configuration Release --no-restore</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Publish</span> <span class="na">run</span><span class="pi">:</span> <span class="s">dotnet publish -c Release -o ./publish --no-build</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to Azure Web App</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">azure/webapps-deploy@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">app-name</span><span class="pi">:</span> <span class="s">YOUR_AZURE_APP_SERVICE_NAME</span> <span class="na">publish-profile</span><span class="pi">:</span> <span class="s">${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}</span> <span class="na">package</span><span class="pi">:</span> <span class="s">./publish</span> </code></pre> </div> <p><strong>Explanation</strong>:</p> <ul> <li>This workflow triggers on pushes to the <code>main</code> branch.</li> <li>It checks out your repository, sets up the .NET environment, restores dependencies, builds, and publishes your project.</li> <li>Finally, it deploys the published files to your Azure Web App using a publish profile stored in GitHub Secrets.</li> </ul> <h3> Using Azure Pipelines </h3> <p>If you prefer using Azure Pipelines, create a file named <code>azure-pipelines.yml</code> in the root of your repository:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">trigger</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="na">include</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">pool</span><span class="pi">:</span> <span class="na">vmImage</span><span class="pi">:</span> <span class="s1">'</span><span class="s">ubuntu-latest'</span> <span class="na">variables</span><span class="pi">:</span> <span class="na">buildConfiguration</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Release'</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">UseDotNet@2</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">packageType</span><span class="pi">:</span> <span class="s1">'</span><span class="s">sdk'</span> <span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">8.0.x'</span> <span class="na">installationPath</span><span class="pi">:</span> <span class="s">$(Agent.ToolsDirectory)/dotnet</span> <span class="pi">-</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">dotnet restore</span> <span class="na">displayName</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Restore</span><span class="nv"> </span><span class="s">Dependencies'</span> <span class="pi">-</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">dotnet build --configuration $(buildConfiguration) --no-restore</span> <span class="na">displayName</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Build</span><span class="nv"> </span><span class="s">Project'</span> <span class="pi">-</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">dotnet publish --configuration $(buildConfiguration) -o $(Build.ArtifactStagingDirectory) --no-build</span> <span class="na">displayName</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Publish</span><span class="nv"> </span><span class="s">Project'</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">PublishBuildArtifacts@1</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">PathtoPublish</span><span class="pi">:</span> <span class="s1">'</span><span class="s">$(Build.ArtifactStagingDirectory)'</span> <span class="na">ArtifactName</span><span class="pi">:</span> <span class="s1">'</span><span class="s">drop'</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">AzureWebApp@1</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">azureSubscription</span><span class="pi">:</span> <span class="s1">'</span><span class="s">YOUR_AZURE_SUBSCRIPTION'</span> <span class="na">appType</span><span class="pi">:</span> <span class="s1">'</span><span class="s">webApp'</span> <span class="na">appName</span><span class="pi">:</span> <span class="s1">'</span><span class="s">YOUR_AZURE_APP_SERVICE_NAME'</span> <span class="na">package</span><span class="pi">:</span> <span class="s1">'</span><span class="s">$(Build.ArtifactStagingDirectory)'</span> </code></pre> </div> <p><strong>Explanation</strong>:</p> <ul> <li>This pipeline is triggered on the <code>main</code> branch.</li> <li>It uses a hosted Ubuntu agent, restores dependencies, builds, and publishes your project.</li> <li>The built artifacts are then deployed to your Azure Web App.</li> </ul> <h2> Best Practices for CI/CD Deployments </h2> <ul> <li> <strong>Automate Testing</strong>: Integrate automated tests in your pipeline to catch issues before deployment.</li> <li> <strong>Use Secrets Management</strong>: Store sensitive information such as API keys and publish profiles in secure vaults or CI/CD secret stores.</li> <li> <strong>Implement Rollbacks</strong>: Consider strategies to automatically rollback deployments if errors occur.</li> <li> <strong>Monitor Deployments</strong>: Utilize Azure Monitor and Application Insights to track the health and performance of your deployed application.</li> <li> <strong>Version Control</strong>: Tag your releases and maintain version history to facilitate easier deployments and troubleshooting.</li> </ul> <h2> Conclusion </h2> <p>Automating the deployment of your .NET 8 Minimal APIs with CI/CD pipelines on Azure can significantly enhance your development workflow and ensure reliable delivery of your applications. Whether you choose GitHub Actions or Azure Pipelines, using the best practices from this guide will help you build a robust and secure deployment process.</p> <p>Happy coding, and feel free to share your thoughts or questions in the comments below!</p> csharp dotnet tutorial api Building RESTful APIs with .NET 8: Essential Best Practices for Performance and Security Leandro Veiga Tue, 08 Apr 2025 18:00:00 +0000 https://dev.to/leandroveiga/building-restful-apis-with-net-8-essential-best-practices-for-performance-and-security-519l https://dev.to/leandroveiga/building-restful-apis-with-net-8-essential-best-practices-for-performance-and-security-519l <p>In this guide, we will discuss how to build RESTful APIs with .NET 8 that are both high-performance and secure. Whether you’re new to API development or looking to enhance your current projects, this article walks you through the best practices, practical examples, and key strategies to create robust RESTful APIs using .NET 8.</p> <h2> Table of Contents </h2> <h2> Table of Contents </h2> <ul> <li>Introduction</li> <li>Understanding RESTful APIs in .NET 8</li> <li>Setting Up Your .NET 8 API Project</li> <li>Code Samples: Building a Simple RESTful API</li> <li>Best Practices for Performance</li> <li>Best Practices for Security</li> <li>Conclusion</li> </ul> <h2> Introduction </h2> <p>RESTful APIs are the backbone of modern web and mobile applications, allowing easy communication and data exchange across platforms. With .NET 8, developers can leverage powerful features to build APIs that are not only efficient and scalable but also secure against common threats. This article provides a comprehensive overview of techniques and practices necessary to achieve these goals.</p> <h2> Understanding RESTful APIs in .NET 8 </h2> <p>REST (Representational State Transfer) is a popular architectural style that uses standard HTTP methods for communication. In the context of .NET 8, RESTful APIs benefit from:</p> <ul> <li> <strong>Minimal API Enhancements</strong>: Simplified routing and fewer boilerplate codes.</li> <li> <strong>Integrated Middleware</strong>: Built-in support for dependency injection, authentication, and authorization.</li> <li> <strong>High Performance</strong>: Optimized for low latency and efficient resource utilization.</li> </ul> <p>Understanding these fundamentals is the first step in creating powerful RESTful services.</p> <h2> Setting Up Your .NET 8 API Project </h2> <p>To get started with building a RESTful API in .NET 8, follow these simple steps:</p> <h3> Create a New Project: </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dotnet new web <span class="nt">-n</span> RestfulApiExample <span class="nb">cd </span>RestfulApiExample </code></pre> </div> <h3> Configure the Project: </h3> <p>Use the default setup which includes essential middleware components in <code>Program.cs</code>. We’ll build upon this structure to incorporate best practices for performance and security.</p> <h2> Code Samples: Building a Simple RESTful API </h2> <p>Below is an example of a minimal RESTful API built with .NET 8. This endpoint fetches a list of products as an example.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">Microsoft.AspNetCore.Builder</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.Extensions.DependencyInjection</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.Extensions.Hosting</span><span class="p">;</span> <span class="kt">var</span> <span class="n">builder</span> <span class="p">=</span> <span class="n">WebApplication</span><span class="p">.