DEV Community: Mannawar Hussain

FHIR crud app using aspnet core 8.0 and sql server

Mannawar Hussain — Sat, 13 Jul 2024 11:35:58 +0000

Hi EveryOne!
I would like to discuss today, the crud operation for the patient resource using HL7 R4 model using aspnet core and saving of patient data on sql server using EF Core. For modelling of data i have used this package.
Ref- https://www.nuget.org/packages/Hl7.Fhir.R4, https://www.hl7.org/fhir/resource.html#identification
Here each resource is uniquely identified by the id. I have given Id as database generated, we dont need to specifically specify that while sending request. So basically, this is my PatientEntity class.

   public class PatientEntity
  {
      [Key]
      [DatabaseGenerated(DatabaseGeneratedOption.Identity)]
      public string Id { get; set; } = Guid.NewGuid().ToString();


      [Required]
      public string FamilyName { get; set; } = string.Empty;

      [Required]
      public string GivenName { get; set; } = string.Empty;

      [Required]
      public string Gender { get; set; } = string.Empty;

      [Required]
      public DateTime BirthDate { get; set; } = DateTime.MinValue;

      public byte[]? PhotoData { get; set; }

      public static PatientEntity FromFhirPatient(Patient patient)
      {
          byte[]? photoData = null;
          if(patient.Photo != null && patient.Photo.Count > 0 && patient.Photo[0].Data != null)
          {
              photoData = patient.Photo[0].Data;
          }
          DateTime birthDate = patient.BirthDateElement?.ToDateTimeOffset()?.DateTime ?? DateTime.MinValue;

          return new PatientEntity
          {
              Id = patient.Id ?? Guid.NewGuid().ToString(),
              FamilyName = patient.Name.FirstOrDefault()?.Family ?? string.Empty,
              GivenName = patient.Name.FirstOrDefault()?.Given.FirstOrDefault()?? string.Empty,
              Gender = patient.Gender.HasValue ? patient.Gender.Value.ToString(): string.Empty,
              BirthDate = birthDate,
              PhotoData = photoData
          };
      }

      public Patient ToFhirPatient()
      {
          return new Patient
          {
              Id = Id,
              Name = new List<HumanName>
              {
                  new HumanName
                  {
                      Family = FamilyName,
                      Given = new List<string> { GivenName }
                  }
              },
              Gender = !string.IsNullOrEmpty(Gender) ? (AdministrativeGender)Enum.Parse(typeof(AdministrativeGender), Gender, true) : null,
              BirthDate = BirthDate.ToString("yyyy-MM-dd"),
              Photo = PhotoData != null ? new List<Attachment> { new Attachment { Data = PhotoData } } : null
          };
      }

The properties defined above are as per HL7 R4 model and then i have defined two static methods viz. FromFhirPatient(converts a Patient object from Fhir model to PatientEntity object) and ToFhirPatient(converts a PatientEntity object to a Fhir Patient object).

The details for modelling classes could be find here. we can customize accordingly.
Flag Σ means its a modifier element, and it can change interpretation of resource, and is helpful for client to search summary only from large resource of data and helps in improving efficiency, and then there is cardinality ex.(0..1) meaning this particular field can appear minimum 0 times and maximum of 1. More details for data modelling can be find here Ref- https://www.hl7.org/fhir/patient.html

The blow code is for configuring DbContext.

        public class ApplicationDbContext : DbContext
    {
        public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options) : base(options) { }

        public DbSet<PatientEntity> Patients { get; set; }

        protected override void OnModelCreating(ModelBuilder modelBuilder)
        {
            base.OnModelCreating(modelBuilder);
        }
    }

The constructor here public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options) : base(options) { } Here ApplicationDbContext is properly configured by Dependency injection system which helps in SOC and it helps in configuring options for DbContext which typically includes things like database connection etc inside Program.cs which i will discuss next.
base(options) passes the options parameters to the base DbContext constructor.

This property public DbSet<PatientEntity> Patients { get; set; } creates a table inside database
ModelBuilder class provides API surface for configuring a DbContext to map entities to db schema.

This is my Program class

using Hl7.Fhir.Model;
using Hl7.Fhir.Serialization;
using Microsoft.EntityFrameworkCore;
using NetCrudApp.Data;
using System.Text.Json.Serialization;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddControllers()
    .AddJsonOptions(opt =>
    {
        IList<JsonConverter> fhirConverters = opt.JsonSerializerOptions.ForFhir(ModelInfo.ModelInspector).Converters;
        IList<JsonConverter> convertersToAdd = new List<JsonConverter>(fhirConverters);
        foreach(JsonConverter fhirConverter in convertersToAdd)
        {
            opt.JsonSerializerOptions.Converters.Add(fhirConverter);
        }
        opt.JsonSerializerOptions.Encoder = System.Text.Encodings.Web.JavaScriptEncoder.UnsafeRelaxedJsonEscaping;
    });

var connectionString = builder.Configuration.GetConnectionString("DefaultConnection");
builder.Services.AddDbContext<ApplicationDbContext>(options =>
{
    options.UseSqlServer(connectionString);
});

builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();
builder.Services.AddHttpClient(); // added this line to converse with fhir server microsoft



var app = builder.Build();

// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
{
    app.UseSwagger();
    app.UseSwaggerUI();
}

app.UseHttpsRedirection();

app.UseAuthorization();

app.MapControllers();
using (var scope = app.Services.CreateScope())
{
    var dbContext = scope.ServiceProvider.GetRequiredService<ApplicationDbContext>();
    await dbContext.Database.MigrateAsync();
}

app.Run();

Here, in this line

        IList<JsonConverter> fhirConverters = opt.JsonSerializerOptions.ForFhir(ModelInfo.ModelInspector).Converters;
        IList<JsonConverter> convertersToAdd = new List<JsonConverter>(fhirConverters);
        foreach(JsonConverter fhirConverter in convertersToAdd)
        {
            opt.JsonSerializerOptions.Converters.Add(fhirConverter);
        }
        opt.JsonSerializerOptions.Encoder = System.Text.Encodings.Web.JavaScriptEncoder.UnsafeRelaxedJsonEscaping;

is required for Serialization of data, otherwise this will throw error The collection type 'Hl7.Fhir.Model.Patient' is abstract, an interface, or is read only, and could not be instantiated and populated.
Also, we need to initialize a new converter as IList<JsonConverter> convertersToAdd = new List<JsonConverter>(fhirConverters); else we will end up in modifying the original list which is not of course we want. Also, this line opt.JsonSerializerOptions.Encoder = System.Text.Encodings.Web.JavaScriptEncoder.UnsafeRelaxedJsonEscaping; allows characters that are particularly escaped like &, <, > to remain unescaped, which is useful for interoperability and readability of json output but it should be cautiously used. In summary this converter is used for serialization and deserialization of fhir model data which is of complex type and is challenging to perform deserialization for saving data on database and ** serializing** while returning response to client using native converters like NewtonSoft. Ref here - https://github.com/FirelyTeam/firely-net-sdk/issues/2583

This line

var connectionString = builder.Configuration.GetConnectionString("DefaultConnection");
builder.Services.AddDbContext<ApplicationDbContext>(options =>
{
    options.UseSqlServer(connectionString);
});

specifies the connection string for the app which is defined inside appSetting.json. For simplicity sake i have just defined the variables inside my appsettings.json as below as we are developing is using local sql server only. For azure deployment, we can configure services to manage secrets properly. appsettings.json is as below, it simply specifies the connection string and logging level, if we want more info from logging just change from warning to Information inside appsettings.json or appsettings.Development.json

{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*",
  "ConnectionStrings": {
    "DefaultConnection": "Server=.;Database=FhirLocalDb;Integrated Security=true;TrustServerCertificate=true;"
  }
}

Further, this line inside Program.cs

using (var scope = app.Services.CreateScope())
{
    var dbContext = scope.ServiceProvider.GetRequiredService<ApplicationDbContext>();
    await dbContext.Database.MigrateAsync();
}

is used to apply any pending migration. But before that we need to add migration and update database using below commands.

dotnet ef migrations add InitialCreate
dotnet ef database update

Next, this is my PatientController class

[Route("fhir/patient")]
[ApiController]
public class PatientResourceProvider : ControllerBase
{
    private readonly ApplicationDbContext _context;

    public PatientResourceProvider(ApplicationDbContext context)
    {
        _context = context;
    }

    [HttpGet("{id}")]
    public async Task<IActionResult> GetPatient(string id)
    {
        try
        {
            //https://stackoverflow.com/questions/62899915/converting-null-literal-or-possible-null-value-to-non-nullable-type
            PatientEntity? patientEntity = await _context.Patients.FindAsync(id);
            if(patientEntity != null)
            {
                return Ok(patientEntity);
            }else
            {
                return NotFound(new { Message = "Patient not found" });
            }

        }catch(FhirOperationException ex) when (ex.Status == System.Net.HttpStatusCode.NotFound)
        {
            return NotFound(new { Message = "Patient not found" });
        }catch(Exception ex)
        {
            return StatusCode(500, new { Message = "Ann error occurred", Details = ex.Message });
        }
    }

    [HttpPost]
    public async Task<IActionResult> CreatePatient([FromBody] Patient patient)
    {
        using var transaction = await _context.Database.BeginTransactionAsync();
        try
        {
            if (!ModelState.IsValid)
            {
                return BadRequest(ModelState);
            }
            PatientEntity patientEntity = PatientEntity.FromFhirPatient(patient);
            _context.Patients.Add(patientEntity);
            await _context.SaveChangesAsync();

            await transaction.CommitAsync();

            return CreatedAtAction(nameof(GetPatient), new { id = patientEntity.Id }, patientEntity.ToFhirPatient());
        }
        catch (Exception ex)
        {
            await transaction.RollbackAsync();  
            return StatusCode(500, new { Message = "An error occurred", Details = ex.Message });
        }
    }

    [HttpPut("{id}")]
    public async Task<IActionResult> UpdatePatient(string id, [FromBody] Patient patient)
    {
        if(id == null)
        {
            return BadRequest(new {Message = "Patient id cannot be null"});
        }

        using var transaction = await _context.Database.BeginTransactionAsync();

        try
        {
            PatientEntity? patientEntity = await _context.Patients.FindAsync(id);
            if(patientEntity == null)
            {
                return NotFound(new { Message = "Patient not found" });
            }

            if(patient.Name == null || patient.Name.Count == 0 || string.IsNullOrEmpty(patient.Name[0].Family)) {
                return BadRequest(new { Message = "Patient name is required" });
            }

            patientEntity.FamilyName = patient.Name.FirstOrDefault()?.Family ?? string.Empty; 
            patientEntity.GivenName = patient.Name.FirstOrDefault()?.Given.FirstOrDefault() ?? string.Empty;
            patientEntity.Gender = patient.Gender.HasValue ? patient.Gender.Value.ToString().ToLower() : string.Empty;
            patientEntity.BirthDate = patient.BirthDateElement?.ToDateTimeOffset()?.DateTime ?? DateTime.MinValue;