</span><span class="nf">CreateBuilder</span><span class="p">(</span><span class="n">args</span><span class="p">);</span> <span class="c1">// Register services (e.g., database context, repositories, etc.)</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddEndpointsApiExplorer</span><span class="p">();</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddSwaggerGen</span><span class="p">();</span> <span class="kt">var</span> <span class="n">app</span> <span class="p">=</span> <span class="n">builder</span><span class="p">.</span><span class="nf">Build</span><span class="p">();</span> <span class="c1">// Enable middleware for development</span> <span class="k">if</span> <span class="p">(</span><span class="n">app</span><span class="p">.</span><span class="n">Environment</span><span class="p">.</span><span class="nf">IsDevelopment</span><span class="p">())</span> <span class="p">{</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseSwagger</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseSwaggerUI</span><span class="p">();</span> <span class="p">}</span> <span class="c1">// Global middleware for error handling (optional and recommended)</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseExceptionHandler</span><span class="p">(</span><span class="s">"/error"</span><span class="p">);</span> <span class="c1">// Basic GET endpoint for products</span> <span class="n">app</span><span class="p">.</span><span class="nf">MapGet</span><span class="p">(</span><span class="s">"/products"</span><span class="p">,</span> <span class="p">()</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">products</span> <span class="p">=</span> <span class="k">new</span><span class="p">[]</span> <span class="p">{</span> <span class="k">new</span> <span class="p">{</span> <span class="n">Id</span> <span class="p">=</span> <span class="m">1</span><span class="p">,</span> <span class="n">Name</span> <span class="p">=</span> <span class="s">"Laptop"</span><span class="p">,</span> <span class="n">Price</span> <span class="p">=</span> <span class="m">999.99</span> <span class="p">},</span> <span class="k">new</span> <span class="p">{</span> <span class="n">Id</span> <span class="p">=</span> <span class="m">2</span><span class="p">,</span> <span class="n">Name</span> <span class="p">=</span> <span class="s">"Smartphone"</span><span class="p">,</span> <span class="n">Price</span> <span class="p">=</span> <span class="m">499.99</span> <span class="p">},</span> <span class="k">new</span> <span class="p">{</span> <span class="n">Id</span> <span class="p">=</span> <span class="m">3</span><span class="p">,</span> <span class="n">Name</span> <span class="p">=</span> <span class="s">"Tablet"</span><span class="p">,</span> <span class="n">Price</span> <span class="p">=</span> <span class="m">299.99</span> <span class="p">}</span> <span class="p">};</span> <span class="k">return</span> <span class="n">Results</span><span class="p">.</span><span class="nf">Ok</span><span class="p">(</span><span class="n">products</span><span class="p">);</span> <span class="p">})</span> <span class="p">.</span><span class="nf">WithName</span><span class="p">(</span><span class="s">"GetProducts"</span><span class="p">)</span> <span class="p">.</span><span class="nf">Produces</span><span class="p">(</span><span class="m">200</span><span class="p">);</span> <span class="n">app</span><span class="p">.</span><span class="nf">Run</span><span class="p">();</span> </code></pre> </div> <h3> Explanation </h3> <ul> <li> <strong>Minimal APIs</strong>: We use minimal API syntax to create cleaner and more efficient endpoints.</li> <li> <strong>Swagger Integration</strong>: Adding Swagger supports API documentation which is essential for development and debugging.</li> <li> <strong>Error Handling</strong>: Global error handling middleware improves reliability and security by avoiding unhandled exceptions.</li> </ul> <h2> Best Practices for Performance </h2> <p>To ensure your RESTful API performs optimally, consider these best practices:</p> <h3> Caching </h3> <ul> <li>Use in-memory caching or distributed caching (e.g., Redis) to reduce database calls.</li> <li>Cache frequently accessed data.</li> </ul> <h3> Asynchronous Programming </h3> <ul> <li>Make use of <code>async/await</code> to prevent thread blocking.</li> <li>Optimize I/O operations to scale under heavy loads.</li> </ul> <h3> Rate Limiting </h3> <ul> <li>Implement rate limiting to prevent abuse and ensure fair usage among clients.</li> <li>Utilize built-in middleware in .NET 8 or external libraries.</li> </ul> <h3> Profiling and Monitoring </h3> <ul> <li>Monitor your API with tools such as Application Insights, Prometheus, or ELK Stack.</li> <li>Regularly profile your application to identify performance bottlenecks.</li> </ul> <h2> Best Practices for Security </h2> <p>Securing your API is crucial. Here are some effective strategies:</p> <h3> Authentication and Authorization </h3> <ul> <li>Use robust authentication mechanisms like JWT (JSON Web Tokens) or OAuth2.</li> <li>Implement role-based access control to authorize user actions.</li> </ul> <h3> HTTPS </h3> <ul> <li>Enforce HTTPS to secure data in transit.</li> <li>Redirect HTTP requests to HTTPS using middleware.</li> </ul> <h3> Data Validation </h3> <ul> <li>Validate all input data to prevent SQL injection, XSS, and other common attacks.</li> <li>Use data annotations and custom validation logic where appropriate.</li> </ul> <h3> Error Handling </h3> <ul> <li>Avoid exposing sensitive error information in production.</li> <li>Use custom error pages and logging for monitoring purposes.</li> </ul> <h3> CORS (Cross-Origin Resource Sharing) </h3> <ul> <li>Configure CORS policies to restrict which domains can access your API.</li> <li>Protect your API from unauthorized cross-origin requests.</li> </ul> <h2> Conclusion </h2> <p>Building RESTful APIs with .NET 8 offers a modern approach to developing high-performance, secure services. By following the best practices for both performance and security, you ensure that your API not only meets business requirements but also provides a smooth and secure experience for users. Whether you’re leveraging minimal API enhancements or traditional MVC patterns, the strategies and examples provided in this guide will help you design robust, maintainable APIs.</p> <p>Happy coding, and feel free to leave your thoughts or questions in the comments below!</p> csharp dotnet tutorial beginners Integrating Azure Cognitive Services in .NET 8 Minimal APIs: A Practical AI Guide Leandro Veiga Sat, 05 Apr 2025 15:53:39 +0000 https://dev.to/leandroveiga/integrating-azure-cognitive-services-in-net-8-minimal-apis-a-practical-ai-guide-50n https://dev.to/leandroveiga/integrating-azure-cognitive-services-in-net-8-minimal-apis-a-practical-ai-guide-50n <p>In this post, we'll explore how to harness the power of Azure Cognitive Services within your .NET 8 Minimal APIs. Whether you're building applications that require sentiment analysis, language detection, or image processing, integrating Azure AI services can help elevate your application's intelligence with minimal effort.</p> <h2> Table of Contents </h2> <ul> <li> Introduction </li> <li> Why Use Azure Cognitive Services with .NET 8 Minimal APIs? </li> <li> Setting Up Your Azure Cognitive Services Environment </li> <li> Code Example: Integrating Cognitive Services into a Minimal API </li> <li> Best Practices and Usage Guidelines </li> <li> Conclusion </li> </ul> <h2> Introduction </h2> <p>Microsoft Azure Cognitive Services offer a suite of AI-powered tools that can analyze text, images, videos, and more. By integrating these services into your .NET 8 Minimal APIs, you can build smarter applications that provide advanced functionality—such as sentiment analysis or image recognition—with minimal setup.</p> <p>In this guide, we'll walk through the process of setting up Azure Cognitive Services and demonstrate how to incorporate AI features into your API endpoints.</p> <h2> Why Use Azure Cognitive Services with .NET 8 Minimal APIs? </h2> <p>.NET 8 Minimal APIs provide a lightweight and efficient way to build HTTP APIs with less boilerplate code. Combining this approach with Azure Cognitive Services gives you several advantages:</p> <ul> <li> <strong>Rapid AI Integration</strong>: Quickly add AI capabilities such as language understanding, sentiment analysis, and translation.</li> <li> <strong>Scalability</strong>: Leverage Azure's scalable cloud services to handle large volumes of data or high request rates.</li> <li> <strong>Simplicity</strong>: Use a lean codebase to implement complex AI features without overcomplicating your project.</li> <li> <strong>Flexibility</strong>: Integrate various AI models provided by Azure to tailor your solution to specific business needs.</li> </ul> <h2> Setting Up Your Azure Cognitive Services Environment </h2> <p>Before integrating Azure Cognitive Services in your .NET application, you'll need to:</p> <h3> 1. Create a Cognitive Services Resource </h3> <ul> <li>Log in to the <a href="https://portal.azure.com" rel="noopener noreferrer">Azure Portal</a>.