            _context.Entry(patientEntity).State = EntityState.Modified;

            await _context.SaveChangesAsync();

            await transaction.CommitAsync();

            return NoContent();
        }catch(DbUpdateConcurrencyException) 
        {
            if(!_context.Patients.Any(e => e.Id == id))
            {
                return NotFound(new { Message = "Patient not found" });
            }
            else
            {
                throw;
            }
        }catch(Exception ex)
        {
            await transaction.RollbackAsync();
            return StatusCode(500, new { Message = "An error occurred", Details = ex.Message });
        }
    }


    [HttpDelete("{id}")]
    public async Task<IActionResult> DeletePatient(string id)
    {
        using var transaction = await _context.Database.BeginTransactionAsync();
        try
        {
            var patientEntity = await _context.Patients.FindAsync(id);
            if(patientEntity == null)
            {
                return NotFound(new { Message = "Patient not found" });
            }
            _context.Patients.Remove(patientEntity);
            await _context.SaveChangesAsync();
            await transaction.CommitAsync();
            return NoContent();
        }catch(Exception ex)
        {
            await transaction.RollbackAsync();
            return StatusCode(500, new { Message = "An error occurred", Details = ex.Message });
        }
    }

    [HttpGet("search")]
    public async Task<IActionResult> SearchPatient([FromQuery] string? name = null, string? id = null)
    {
        try
        {
            IQueryable<PatientEntity> query = _context.Patients;
            if (!string.IsNullOrEmpty(name))
            {
                query = query.Where(n =>  n.FamilyName == name || n.GivenName == name);
            }
            if (!string.IsNullOrEmpty(id))
            {
                query = query.Where(p => p.Id == id);
            }

            var patients = await query.ToListAsync();
            if (!patients.Any())
            {
                return NotFound(new { Message = "No Patient found" });
            }
            return Ok(patients);
        }catch(Exception ex)
        {
            return StatusCode(500, new { Message = "An error occurred", Details = ex.Message });
        }
    }

}

Starting from Post request as below.

 [HttpPost]
 public async Task<IActionResult> CreatePatient([FromBody] Patient patient)
 {
     using var transaction = await _context.Database.BeginTransactionAsync();
     try
     {
         if (!ModelState.IsValid)
         {
             return BadRequest(ModelState);
         }
         PatientEntity patientEntity = PatientEntity.FromFhirPatient(patient);
         _context.Patients.Add(patientEntity);
         await _context.SaveChangesAsync();
         await transaction.CommitAsync();

         return CreatedAtAction(nameof(GetPatient), new { id = patientEntity.Id }, patientEntity.ToFhirPatient());
     }
     catch (Exception ex)
     {
         await transaction.RollbackAsync();  
         return StatusCode(500, new { Message = "An error occurred", Details = ex.Message });
     }
 }

We start writing defensively to catch any errors, first database transaction is started asynchronously to maintain integrity of data saved on sql server. If any parts fails here it will Rollback the transaction. Then here if (!ModelState.IsValid) { return BadRequest(ModelState); } model state is verified as per the attributes and rules defined inside Patient model class, if there is model validation error it will throw 400.

Then this line of code PatientEntity patientEntity = PatientEntity.FromFhirPatient(patient); will deserialize data from entity class in order to save data on database.

These three lines _context.Patients.Add(patientEntity); await _context.SaveChangesAsync(); await transaction.CommitAsync(); will add new patient based upon request from body and save in db and commit transaction.
If any error is thrown transactionwill be rolled back here await transaction.RollbackAsync(); and in case of any error it will be catched inside catch block. The successful post request in postman would look something like this.

Similarly, for get request here

 [HttpGet("{id}")]
 public async Task<IActionResult> GetPatient(string id)
 {
     try
     {
         PatientEntity? patientEntity = await _context.Patients.FindAsync(id);
         if(patientEntity != null)
         {
             return Ok(patientEntity);
         }else
         {
             return NotFound(new { Message = "Patient not found" });
         }

     }catch(FhirOperationException ex) when (ex.Status == System.Net.HttpStatusCode.NotFound)
     {
         return NotFound(new { Message = "Patient not found" });
     }catch(Exception ex)
     {
         return StatusCode(500, new { Message = "Ann error occurred", Details = ex.Message });
     }
 }

We first try to find a given entity using primary id here PatientEntity? patientEntity = await _context.Patients.FindAsync(id); Here PatientEntity? question mark is used in order to ward off warning CS8600 Converting null literal or possible null value to non-nullable type.

If patientEntity is not null, then a matching patientEntity is returned from db here using response as return Ok(patientEntity); else the errors are catched inside catch blocks. FhirOperationException is derived from base Exception class and it represents HL7 FHIR errors that occur during application execution.
Successful, Postman request for get request is as below.

Likewise, for put operation here

 [HttpPut("{id}")]
 public async Task<IActionResult> UpdatePatient(string id, [FromBody] Patient patient)
 {
     if(id == null)
     {
         return BadRequest(new {Message = "Patient id cannot be null"});
     }

     using var transaction = await _context.Database.BeginTransactionAsync();

     try
     {
         PatientEntity? patientEntity = await _context.Patients.FindAsync(id);
         if(patientEntity == null)
         {
             return NotFound(new { Message = "Patient not found" });
         }

         if(patient.Name == null || patient.Name.Count == 0 || string.IsNullOrEmpty(patient.Name[0].Family)) {
             return BadRequest(new { Message = "Patient name is required" });
         }

         patientEntity.FamilyName = patient.Name.FirstOrDefault()?.Family ?? string.Empty; 
         patientEntity.GivenName = patient.Name.FirstOrDefault()?.Given.FirstOrDefault() ?? string.Empty;
         patientEntity.Gender = patient.Gender.HasValue ? patient.Gender.Value.ToString().ToLower() : string.Empty;
         patientEntity.BirthDate = patient.BirthDateElement?.ToDateTimeOffset()?.DateTime ?? DateTime.MinValue;

         _context.Entry(patientEntity).State = EntityState.Modified;

         await _context.SaveChangesAsync();

         await transaction.CommitAsync();

         return NoContent();
     }catch(DbUpdateConcurrencyException) 
     {
         if(!_context.Patients.Any(e => e.Id == id))
         {
             return NotFound(new { Message = "Patient not found" });
         }
         else
         {
             throw;
         }
     }catch(Exception ex)
     {
         await transaction.RollbackAsync();
         return StatusCode(500, new { Message = "An error occurred", Details = ex.Message });
     }
 }

First, null check of id is done which is found inside query parameter of request url and then to update the given property is locked using this block as in post request to maintain data integrity inside db here using var transaction = await _context.Database.BeginTransactionAsync();
Here in this line if(patientEntity == null) { return NotFound(new { Message = "Patient not found" }); } if patient with given id is not found, then 404 not found is returned as response with its according message.
Here if(patient.Name == null || patient.Name.Count == 0 || string.IsNullOrEmpty(patient.Name[0].Family)) { return BadRequest(new { Message = "Patient name is required" }); } it validates the Patient incoming object. And it checks if Name property of patient object is null or if Name count is zero or if the family Name of the first HumanName is empty or null will throw 400 validation error as below.

Here, in these four lines FamilyName, GivenName, Gender and BirthDate are mapped to either the values provided by the client or else will be mapped to empty string. Only, BirthDate is first converted to DateTimeOffset and then to DateTime and if conversion fails or is null then it assigns DateTime.MinValue;

This line _context.Entry(patientEntity).State = EntityState.Modified; marks the patient entity to be modified and tells EF core that patientEntity has been modified and needs to be updated in database.

And another two lines here ` await _context.SaveChangesAsync();

            await transaction.CommitAsync();` save changes in database and commit transaction and returns 204 no content. Else the error is catched inside catch block.

Successful postman request is

Note- We use Patient model as method parameter here since we have to adhere to HL7 Fhir model.

Further, delete method is also locked inside database transaction as well in order to maintain data integrity

        [HttpDelete("{id}")]
        public async Task<IActionResult> DeletePatient(string id)
        {
            using var transaction = await _context.Database.BeginTransactionAsync();
            try
            {
                var patientEntity = await _context.Patients.FindAsync(id);
                if(patientEntity == null)
                {
                    return NotFound(new { Message = "Patient not found" });
                }
                _context.Patients.Remove(patientEntity);
                await _context.SaveChangesAsync();
                await transaction.CommitAsync();
                return NoContent();
            }catch(Exception ex)
            {
                await transaction.RollbackAsync();
                return StatusCode(500, new { Message = "An error occurred", Details = ex.Message });
            }
        }

First patient is searched using id and then if patient with given id is found then this line _context.Patients.Remove(patientEntity); will successfully remove patientEntity from db only when this line await _context.SaveChangesAsync(); is executed and transaction is complete and if there is any error, the transaction will be rolled back and error message is displayed accordingly.
Successful postman request for this operation is as here.

And the Search operation is by id or by name as here.

 [HttpGet("search")]
 public async Task<IActionResult> SearchPatient([FromQuery] string? name = null, string? id = null)
 {
     try
     {
         IQueryable<PatientEntity> query = _context.Patients;
         if (!string.IsNullOrEmpty(name))
         {
             query = query.Where(n =>  n.FamilyName == name || n.GivenName == name);
         }
         if (!string.IsNullOrEmpty(id))
         {
             query = query.Where(p => p.Id == id);
         }

         List<PatientEntity> patients = await query.ToListAsync();
         if (!patients.Any())
         {
             return NotFound(new { Message = "No Patient found" });
         }
         return Ok(patients);
     }catch(Exception ex)
     {
         return StatusCode(500, new { Message = "An error occurred", Details = ex.Message });
     }
 }

Since, we are directly interacting with database here that's why i have used IQueryable<PatientEntity> query = _context.Patients; PatientEntity type instead of Patient type. Then null and empty string check operation is performed for both id and name and the results are filtered using Where extension method. This line List<PatientEntity> patients = await query.ToListAsync(); results a list of patients matching the records from db and if any error it will be catched inside catch block. Successful postman request is as below.

Search by name

Search by id

You can close use/play with below github. No permission is required. In case of any issue feel free to message me i will try to respond asap!