</li> <li>Create a new <strong>Cognitive Services</strong> resource (e.g., for Text Analytics or Computer Vision).</li> <li>Note your <strong>endpoint URL</strong> and <strong>API key</strong>.</li> </ul> <h3> 2. Store the Credentials Securely </h3> <p>Use environment variables or a secure secrets store to manage your Azure Cognitive Services endpoint and API key.</p> <p>Assumed environment variables:</p> <ul> <li> <code>AZURE_COGNITIVE_ENDPOINT</code> </li> <li><code>AZURE_COGNITIVE_KEY</code></li> </ul> <h3> 3. Install Necessary NuGet Packages </h3> <p>For Text Analytics, run the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dotnet add package Azure.AI.TextAnalytics </code></pre> </div> <h2> Code Example: Integrating Cognitive Services into a Minimal API </h2> <p>Here’s a practical example showing how to use Azure Text Analytics in a .NET 8 Minimal API to perform sentiment analysis.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">Azure</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Azure.AI.TextAnalytics</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.AspNetCore.Builder</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.Extensions.DependencyInjection</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.Extensions.Hosting</span><span class="p">;</span> <span class="c1">// Create the web application builder.</span> <span class="kt">var</span> <span class="n">builder</span> <span class="p">=</span> <span class="n">WebApplication</span><span class="p">.</span><span class="nf">CreateBuilder</span><span class="p">(</span><span class="n">args</span><span class="p">);</span> <span class="c1">// Retrieve Azure Cognitive Services credentials from configuration.</span> <span class="kt">string</span> <span class="n">azureEndpoint</span> <span class="p">=</span> <span class="n">builder</span><span class="p">.</span><span class="n">Configuration</span><span class="p">[</span><span class="s">"AZURE_COGNITIVE_ENDPOINT"</span><span class="p">];</span> <span class="kt">string</span> <span class="n">azureApiKey</span> <span class="p">=</span> <span class="n">builder</span><span class="p">.</span><span class="n">Configuration</span><span class="p">[</span><span class="s">"AZURE_COGNITIVE_KEY"</span><span class="p">];</span> <span class="c1">// Register the TextAnalyticsClient as a singleton for dependency injection.</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddSingleton</span><span class="p">(</span><span class="k">new</span> <span class="nf">TextAnalyticsClient</span><span class="p">(</span><span class="k">new</span> <span class="nf">Uri</span><span class="p">(</span><span class="n">azureEndpoint</span><span class="p">),</span> <span class="k">new</span> <span class="nf">AzureKeyCredential</span><span class="p">(</span><span class="n">azureApiKey</span><span class="p">)));</span> <span class="kt">var</span> <span class="n">app</span> <span class="p">=</span> <span class="n">builder</span><span class="p">.</span><span class="nf">Build</span><span class="p">();</span> <span class="c1">// Define a Minimal API endpoint for sentiment analysis.</span> <span class="n">app</span><span class="p">.</span><span class="nf">MapPost</span><span class="p">(</span><span class="s">"/analyze-sentiment"</span><span class="p">,</span> <span class="k">async</span> <span class="p">(</span><span class="n">TextAnalyticsClient</span> <span class="n">client</span><span class="p">,</span> <span class="n">SentimentRequest</span> <span class="n">sentimentRequest</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="kt">string</span><span class="p">.</span><span class="nf">IsNullOrWhiteSpace</span><span class="p">(</span><span class="n">sentimentRequest</span><span class="p">.</span><span class="n">InputText</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="n">Results</span><span class="p">.</span><span class="nf">BadRequest</span><span class="p">(</span><span class="s">"Input text is required."</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Call Azure Cognitive Services to analyze the sentiment.</span> <span class="kt">var</span> <span class="n">response</span> <span class="p">=</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">AnalyzeSentimentAsync</span><span class="p">(</span><span class="n">sentimentRequest</span><span class="p">.</span><span class="n">InputText</span><span class="p">);</span> <span class="k">return</span> <span class="n">Results</span><span class="p">.</span><span class="nf">Ok</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="n">Value</span><span class="p">);</span> <span class="p">});</span> <span class="n">app</span><span class="p">.</span><span class="nf">Run</span><span class="p">();</span> <span class="k">public</span> <span class="k">record</span> <span class="nc">SentimentRequest</span><span class="p">(</span><span class="kt">string</span> <span class="n">InputText</span><span class="p">);</span> </code></pre> </div> <h3> 🧠 Explanation </h3> <ul> <li> <strong>Configuration</strong>: The endpoint and key are loaded from environment variables.</li> <li> <strong>Dependency Injection</strong>: <code>TextAnalyticsClient</code> is injected directly into the endpoint.</li> <li> <strong>Endpoint Logic</strong>: <code>/analyze-sentiment</code> receives input, calls Azure's API, and returns the sentiment.</li> </ul> <p>You can expand this example to support translation, language detection, and image processing.</p> <h2> Best Practices and Usage Guidelines </h2> <h3> 🔐 Secure Your Credentials </h3> <ul> <li>Always store API keys and endpoints in environment variables or a secret manager.</li> <li>Never commit sensitive data to source control.</li> </ul> <h3> ⚠️ Error Handling and Resilience </h3> <ul> <li>Handle service failures, API timeouts, and rate limits.</li> <li>Use retry policies and circuit breakers for fault tolerance.</li> </ul> <h3> ⚡ Optimize Performance </h3> <ul> <li>Cache responses when appropriate to reduce repeated calls.</li> <li>Use <code>async/await</code> for non-blocking I/O operations.</li> </ul> <h3> 📊 Monitor and Log </h3> <ul> <li>Log request/response metadata to track usage and troubleshoot issues.</li> <li>Use Azure Monitor or Application Insights for insights.</li> </ul> <h3> ✅ Test Thoroughly </h3> <ul> <li>Write unit and integration tests to simulate real-world usage and roles.</li> <li>Validate your API under various load and error conditions.</li> </ul> <h2> Conclusion </h2> <p>Integrating Azure Cognitive Services with .NET 8 Minimal APIs enables you to build intelligent, responsive applications with minimal overhead. By following the steps and best practices outlined in this guide, you can quickly add AI functionality to your applications—whether it’s sentiment analysis, language detection, or any other cognitive feature.</p> <p>I hope you found this guide helpful and inspiring as you venture into building smarter applications. Feel free to share your experiences, ask questions, or leave feedback in the comments below!</p> <p><strong>Happy coding!</strong></p> csharp dotnet ai api Securing Multi-Tier Applications with .NET 8: Role-Based Authorization Best Practices Leandro Veiga Tue, 01 Apr 2025 15:41:48 +0000 https://dev.to/leandroveiga/securing-multi-tier-applications-with-net-8-role-based-authorization-best-practices-5h49 https://dev.to/leandroveiga/securing-multi-tier-applications-with-net-8-role-based-authorization-best-practices-5h49 <p>In today’s guide, we will explore how to implement role-based authorization in .NET 8 to secure your multi-tier applications. Effective access control is crucial for protecting sensitive resources and ensuring that only authorized users can perform specific actions. In this article, you'll discover practical examples, configuration techniques, and best practices to build secure, multi-tier systems.</p> <h2> Table of Contents </h2> <ul> <li>Introduction</li> <li>Overview of Role-Based Authorization</li> <li>Configuring Role-Based Authorization in .NET 8</li> <li> Code Examples <ul> <li>Minimal API Example</li> <li>MVC Controller Example</li> </ul> </li> <li>Best Practices for Secure Multi-Tier Applications</li> <li>Conclusion</li> </ul> <h2> Introduction </h2> <p>As applications scale and evolve, maintaining secure access across multiple tiers of an application becomes a top priority. Role-based authorization is a powerful strategy to ensure that users can only access resources or perform actions that align with their roles. This separation of concerns is essential for both security and maintainability across your backend services, APIs, and front-end layers.</p> <p>In this guide, we'll look at:</p> <ul> <li>What role-based authorization is and why it's important.</li> <li>How to configure .NET 8 to support role-based access control.</li> <li>Real-world examples using both Minimal APIs and MVC controllers.</li> <li>Best practices to ensure your multi-tier application is secure and scalable.