Repo- https://github.com/mannawar/fhir-msft-sqlserver

Thanks for your time!

Refactoring..(Part 3)

Mannawar Hussain — Fri, 28 Jun 2024 14:44:13 +0000

Hi Everyone!,
Today i would like to discuss further analysis of my code in terms of time and space complexity. This is the backend code.

       [AllowAnonymous]
       [HttpPost("registergoogle")]
       public async Task<ActionResult<UserDto>> RegisterGoogle(GoogleRegisterDto googleRegisterDto)
       {

           GoogleJsonWebSignature.Payload payload;
           try
           {
               payload = await GoogleJsonWebSignature.ValidateAsync(googleRegisterDto.GoogleTokenId);
           }
           catch (Exception ex)
           {
               return Unauthorized(new { Error = "Invalid google token" });
           }
           var email = payload.Email;
           var displayName = payload.Name;
           var userName = payload.Subject;


           var existingUser = await _userManager.Users.FirstOrDefaultAsync(x => x.UserName == userName || x.Email == email || x.Us_DisplayName == displayName);


           if (existingUser != null)
           {
               if (existingUser.Email == email)
               {
                   return CreateUserObject(existingUser);
               }else
               {
                   ModelState.AddModelError("username", "Username taken");
                   return ValidationProblem();
               }
           }

           var user = new AppUser
           {
               Us_DisplayName = displayName,
               Email = email,
               UserName = userName,
               Us_Active = true,
               Us_Customer = true,
               Us_SubscriptionDays = 0
           };  

           var result = await _userManager.CreateAsync(user);

           if (result.Succeeded)
           {
               return CreateUserObject(user);
           }

           return BadRequest(result.Errors);

       }

I will discuss each portion of the code with regards to its time and space complexity.

Here payload = await GoogleJsonWebSignature.ValidateAsync(googleRegisterDto.GoogleTokenId); in this line of code O(n) can be considered as O(1) considering network communication and cryptographic validation, or may be little higher or lower depending upon network communication. But, space complexity will be O(1) as assignment variable(payload).

Coming down, var email = payload.Email; var displayName = payload.Name; var userName = payload.Subject; These lines are also assignment variable hence both time and space complexity is O(1).

Now coming to line var existingUser = await _userManager.Users.FirstOrDefaultAsync(x => x.UserName == userName || x.Email == email || x.Us_DisplayName == displayName); Time complexity could be O(n) depending upon indexing and size of the AspnetUsers, where n is the no of users inside AspnetUsers table. So, we can simply measure the performance of this piece of code using stopwatch from System.Diagnostics. Hence my code look like this

            Stopwatch stopwatch = new Stopwatch();
            stopwatch.Start();


            var existingUser = await _userManager.Users.FirstOrDefaultAsync(x => x.UserName == userName || x.Email == email || x.Us_DisplayName == displayName);

            stopwatch.Stop();
            Console.WriteLine($"Exceution time after user query returned from db: {stopwatch.ElapsedMilliseconds}");

on first call it gives me the time as below.

It gives me a total time of 1165ms.

To improve the performance, since this query is related to db and is querying three parameters viz. Username, Email and Us_DisplayName on AspnetUsers. Hence, i have good option to create an index(non-clustered). I created an index on these parameters and measured the performance again. The result is below.

Time has reduced from 1165ms to 742ms.
Hence, we can say that time complexity has reduced from O(n) to O(log(n)) for indexed look up. while space complexity is O(1) as it stores reference to single user object only.

For the below piece of code time and space complexity would be O(1) as it involves condition check and method call only.

            if (existingUser != null)
            {
                if (existingUser.Email == email)
                {
                    return CreateUserObject(existingUser);
                }else
                {
                    ModelState.AddModelError("username", "Username taken");
                    return ValidationProblem();
                }
            }

Coming down to this lien ` Stopwatch stopwatch2 = new Stopwatch();
stopwatch2.Start();

        var result = await _userManager.CreateAsync(user);
        stopwatch2.Stop();
        Console.WriteLine($"Exceution time after creating user: {stopwatch2.ElapsedMilliseconds}");`

I measured the performance again here which gives me around 314ms.

As this is database insert operation and practically it gives me 314ms, and hence time and space complexity could be considered again of O(1) considering proper indexing and db storage options.

Lastly, for this line

            if (result.Succeeded)
            {
                return CreateUserObject(user);
            }

            return BadRequest(result.Errors);

Time and space complexity would be O(1) as this is condition checking and method call only.
Conclusion- step by step debugging through the code we were able to analyze the time and space complexity of the code and we have reduced space complexity from O(n) to O(log(n)) for look up operation using indexing.

This effort is a part of giving back to the community. I hope this would be helpful to some of us. Thanks for your time!

Ref used- https://stackoverflow.com/questions/4694574/database-indexes-and-their-big-o-notation, https://learn.microsoft.com/en-us/sql/relational-databases/indexes/indexes?view=sql-server-ver16

How Authentication works (Part2)

Mannawar Hussain — Mon, 24 Jun 2024 06:54:04 +0000

Continuing from part 1, I have done some refactoring. Instead of decoding the token in the frontend and then sending all the information (such as email, displayName, and userName) over HTTPS, I now prefer to send just the token. In the backend, this token is decoded and mapped to the required parameters. This approach ensures that all security aspects are handled by our backend. HTTPS provides secure transit mechanisms, so I did not consider encrypting the token. Finally, I removed the jwt-decode package from the React app.
If you are following from my previous post, the handleGoogleSuccess method would look something like this now in front end React.

    const handleGoogleSuccess = (response: any) => {
        const tokenId = response.credential;
        dispatch(signInWithGoogle({ tokenId}))
            .unwrap()
            .then(() => {
                toast.success('Registration successful!');
                navigate('/Book');
            })
            .catch((error: any) => {
                toast.error('Some error occurred - Please try again later');
                console.error('Google sign in failed:', error);
            });

        console.log('Google sign in successful:', response);
    }

And the controller action method would look like this.

     [AllowAnonymous]
     [HttpPost("registergoogle")]
     public async Task<ActionResult<UserDto>> RegisterGoogle(GoogleRegisterDto googleRegisterDto)
     {

         GoogleJsonWebSignature.Payload payload;
         try
         {
             payload = await GoogleJsonWebSignature.ValidateAsync(googleRegisterDto.GoogleTokenId);
         }
         catch (Exception ex)
         {
             return Unauthorized(new { Error = "Invalid google token" });
         }
         var email = payload.Email;
         var displayName = payload.Name;
         var userName = payload.Subject;

         var existingUser = await _userManager.Users.FirstOrDefaultAsync(x => x.UserName == userName || x.Email == email || x.Us_DisplayName == displayName);

         if(existingUser != null)
         {
             if(existingUser.Email == email)
             {
                 return CreateUserObject(existingUser);
             }else
             {
                 ModelState.AddModelError("username", "Username taken");
                 return ValidationProblem();
             }
         }

         var user = new AppUser
         {
             Us_DisplayName = displayName,
             Email = email,
             UserName = userName,
             Us_Active = true,
             Us_Customer = true,
             Us_SubscriptionDays = 0
         };  

         var result = await _userManager.CreateAsync(user);

         if (result.Succeeded)
         {
             return CreateUserObject(user);
         }

         return BadRequest(result.Errors);

     }

Only the changes from the previous method is this line var email = payload.Email; var displayName = payload.Name; var userName = payload.Subject;
Now, i am directly mapping the required params to save in db. This smoothen the process of login instead of checking as in the previous method here if (payload.Email != googleRegisterDto.Email) { return Unauthorized(new { Error = "Email doesnt match google token" }); }
And accordingly my GoogleRegisterDto now is

    public class GoogleRegisterDto
    {
        [Required]
        public string GoogleTokenId { get; set; }
    }

Now, we need to add these lines in our Program.cs in order to avoid cross origin opener policy error and cross response embedder policy error.

app.Use(async (context, next) =>
{
    context.Response.Headers.Add("Cross-Origin-Opener-Policy", "same-origin");
    context.Response.Headers.Add("Cross-Origin-Embedder-Policy", "require-corp");
    await next();
});

By incorporating COOP and COEP headers, we can enhance security of our app by preventing potential cross origin attack. These headers help isolate our document context and ensure only trusted resources are embedded, reducing the risk of data leaks and malicious code execution.
More can be read here.

Ref1- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy

Ref2- https://web.dev/articles/why-coop-coep#:~:text=Cross%20Origin%20Opener%20Policy%20(COOP,pop%2Dup%2C%20its%20window.

There are many aspects of improving upon security aspect and the action should be proactive. Further improvement on this is implementation of refresh token and only allowing known ip's.
But, this is basic set up to get an idea of the flow and get us started. Thanks for your time again!

How authentication works (Part 1)

Mannawar Hussain — Sun, 23 Jun 2024 06:42:06 +0000

Recently, i have been developing FullStack app for a client. I would like to share the key takeaways on that as a part of giving back to the community!

Tech Stack used- React 18, Redux, Aspnet core 7, Sql-server database.

I am taking Google login/Register as an example here. But the general flow remain same for Apple Login or mobile otp login or any other login mechanism. I will summarize as well in the last as well. When the user clicks on Button as here.

                    <Box sx={{ display: 'flex', justifyContent: 'center', mb: 2 }}>
                        <GoogleAuth onSuccess={handleGoogleSuccess} onError={handleGoogleFailure} />
                    </Box>

Inside the handleGoogleSuccess method i am using jwtDecode library which breaks the jwt token into three parts and i have mapped it is as below.

  const tokenId = response.credential;
        const decodedToken = jwtDecode<GoogleTokenPayload>(tokenId);

        const email = decodedToken.email;
        const displayName = decodedToken.name;
        const username = decodedToken.sub;

  dispatch(signInWithGoogle({ tokenId, email, displayName, username }))
            .unwrap()
            .then(() => {
                toast.success('Registration successful!');
                navigate('/Book');
            })
            .catch((error: any) => {
                toast.error('Some error occurred - Please try again later');
                console.error('Google sign in failed:', error);
            });

        console.log('Google sign in successful:', response);

As we know jwt is basically made up of three parts viz. Header, payload and signature. using payload i have mapped above properties to send in backend. More details about jwt can be read in the link below.
Ref- https://jwt.io/

Next, I am using Redux for centralizing all account related stuff for user. The exact part of code which is responsible for sending payload to backend is below.