</li> </ul> <h2> Overview of Role-Based Authorization </h2> <p>Role-based authorization controls access based on the user’s assigned roles. This approach involves:</p> <ul> <li> <strong>Defining User Roles:</strong> Determining roles such as Admin, User, Manager, etc.</li> <li> <strong>Assigning Roles:</strong> Attaching roles to user identities (typically during authentication).</li> <li> <strong>Enforcing Policies:</strong> Using policies and attributes to restrict access to resources based on roles.</li> </ul> <p>By leveraging these mechanisms, developers can prevent unauthorized access and ensure that each part of the application is accessed only by users with proper privileges.</p> <h2> Configuring Role-Based Authorization in .NET 8 </h2> <p>.NET 8 offers robust support for authentication and authorization right out of the box. To enable role-based access, you'll typically perform the following steps in your application:</p> <ol> <li> <strong>Setup Authentication:</strong> Configure an authentication scheme (e.g., cookies, JWT, etc.) that returns user claims including roles.</li> <li> <strong>Define Authorization Policies:</strong> Use the built-in authorization services to create policies that specify required roles.</li> <li> <strong>Secure Endpoints:</strong> Apply the <code>[Authorize]</code> attribute or equivalent mechanisms to restrict endpoints to specific roles.</li> </ol> <h2> Code Examples </h2> <h3> Minimal API Example </h3> <p>Below is a simple example demonstrating how to implement role-based authorization in a .NET 8 Minimal API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">Microsoft.AspNetCore.Authorization</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System.Security.Claims</span><span class="p">;</span> <span class="kt">var</span> <span class="n">builder</span> <span class="p">=</span> <span class="n">WebApplication</span><span class="p">.</span><span class="nf">CreateBuilder</span><span class="p">(</span><span class="n">args</span><span class="p">);</span> <span class="c1">// Configure authentication (using cookie authentication as an example)</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddAuthentication</span><span class="p">(</span><span class="s">"MyCookieScheme"</span><span class="p">)</span> <span class="p">.</span><span class="nf">AddCookie</span><span class="p">(</span><span class="s">"MyCookieScheme"</span><span class="p">,</span> <span class="n">options</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">options</span><span class="p">.</span><span class="n">LoginPath</span> <span class="p">=</span> <span class="s">"/login"</span><span class="p">;</span> <span class="p">});</span> <span class="c1">// Configure authorization with role-based policies</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddAuthorization</span><span class="p">(</span><span class="n">options</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">options</span><span class="p">.</span><span class="nf">AddPolicy</span><span class="p">(</span><span class="s">"AdminOnly"</span><span class="p">,</span> <span class="n">policy</span> <span class="p">=&gt;</span> <span class="n">policy</span><span class="p">.</span><span class="nf">RequireRole</span><span class="p">(</span><span class="s">"Admin"</span><span class="p">));</span> <span class="n">options</span><span class="p">.</span><span class="nf">AddPolicy</span><span class="p">(</span><span class="s">"UserOnly"</span><span class="p">,</span> <span class="n">policy</span> <span class="p">=&gt;</span> <span class="n">policy</span><span class="p">.</span><span class="nf">RequireRole</span><span class="p">(</span><span class="s">"User"</span><span class="p">));</span> <span class="p">});</span> <span class="kt">var</span> <span class="n">app</span> <span class="p">=</span> <span class="n">builder</span><span class="p">.</span><span class="nf">Build</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseAuthentication</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseAuthorization</span><span class="p">();</span> <span class="c1">// Public endpoint</span> <span class="n">app</span><span class="p">.</span><span class="nf">MapGet</span><span class="p">(</span><span class="s">"/"</span><span class="p">,</span> <span class="p">(</span><span class="n">ClaimsPrincipal</span> <span class="n">user</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="s">$"Hello </span><span class="p">{</span><span class="n">user</span><span class="p">.</span><span class="n">Identity</span><span class="p">?.</span><span class="n">Name</span> <span class="p">??</span> <span class="s">"Guest"</span><span class="p">}</span><span class="s">!"</span><span class="p">);</span> <span class="c1">// Endpoint restricted to Admins</span> <span class="n">app</span><span class="p">.</span><span class="nf">MapGet</span><span class="p">(</span><span class="s">"/admin"</span><span class="p">,</span> <span class="p">[</span><span class="nf">Authorize</span><span class="p">(</span><span class="n">Policy</span> <span class="p">=</span> <span class="s">"AdminOnly"</span><span class="p">)]</span> <span class="p">()</span> <span class="p">=&gt;</span> <span class="s">"Welcome, Admin!"</span><span class="p">).</span><span class="nf">RequireAuthorization</span><span class="p">(</span><span class="s">"AdminOnly"</span><span class="p">);</span> <span class="n">app</span><span class="p">.</span><span class="nf">Run</span><span class="p">();</span> </code></pre> </div> <h3> MVC Controller Example </h3> <p>For applications using MVC, role-based authorization can be applied to controllers or actions directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">Microsoft.AspNetCore.Authorization</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.AspNetCore.Mvc</span><span class="p">;</span> <span class="k">namespace</span> <span class="nn">MyApp.Controllers</span> <span class="p">{</span> <span class="p">[</span><span class="n">Authorize</span><span class="p">]</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">DashboardController</span> <span class="p">:</span> <span class="n">Controller</span> <span class="p">{</span> <span class="c1">// This action is accessible by all authorized users</span> <span class="k">public</span> <span class="n">IActionResult</span> <span class="nf">Index</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">View</span><span class="p">();</span> <span class="p">}</span> <span class="c1">// This action is restricted to users with the "Manager" role</span> <span class="p">[</span><span class="nf">Authorize</span><span class="p">(</span><span class="n">Roles</span> <span class="p">=</span> <span class="s">"Manager"</span><span class="p">)]</span> <span class="k">public</span> <span class="n">IActionResult</span> <span class="nf">ManagerSection</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">View</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Best Practices for Secure Multi-Tier Applications </h2> <h3> <strong>Design Clear Role Hierarchies</strong> </h3> <ul> <li>Define roles that align with organizational responsibilities and security requirements.</li> <li>Avoid overly granular or overlapping roles that can complicate the access control logic.</li> </ul> <h3> <strong>Centralize Authorization Policies</strong> </h3> <ul> <li>Manage role-based policies in a centralized configuration to ensure consistency.</li> <li>Update policies as the application evolves or as new roles are introduced.</li> </ul> <h3> <strong>Ensure Secure Role Assignment</strong> </h3> <ul> <li>Validate and sanitize role information during user authentication.</li> <li>Store roles securely in your identity provider or database.</li> </ul> <h3> <strong>Implement Logging and Monitoring</strong> </h3> <ul> <li>Log authorization failures to detect potential security breaches.</li> <li>Monitor role usage to understand access patterns and adjust policies accordingly.</li> </ul> <h3> <strong>Test Role-Based Scenarios</strong> </h3> <ul> <li>Implement unit and integration tests to simulate different user roles.</li> <li>Verify that access restrictions perform as expected under various conditions.</li> </ul> <h2> Conclusion </h2> <p>Securing multi-tier applications with role-based authorization in .NET 8 provides a robust framework for controlling access and protecting sensitive resources. By following the configuration steps and best practices outlined in this guide, you can build scalable, secure applications that enforce proper access control across all layers.</p> <p>I hope this article sheds light on how to implement role-based access control effectively in your .NET 8 applications. Feel free to share your experiences, ask questions, or provide feedback in the comments below!</p> <p><strong>Happy coding!