export const signInWithGoogle = createAsyncThunk<User, GoogleSignInPayLoad>(
    'account/signInWithGoogle',
    async (payload, thunkAPI) => {
        try {
            const {tokenId, email, displayName, username} = payload;
            const user = await agent.Account.registerGoogle({ GoogleTokenId: tokenId, email, displayName, username });
            localStorage.setItem('user', JSON.stringify(user));
            return user;
        } catch(error: any){
            return thunkAPI.rejectWithValue({ error: error.data });
        }
    }
)

All the three payload viz. email, displayName, username alongwith tokenId is sent via agent method as here. And if request is successful the localstorage is set with the logged in user credential as shown below.

registerGoogle: (values: any) => requests.post('account/registergoogle', values),

Just to give brief on redux store set up. Root reducer are pure functions which is defined inside ConfigureStore function as below. Reducers are pure function which takes current state and action as an argument and return a new state result.

export const store = configureStore({
    reducer: {
        book: bookSlice.reducer,
        account: accountSlice.reducer,
        subscription: basketSlice.reducer,
        progress: progressSlice.reducer
    },
})

export type RootState = ReturnType<typeof store.getState>;
export type AppDispatch = typeof store.dispatch;

export const useAppDispatch = () => useDispatch<AppDispatch>();
export const useAppSelector: TypedUseSelectorHook<RootState> = useSelector;  

export default store;

Here this line export type RootState = ReturnType<typeof store.getState>; represents the type of entire redux state in a type safe manner across the application.

This line export type AppDispatch = typeof store.dispatch; is just telling typeScript of new type AppDispatch.store.dispatch is function provided by redux that is used to dispatch action to the store. Hence, AppDispatch will be typed by the exact type of the dispatch function from redux store.

Further, coming to this line export const useAppDispatch = () => useDispatch<AppDispatch>(); useAppDispatch is custom React hook which calls internally useDispatch hook with AppDispatch type. As it is exported it can be easily used inside other modules or component by just importing it.

Lastly, this line export const useAppSelector: TypedUseSelectorHook<RootState> = useSelector; useSelector is another hook provided by React-Redux. Its function is to extract data from the redux store state in functional components. However, useSelector inherently is not typed to infer the type of redux state automatically. To achieve type safety and avoid repetitive type annotation, TypedUseSelectorHook is provided.

Then we can further easily use useAppSelector in any of our component like this as below.
import { useAppSelector } from './store';
To use this first import inside your component and then const user = useAppSelector(state => state.user); Here, we are selecting user slice from redux store and state has a type RootState.

More or redux can be read here- https://redux.js.org/tutorials/fundamentals/part-3-state-actions-reducers

Next, the request will go to backend via agent.ts method registerGoogle.

It will hit inside the controller action method as defined here.

  [AllowAnonymous]
  [HttpPost("registergoogle")]
  public async Task<ActionResult<UserDto>> RegisterGoogle(GoogleRegisterDto googleRegisterDto)
  {

      GoogleJsonWebSignature.Payload payload;
      try
      {
          payload = await GoogleJsonWebSignature.ValidateAsync(googleRegisterDto.GoogleTokenId);
      }
      catch (Exception ex)
      {
          return Unauthorized(new { Error = "Invalid google token" });
      }
      if (payload.Email != googleRegisterDto.Email)
      {
          return Unauthorized(new { Error = "Email doesnt match google token" });
      }

      var existingUser = await _userManager.Users.FirstOrDefaultAsync(x => x.UserName == googleRegisterDto.Username || x.Email == googleRegisterDto.Email || x.Us_DisplayName == googleRegisterDto.DisplayName);

      if(existingUser != null)
      {
          if(existingUser.Email == googleRegisterDto.Email)
          {
              return CreateUserObject(existingUser);
          }else
          {
              ModelState.AddModelError("username", "Username taken");
              return ValidationProblem();
          }
      }

      var user = new AppUser
      {
          Us_DisplayName = googleRegisterDto.DisplayName,
          Email = googleRegisterDto.Email,
          UserName = googleRegisterDto.Username,
          Us_Active = true,
          Us_Customer = true,
          Us_SubscriptionDays = 0
      };

      var result = await _userManager.CreateAsync(user);

      if (result.Succeeded)
      {
          return CreateUserObject(user);
      }

      return BadRequest(result.Errors);

  }

Here, since any user can register hence the attribute AllowAnonymous is used else protect the route by any mechanism or attribute like use Authorize
In the backend i am using nuget package Google.Apis.Auth and these lines

GoogleJsonWebSignature.Payload payload; try { payload = await GoogleJsonWebSignature.ValidateAsync(googleRegisterDto.GoogleTokenId); } catch (Exception ex) { return Unauthorized(new { Error = "Invalid google token" }); }

are responsible for checking googleRegisterDto.GoogleTokenId is valid and belongs to user attempting to register.

This line of code checks in database

var existingUser = await **_userManager.Users**.FirstOrDefaultAsync(x => x.UserName == googleRegisterDto.Username || x.Email == googleRegisterDto.Email || x.Us_DisplayName == googleRegisterDto.DisplayName);

if database already has the record related to the user attempting to register.

Further, down this line

if(existingUser != null) { if(existingUser.Email == googleRegisterDto.Email) { return CreateUserObject(existingUser); }

checks if existing user is not null and and the email from the payload which user sends from frontend matches then CreateUserObject function is called which is as below.

        private UserDto CreateUserObject(AppUser user)
        {
            return new UserDto
            {
                DisplayName = user.Us_DisplayName,
                Image = user.Md_ID.ToString(),
                Token = _tokenService.CreateToken(user),
                Username = user.UserName,
                FirebaseUID = user.Us_FirebaseUID,
                FirebaseToken = user.Us_FirebaseToken,
                Language = user.Us_language,
                IsSubscribed = (user.Us_SubscriptionExpiryDate != null && user.Us_SubscriptionExpiryDate > DateTime.Now)
            };
        }

Above, most crucial is this one Token = _tokenService.CreateToken(user) where the token is created for the user attempting to register whose records have already matched with the user saved in db, for further interaction with app.

Now, coming further down this line of code
var user = new AppUser { Us_DisplayName = googleRegisterDto.DisplayName, Email = googleRegisterDto.Email, UserName = googleRegisterDto.Username, Us_Active = true, Us_Customer = true, Us_SubscriptionDays = 0 };

If the user attempting to register is new and his records is not found in db. Then the above code will be executed and a user is created with role as just user. Note this line var result = await _userManager.CreateAsync(user); will create a new user and save in db.

Down this line,

if (result.Succeeded) { return `(user); }

if everything goes well till now CreateUserObject method will be called where a token will be generated for the user which will be used during his further interaction with app.

Else, bad request with corresponding error message will be displayed as here return BadRequest(result.Errors);

Note- Here i used google login, which is most common for login these days. But, the underlying logic remains same for any other login mechanism.

And finally, in the front end side in i have another reducer signout as here

reducers: { signOut: (state) => { state.user = null; localStorage.removeItem('user'); router.navigate('/'); }, setUser: (state, action) => { const claims = JSON.parse(atob(action.payload.token.split('.')[1])); const roles = claims['http://schemas.microsoft.com/ws/2008/06/identity/claims/role']; state.user = {...action.payload, roles: typeof(roles) === 'string' ? [roles] : roles}; } },

which can be triggered inside any component which is handling log out. In my case, i am using a menu component where i dispatch signout. You can use anywhere where you plan user to trigger logout. Once the dispatch(signOut()); from the component it will clear the localstorage as here localStorage.removeItem('user'); and user will be redirected to index page as here router.navigate('/');.

To summarize:
Step-1 Front end- use any mechanism or package to decode the google token. Once decoded match its part as per the model or dto's defined in backend.
Step-2 Send the request to backend via directly by axios or redux(centralized state management) using agent(which centralizes request to backend).
Step-3 Once the endpoint in backend is hit, check if token id is valid and ensure it is issued by google only. If valid, then check if user record is already present in our db or not. If present, generate a token with minimum role as a user for further communication. If not then create a user and save its info on db and then generate token with minimum role for their further interaction with app.

I hope this basic flow would be helpful to someone. Thanks for your time!

Redux combineReducer

Mannawar Hussain — Wed, 23 Sep 2020 06:25:47 +0000

I am trying to get the concept of redux and understand how its bits and pieces are functioning. I would like to share my experience of learning combine Reducers precisely here.
As per the docs of Redux there are three rules for combine Reducers.
Link here https://redux.js.org/api/combinereducers

For any action that is not recognized it must return state given to it as first argument. To elaborate this point, first we create a todos file under reducer folder. The content should be as below, this will switch action based upon action.type selected, and be sure to return default state otherwise eror Error: Reducer "todos"/"counter" returned undefined during initialization will show:

export default function todos(state = [], action) {
  switch (action.type) {
    case 'ADD_TODO':
      return state.concat([action.text])
    default:
      return state
  }
}

we next create another file called counter.js, content is as below, here we are also just incrementing and decrementing counter based upon the action.type. Here initia state is zero.:

export default function counter(state = 0, action) {
  switch (action.type) {
    case 'INCREMENT':
      return state + 1
    case 'DECREMENT':
      return state - 1
    default:
      return state
  }
}

Now we will create another file combineReducer.js inside reducer folder whose content is as below, this one will first import combineReducers from redux library. combineReducers will take an object whose value is { todos: todos, counter: counter }, as in ES6 syntax we can simply represent that as below :

import { combineReducers } from 'redux'
import todos from './todos'
import counter from './counter'

export default combineReducers({
  todos,
  counter
})

Now the most interesting part index.js or App.js where we will create store and will do dispatching action and console.logging. The content of which are as below:

import { createStore } from 'redux'
import combineReducers from './reducers/index'

const store = createStore(combineReducers)
console.log(store.getState());

//1.First argument is only returned
store.dispatch({
  type: 'ADD_TODO',
  text: 'This is the 1st argument from todos'
}, { type: 'DECREMENT'})

console.log(store.getState());

store.dispatch({
  type: 'INCREMENT'
})

console.log(store.getState());

store.dispatch({
  type: 'DECREMENT'
})

console.log(store.getState());

store.dispatch({
  type: 'DECREMENT'
})

console.log(store.getState());

In first line of code we imported createStore from redux library.
For code under commented section-1, we give two parameters to store.dispatch, but it returns only as below:

Hence the rule, it must return the state given to it as first argument (only) is verified.

Second rule states that it must never return undefined, to verify this we supplied empty object which returns undefined. Hence we can say that action type has to be there. If object with type empty string is supplied, the output will be undefined as below

Now the third rule, if the state given to it is undefined or simply empty string or null the output will be carried from the previous state as below:

Thank you for your time.
Happy Learning :)