</strong> 🚀</p> csharp dotnet security tutorial Implementing Rate Limiting and Throttling in .NET 8: Safeguard Your Backend Services Leandro Veiga Sat, 29 Mar 2025 00:41:52 +0000 https://dev.to/leandroveiga/implementing-rate-limiting-and-throttling-in-net-8-safeguard-your-backend-services-4ei7 https://dev.to/leandroveiga/implementing-rate-limiting-and-throttling-in-net-8-safeguard-your-backend-services-4ei7 <p>In today's post, we’re diving into rate limiting and throttling in .NET 8, a crucial technique to protect your backend services from overload. With the ever-increasing number of client requests, it's essential to incorporate mechanisms that will control traffic and ensure your ASP.NET 8 applications remain robust and responsive.</p> <h2> Table of Contents </h2> <ul> <li>Introduction</li> <li>Understanding Rate Limiting and Throttling</li> <li>Built-in Rate Limiting in .NET 8</li> <li>Coding Example: Implementing Rate Limiting</li> <li>Best Practices and Usage Scenarios</li> <li>Conclusion</li> </ul> <h2> Introduction </h2> <p>As modern applications become more complex and handle increasing volumes of traffic, managing the flow of incoming requests becomes paramount. Rate limiting and throttling are strategies designed to protect services by controlling how often clients can make requests. In .NET 8, leveraging built-in middleware and configuration options can help implement these techniques easily.</p> <p>In this guide, we will:</p> <ul> <li>Define rate limiting and throttling and explain why they are essential.</li> <li>Explore .NET 8’s built-in support for implementing these features.</li> <li>Look at real-world code examples.</li> <li>Discuss best practices for configuring your policies.</li> </ul> <h2> Understanding Rate Limiting and Throttling </h2> <p>Rate limiting restricts the number of requests a client can make within a certain time period. This helps prevent spam, DDoS attacks, and ensures that resources are shared equitably among all users. Throttling, on the other hand, manages the speed at which requests are accepted or processed.</p> <h3> Key objectives include: </h3> <ul> <li>Protecting the backend services from being inundated with requests.</li> <li>Maintaining a fair distribution of server resources.</li> <li>Improving application stability and user experience.</li> </ul> <h2> Built-in Rate Limiting in .NET 8 <a></a> </h2> <p>With .NET 8, the framework now includes built-in middleware to handle rate limiting, making it easier than ever to integrate this functionality into your applications. The middleware allows you to define various policies, such as fixed window, sliding window, and token bucket algorithms.</p> <p>Using these policies, you can customize the behavior for different endpoints or globally, ensuring flexible and powerful traffic management.</p> <h2> Coding Example: Implementing Rate Limiting </h2> <p>Below is a simple example of how to implement rate limiting in an ASP.NET 8 application using the built-in middleware.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">Microsoft.AspNetCore.RateLimiting</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System.Threading.RateLimiting</span><span class="p">;</span> <span class="kt">var</span> <span class="n">builder</span> <span class="p">=</span> <span class="n">WebApplication</span><span class="p">.</span><span class="nf">CreateBuilder</span><span class="p">(</span><span class="n">args</span><span class="p">);</span> <span class="c1">// Add Rate Limiter services with a Fixed Window policy.</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddRateLimiter</span><span class="p">(</span><span class="n">options</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="c1">// Define a fixed window rate limiter policy.</span> <span class="n">options</span><span class="p">.</span><span class="nf">AddFixedWindowLimiter</span><span class="p">(</span><span class="n">policyName</span><span class="p">:</span> <span class="s">"Fixed"</span><span class="p">,</span> <span class="n">options</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">options</span><span class="p">.</span><span class="n">PermitLimit</span> <span class="p">=</span> <span class="m">10</span><span class="p">;</span> <span class="c1">// Maximum requests allowed per window.</span> <span class="n">options</span><span class="p">.</span><span class="n">Window</span> <span class="p">=</span> <span class="n">TimeSpan</span><span class="p">.</span><span class="nf">FromSeconds</span><span class="p">(</span><span class="m">10</span><span class="p">);</span> <span class="c1">// Time window.</span> <span class="n">options</span><span class="p">.</span><span class="n">QueueLimit</span> <span class="p">=</span> <span class="m">2</span><span class="p">;</span> <span class="c1">// Max queued requests.</span> <span class="n">options</span><span class="p">.</span><span class="n">QueueProcessingOrder</span> <span class="p">=</span> <span class="n">QueueProcessingOrder</span><span class="p">.</span><span class="n">OldestFirst</span><span class="p">;</span> <span class="p">});</span> <span class="p">});</span> <span class="kt">var</span> <span class="n">app</span> <span class="p">=</span> <span class="n">builder</span><span class="p">.</span><span class="nf">Build</span><span class="p">();</span> <span class="c1">// Use the rate limiter middleware.</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseRateLimiter</span><span class="p">();</span> <span class="c1">// Example endpoint that will be rate limited.</span> <span class="n">app</span><span class="p">.</span><span class="nf">MapGet</span><span class="p">(</span><span class="s">"/"</span><span class="p">,</span> <span class="p">()</span> <span class="p">=&gt;</span> <span class="s">"Hello, World!"</span><span class="p">).</span><span class="nf">RequireRateLimiting</span><span class="p">(</span><span class="s">"Fixed"</span><span class="p">);</span> <span class="n">app</span><span class="p">.</span><span class="nf">Run</span><span class="p">();</span> </code></pre> </div> <h3> Explanation </h3> <ul> <li>The code above registers a fixed window rate limiter policy, limiting the endpoint to 10 requests every 10 seconds with a small queue buffer.</li> <li>The <code>UseRateLimiter</code> middleware is added to the application pipeline, ensuring that rate limiting rules are enforced on incoming requests.</li> <li>The endpoint <code>/</code> is configured to use the "Fixed" policy, meaning any traffic to this route will be throttled according to the defined rules.</li> </ul> <h2> Best Practices and Usage Scenarios </h2> <p>When implementing rate limiting and throttling in your applications, consider the following best practices:</p> <h3> <strong>Policy Customization</strong> </h3> <ul> <li>Define different policies for different endpoints. A public API may have stricter limits than internal endpoints.</li> <li>Consider using sliding or token bucket algorithms for smoother request flows where appropriate.</li> </ul> <h3> <strong>Graceful Degradation</strong> </h3> <ul> <li>When limits are exceeded, ensure your application returns informative error responses (e.g., HTTP 429 Too Many Requests) to help clients adjust their behavior.</li> <li>Optionally implement <code>Retry-After</code> headers.</li> </ul> <h3> <strong>Monitoring and Logging</strong> </h3> <ul> <li>Track usage metrics to identify abuse or unusual traffic patterns.</li> <li>Use logging to monitor the performance of rate-limiting policies.</li> </ul> <h3> <strong>Testing</strong> </h3> <ul> <li>Thoroughly test your rate-limiting strategy under simulated load conditions to ensure that legitimate users are not inadvertently penalized.</li> <li>Use tools like Postman or automated tests to emulate various request patterns.</li> </ul> <h3> <strong>Hybrid Approaches</strong> </h3> <ul> <li>Combine rate limiting with other security measures such as IP filtering, authentication, and CDN protections for a comprehensive defense strategy.</li> </ul> <h2> Conclusion </h2> <p>Rate limiting and throttling are essential features for maintaining the health and performance of your backend services. With .NET 8’s robust, built-in middleware, implementing these strategies has never been easier. By following the techniques and best practices discussed in this article, you can ensure that your ASP.NET applications remain resilient under heavy traffic while protecting your critical resources.</p> <p>I hope this guide empowers you to take practical steps in safeguarding your services. If you have any questions, suggestions, or would like to share your experiences, feel free to leave a comment below!</p> <p><strong>Happy coding!</strong> 🚀</p> csharp dotnet programming tutorial Enhancing HTTP Pipelines with Custom Middleware in .NET 8: Tips, Code, and Best Practices Leandro Veiga Wed, 19 Mar 2025 21:00:00 +0000 https://dev.to/leandroveiga/enhancing-http-pipelines-with-custom-middleware-in-net-8-tips-code-and-best-practices-1b73 https://dev.to/leandroveiga/enhancing-http-pipelines-with-custom-middleware-in-net-8-tips-code-and-best-practices-1b73 <p>In this post, we'll explore how to create custom middleware in .NET 8 that can optimize and enhance your HTTP request pipeline. Custom middleware offers a powerful way to inject custom logic into every request and response, allowing you to implement logging, security, performance enhancements, and much more.</p> <h2> Table of Contents </h2> <ul> <li>Introduction</li> <li>What is Middleware in .NET?</li> <li>Creating Custom Middleware in .NET 8</li> <li>Code Example: Custom Header Middleware</li> <li>Best Practices for Developing Middleware</li> <li>Usage Scenarios and Tips</li> <li>Conclusion</li> </ul> <h2> Introduction </h2> <p>Middleware in ASP.NET Core is a critical component of the request processing pipeline. By constructing a sequence of middleware, developers can handle, modify, or even terminate HTTP requests according to custom logic. With .NET 8, creating and integrating custom middleware has become more straightforward, allowing you to tailor your application's behavior to the specific needs of your project.</p> <p>In this article, we’ll cover:</p> <ul> <li>The fundamentals of middleware in .NET.</li> <li>How to build custom middleware.</li> <li>Real-world code examples.</li> <li>Best practices for middleware design and usage.</li> </ul> <h2> What is Middleware in .NET? </h2> <p>Middleware is software that sits between the incoming HTTP request and the execution of your application logic. It acts as a filter, performing tasks such as:</p> <ul> <li>Logging or monitoring requests.</li> <li>Implementing authentication and authorization.</li> <li>Modifying request or response objects.</li> <li>Handling errors and exceptions globally.</li> </ul> <p>In ASP.NET Core, every component in the request pipeline is built as middleware. Each middleware component is responsible for invoking the next middleware in the pipeline or short-circuiting the pipeline based on custom conditions.</p> <h2> Creating Custom Middleware in .NET 8 </h2> <p>Creating custom middleware in .NET 8 involves creating a class that encapsulates your desired logic and then integrating that middleware into the HTTP request pipeline. The key steps include:</p> <ul> <li>Defining a class that accepts a <code>RequestDelegate</code>.</li> <li>Implementing an asynchronous invocation method (often named <code>InvokeAsync</code>).</li> <li>Injecting your middleware using the built-in <code>UseMiddleware</code> extension method.</li> </ul> <p>Let's put these steps into practice with a sample middleware that adds a custom header to every HTTP response.</p> <h2> Code Example: Custom Header Middleware </h2> <p>Below is the code for a simple custom middleware that injects an <code>X-Custom-Header</code> with a specific value into every response:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">System.Threading.Tasks</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.AspNetCore.Http</span><span class="p">;</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">CustomHeaderMiddleware</span> <span class="p">{</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">RequestDelegate</span> <span class="n">_next</span><span class="p">;</span> <span class="k">public</span> <span class="nf">CustomHeaderMiddleware</span><span class="p">(</span><span class="n">RequestDelegate</span> <span class="n">next</span><span class="p">)</span> <span class="p">{</span> <span class="n">_next</span> <span class="p">=</span> <span class="n">next</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="k">async</span> <span class="n">Task</span> <span class="nf">InvokeAsync</span><span class="p">(</span><span class="n">HttpContext</span> <span class="n">context</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Before invoking the next middleware, you can inspect or modify the request.</span> <span class="c1">// For example, add a custom header to the response.</span> <span class="n">context</span><span class="p">.</span><span class="n">Response</span><span class="p">.</span><span class="nf">OnStarting</span><span class="p">(()</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">context</span><span class="p">.</span><span class="n">Response</span><span class="p">.</span><span class="n">Headers</span><span class="p">.</span><span class="nf">Add</span><span class="p">(</span><span class="s">"X-Custom-Header"</span><span class="p">,</span> <span class="s">"MiddlewareExample"</span><span class="p">);</span> <span class="k">return</span> <span class="n">Task</span><span class="p">.</span><span class="n">CompletedTask</span><span class="p">;</span> <span class="p">});</span> <span class="c1">// Call the next middleware in the pipeline.</span> <span class="k">await</span> <span class="nf">_next</span><span class="p">(</span><span class="n">context</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Integrating the Middleware </h3> <p>To integrate the custom middleware, use the <code>UseMiddleware&lt;T&gt;()</code> extension method in your <code>Program.cs</code> or <code>Startup.cs</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="kt">var</span> <span class="n">builder</span> <span class="p">=</span> <span class="n">WebApplication</span><span class="p">.</span><span class="nf">CreateBuilder</span><span class="p">(</span><span class="n">args</span><span class="p">);</span> <span class="kt">var</span> <span class="n">app</span> <span class="p">=</span> <span class="n">builder</span><span class="p">.</span><span class="nf">Build</span><span class="p">();</span> <span class="c1">// Register the custom middleware</span> <span class="n">app</span><span class="p">.</span><span class="n">UseMiddleware</span><span class="p">&lt;</span><span class="n">CustomHeaderMiddleware</span><span class="p">&gt;();</span> <span class="n">app</span><span class="p">.</span><span class="nf">MapGet</span><span class="p">(</span><span class="s">"/"</span><span class="p">,</span> <span class="p">()</span> <span class="p">=&gt;</span> <span class="s">"Hello from .NET 8 with Custom Middleware!"</span><span class="p">);</span> <span class="n">app</span><span class="p">.</span><span class="nf">Run</span><span class="p">();</span> </code></pre> </div> <p>In this example, every HTTP response generated by your application will include the <code>X-Custom-Header</code> header with its configured value.</p> <h2> Best Practices for Developing Middleware </h2> <p>When developing custom middleware in .NET 8, consider the following best practices:</p> <ul> <li> <strong>Keep It Focused</strong>: Design middleware to perform a single responsibility rather than consolidating multiple concerns. This simplifies debugging and future enhancements.</li> <li> <strong>Leverage Dependency Injection (DI)</strong>: If your middleware requires additional services, use constructor injection to access them seamlessly.</li> <li> <strong>Asynchronous Programming</strong>: Always use asynchronous programming patterns (<code>async/await</code>) to ensure that your middleware scales well under load.</li> <li> <strong>Error Handling</strong>: Integrate with global exception handling middleware or include robust error handling within your middleware to prevent unhandled exceptions.</li> <li> <strong>Short-Circuiting When Necessary</strong>: If the middleware logic determines that the request should not proceed further (e.g., unauthorized access), use short-circuiting to return an appropriate response immediately.</li> </ul> <h2> Usage Scenarios and Tips </h2> <p>Custom middleware can be applied in many scenarios:</p> <ul> <li> <strong>Logging and Monitoring</strong>: Record request details for auditing or performance analysis.</li> <li> <strong>Security Enhancements</strong>: Implement rate limiting, IP filtering, or add custom security headers.</li> <li> <strong>Performance Optimizations</strong>: Cache results or bypass expensive computations for static content.</li> <li> <strong>Content Transformation</strong>: Modify request payloads or response bodies before further processing.</li> </ul> <p>Remember to order your middleware appropriately in the pipeline, as the sequence can influence how requests and responses are processed.</p> <h2> Conclusion </h2> <p>Custom middleware in .NET 8 opens up a realm of possibilities to enhance the HTTP request pipeline with your specialized logic. By following the best practices and coding patterns discussed in this guide, you can build robust, maintainable, and scalable middleware to address various challenges in your application.</p> <p>I hope this post helps you understand how to create and use custom middleware effectively. Feel free to share your thoughts, ask questions, or provide feedback in the comments below!</p> <p><strong>Happy coding!</strong></p> dotnet csharp programming tutorial Optimizing .NET 8 Minimal APIs for Cloud-Native Microservices: Docker & Kubernetes Best Practices Leandro Veiga Wed, 19 Mar 2025 00:35:12 +0000 https://dev.to/leandroveiga/optimizing-net-8-minimal-apis-for-cloud-native-microservices-docker-kubernetes-best-practices-24f9 https://dev.to/leandroveiga/optimizing-net-8-minimal-apis-for-cloud-native-microservices-docker-kubernetes-best-practices-24f9 <p>In today’s digital world, microservices and cloud-native architectures are becoming the backbone of scalable systems. With .NET 8 and its minimal API capabilities, you can build lean, efficient APIs that perform well in containerized environments on Kubernetes or Docker. In this post, we will explore best practices, provide code examples, and share tips for optimizing your minimal APIs.</p> <h2> Table of Contents </h2> <ul> <li>Introduction</li> <li>Understanding Minimal APIs in .NET 8</li> <li>Optimization Strategies for Cloud-Native Environments</li> <li>Containerizing Your .NET 8 API with Docker</li> <li>Deploying on Kubernetes</li> <li>Best Practices for Cloud-Native Minimal APIs</li> <li>Conclusion</li> </ul> <h2> Introduction </h2> <p>With the rise of microservices, developing lightweight, high-performance APIs has become essential. .NET 8’s minimal APIs help reduce boilerplate while delivering blazing-fast startup times. However, optimizing these APIs for cloud-native environments such as Docker and Kubernetes requires additional considerations. This guide is aimed at developers working with microservices and those embracing a cloud-native approach.</p> <h2> Understanding Minimal APIs in .NET 8 </h2> <p>Minimal APIs in .NET 8 simplify the process of building Web APIs by eliminating unnecessary complexity. Instead of relying on large controllers and numerous configuration files, you can configure your endpoints in a single file.</p> <h3> Basic Example </h3> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">Microsoft.AspNetCore.Builder</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.AspNetCore.Http</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.Extensions.Hosting</span><span class="p">;</span> <span class="kt">var</span> <span class="n">builder</span> <span class="p">=</span> <span class="n">WebApplication</span><span class="p">.</span><span class="nf">CreateBuilder</span><span class="p">(</span><span class="n">args</span><span class="p">);</span> <span class="kt">var</span> <span class="n">app</span> <span class="p">=</span> <span class="n">builder</span><span class="p">.</span><span class="nf">Build</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">MapGet</span><span class="p">(</span><span class="s">"/"</span><span class="p">,</span> <span class="p">()</span> <span class="p">=&gt;</span> <span class="s">"Hello, .NET 8 Minimal API!"</span><span class="p">);</span> <span class="n">app</span><span class="p">.</span><span class="nf">MapGet</span><span class="p">(</span><span class="s">"/weather/{city}"</span><span class="p">,</span> <span class="p">(</span><span class="kt">string</span> <span class="n">city</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="s">$"The weather in </span><span class="p">{</span><span class="n">city</span><span class="p">}</span><span class="s"> is sunny!"</span><span class="p">;</span> <span class="p">});</span> <span class="n">app</span><span class="p">.</span><span class="nf">Run</span><span class="p">();</span> </code></pre> </div> <p>This streamlined approach reduces overhead and is perfect for microservice scenarios.</p> <h2> Optimization Strategies for Cloud-Native Environments </h2> <p>Optimizing your minimal APIs for cloud deployment involves several strategies:</p> <h3> Performance Tuning: </h3> <ul> <li>Enable ahead-of-time (AOT) compilation to reduce startup times.</li> <li>Utilize asynchronous programming to enhance throughput.</li> <li>Use caching strategies (memory cache, distributed cache) for frequently requested data.</li> </ul> <h3> Observability &amp; Logging: </h3> <ul> <li>Integrate logging frameworks like Serilog.</li> <li>Utilize distributed tracing and monitoring (e.g., Prometheus, Grafana).</li> </ul> <h3> Configuration &amp; Security: </h3> <ul> <li>Externalize configurations using environment variables.</li> <li>Use API gateways or service meshes for security and routing.</li> </ul> <h3> Scalability: </h3> <ul> <li>Implement rate limiting and circuit breaker patterns.</li> <li>Design your architecture for horizontal scaling.</li> </ul> <h2> Containerizing Your .NET 8 API with Docker </h2> <p>To deploy your API to a cloud-native environment, containerization is a crucial step.</p> <h3> Dockerfile Example </h3> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Use the official .NET 8 SDK image to build the app.</span> <span class="k">FROM</span><span class="w"> </span><span class="s">mcr.microsoft.com/dotnet/sdk:8.0</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">build</span> <span class="k">WORKDIR</span><span class="s"> /src</span> <span class="c"># Copy the project files and restore dependencies.</span> <span class="k">COPY</span><span class="s"> *.csproj ./</span> <span class="k">RUN </span>dotnet restore <span class="c"># Copy the rest of the source code and publish the app.</span> <span class="k">COPY</span><span class="s"> . ./</span> <span class="k">RUN </span>dotnet publish <span class="nt">-c</span> Release <span class="nt">-o</span> /app/publish <span class="c"># Use the official .NET 8 runtime image.</span> <span class="k">FROM</span><span class="s"> mcr.microsoft.com/dotnet/aspnet:8.0</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> --from=build /app/publish .</span> <span class="k">ENTRYPOINT</span><span class="s"> ["dotnet", "YourApiProjectName.dll"]</span> </code></pre> </div> <h3> Explanation </h3> <ul> <li> <strong>Multi-stage Build:</strong> The first stage builds and publishes the application, while the second stage packages it into a lightweight runtime image.</li> <li> <strong>Port Exposure:</strong> Ensure your application listens to the correct port (configured via environment variables or code).</li> </ul> <h2> Deploying on Kubernetes </h2> <p>Once your API is containerized, you can deploy it to Kubernetes for robust orchestration and scaling.</p> <h3> Kubernetes Deployment Manifest </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dotnet-minimal-api</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">dotnet-minimal-api</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">dotnet-minimal-api</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dotnet-minimal-api</span> <span class="na">image</span><span class="pi">:</span> <span class="s">yourdockerhubusername/yourapiimage:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ASPNETCORE_ENVIRONMENT</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Production"</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dotnet-minimal-api-service</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">LoadBalancer</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">dotnet-minimal-api</span> </code></pre> </div> <h3> Explanation </h3> <ul> <li> <strong>Deployment:</strong> Defines a deployment with 3 replicas for high availability.</li> <li> <strong>Service:</strong> A LoadBalancer service to expose the API externally while balancing the traffic.</li> </ul> <h2> Best Practices for Cloud-Native Minimal APIs </h2> <p>To get the most out of your cloud-native minimal APIs on .NET 8, consider the following best practices:</p> <h3> Embrace Asynchronous Programming: </h3> <ul> <li>Use <code>async/await</code> patterns throughout your API to exploit the benefits of non-blocking I/O.</li> </ul> <h3> Externalize Configuration: </h3> <ul> <li>Store configuration in external sources (e.g., Kubernetes ConfigMaps, Azure App Configuration) to avoid hard-coded settings.</li> </ul> <h3> Implement Resilience Patterns: </h3> <ul> <li>Leverage libraries such as Polly for retries, circuit breaking, and fallback mechanisms.</li> </ul> <h3> Optimize Startup Time: </h3> <ul> <li>Utilize minimal dependencies and consider AOT compilation where applicable.</li> </ul> <h3> Focus on Security: </h3> <ul> <li>Secure endpoints with proper authentication and authorization.</li> <li>Use HTTPS, token validation, and API gateways.</li> </ul> <h3> Monitoring &amp; Logging: </h3> <ul> <li>Continuously monitor your API performance and log relevant metrics.</li> <li>Utilize cloud-native tools for real-time insights.</li> </ul> <h2> Conclusion </h2> <p>Optimizing .NET 8 Minimal APIs for cloud-native environments involves more than just code improvements. Containerization with Docker and deployment on Kubernetes play a crucial role in scalability and resilience. By using the strategies and practices outlined in this post, you can build highly efficient and cloud-optimized microservices.</p> <p>For more insights, stay tuned for additional content on microservices development and best practices!</p> dotnet csharp api cloud Achieving Zero Downtime Deployment with YARP: Blue-Green and Canary Strategies Leandro Veiga Mon, 10 Mar 2025 19:00:00 +0000 https://dev.to/leandroveiga/achieving-zero-downtime-deployment-with-yarp-blue-green-and-canary-strategies-ele https://dev.to/leandroveiga/achieving-zero-downtime-deployment-with-yarp-blue-green-and-canary-strategies-ele <p>Zero downtime deployments are critical for systems that demand high availability. In this article, we’ll explore how to use YARP (Yet Another Reverse Proxy) to achieve deployments with no downtime by implementing strategies like blue-green deployments and canary releases. We’ll cover practical code examples, configuration setups, and best practices for a smooth rollout.</p> <h2> Table of Contents </h2> <ol> <li>Introduction</li> <li>Why Zero Downtime Deployments?</li> <li>Understanding YARP</li> <li> Blue-Green Deployment with YARP <ul> <li>Configuration Example</li> </ul> </li> <li> Canary Releases with YARP <ul> <li>Configuration Example</li> </ul> </li> <li>Best Practices</li> <li>Conclusion</li> <li>References</li> </ol> <h2> Introduction </h2> <p>Continuous deployments are crucial in today's fast-paced tech environment. One of the biggest challenges is updating your application without affecting your users. By combining the power of YARP with deployment strategies like blue-green and canary releases, you can deploy new versions seamlessly and ensure zero downtime for your users.</p> <p>This article will walk you through the step-by-step process to set up these deployment techniques using YARP, demonstrating the configurations and code needed to make your deployments both safe and efficient.</p> <h2> Why Zero Downtime Deployments? </h2> <p>Zero downtime deployments allow you to:</p> <ul> <li>Roll out updates without interrupting service.</li> <li>Minimize risk by controlling exposure of new changes.</li> <li>Ensure a smooth user experience, as the transition between versions is virtually invisible to end users.</li> </ul> <h2> Understanding YARP </h2> <p>YARP (Yet Another Reverse Proxy) is an open-source project by Microsoft that enables you to build high-performance reverse proxies. With its flexible configuration system, YARP can be used to implement complex routing scenarios, making it ideal for advanced deployment strategies such as blue-green deployments and canary releases.</p> <h2> Blue-Green Deployment with YARP <a></a> </h2> <p>Blue-green deployment is a technique where two identical environments (blue and green) are maintained. One environment is live (blue) while the other (green) is updated. Once the new version (green) is fully tested, traffic is switched over from blue to green with no downtime.</p> <h3> Configuration Example </h3> <p>Assume you have two clusters in your configuration—one for blue and one for green. You can switch traffic between them by changing the route’s cluster mapping.</p> <h4> appsettings.json (Initial Configuration) </h4> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"ReverseProxy"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Routes"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"RouteId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"blueGreenRoute"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ClusterId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"blueCluster"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Match"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/api/{**catch-all}"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Clusters"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"blueCluster"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Destinations"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"blueDestination"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Address"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://blue.example.com/"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"greenCluster"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Destinations"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"greenDestination"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Address"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://green.example.com/"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h4> Switching to Green Environment </h4> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"ReverseProxy"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Routes"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"RouteId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"blueGreenRoute"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ClusterId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"greenCluster"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Match"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/api/{**catch-all}"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This switch, when executed properly, ensures that your application is updated without impacting user experience.</p> <h2> Canary Releases with YARP </h2> <p>Canary releases involve rolling out new versions to a small subset of users before a full-scale deployment. This approach allows you to monitor the new release's performance and stability in a controlled environment.</p> <h3> Configuration Example <a></a> </h3> <p>YARP’s flexible routing allows you to set up canary releases by splitting traffic between two clusters. You might direct 90% of traffic to the stable version and 10% to the new version.</p> <h4> appsettings.json (Canary Release) </h4> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"ReverseProxy"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Routes"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"RouteId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"canaryRoute"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ClusterId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"defaultCluster"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Match"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/api/{**catch-all}"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Clusters"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"defaultCluster"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"LoadBalancingPolicy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"CookieSticky"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Destinations"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"stableVersion"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Address"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://stable.example.com/"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"canaryVersion"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Address"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://canary.example.com/"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Metadata"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Weight"</span><span class="p">:</span><span class="w"> </span><span class="s2">"10"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>In this configuration, you can adjust the weights to control how much traffic flows to each destination. For example, setting a higher weight for the stable version ensures that most traffic goes there while the canary version only gets a small percentage for testing.</p> <h2> Best Practices </h2> <p>To successfully implement zero downtime deployments with YARP, consider the following best practices:</p> <h3> Health Checks and Monitoring </h3> <ul> <li>Integrate health monitoring for each destination. YARP can be configured to automatically remove unhealthy destinations from the rotation.</li> </ul> <h3> Automated Rollbacks </h3> <ul> <li>Configure your deployment pipeline for automated rollback procedures in case the canary or blue-green switch indicates issues.</li> </ul> <h3> Incremental Traffic Shifting </h3> <ul> <li>With canary releases, slowly increase the percentage of traffic to the new version as confidence grows.</li> </ul> <h3> Consistent Configuration Management </h3> <ul> <li>Use configuration management tools or service discovery mechanisms to keep your YARP configurations consistent across deployments.</li> </ul> <h3> Secure Your Endpoints </h3> <ul> <li>Ensure all endpoints use HTTPS and have proper authentication and authorization mechanisms in place.</li> </ul> <h2> Conclusion </h2> <p>Achieving zero downtime deployments is a vital aspect of modern application management. YARP offers incredible flexibility to implement deployment strategies like blue-green deployments and canary releases, reducing risk and ensuring a seamless user experience. By leveraging these configurations and best practices, you can confidently deploy new versions of your applications without interruptions.</p> <p>Feel free to experiment with these configurations and adjust the strategies as needed for your unique architecture and requirements. Happy deploying!</p> <h2> References </h2> <ul> <li><a href="https://github.com/microsoft/reverse-proxy" rel="noopener noreferrer">YARP GitHub Repository</a></li> <li><a href="https://microsoft.github.io/reverse-proxy/" rel="noopener noreferrer">YARP Documentation</a></li> <li><a href="https://example.com/blue-green-deployments" rel="noopener noreferrer">Implementing Blue-Green Deployments</a></li> <li><a href="https://example.com/canary-releases" rel="noopener noreferrer">Canary Releases</a></li> </ul> webdev csharp dotnet programming