DEV Community

Discussion on: How can I protect static files with authorization on ASP.NET Core?

j_sakamoto profile image
jsakamoto Author

This only works with cookie authentication.
If you have another scheme, say JWT, authorization using the OnPrepareResponse hook won't work.

Did you try it?

I tried access token-based authentication scenario, and it works fine as expected.
You can get the project file that I tried from the link below.

In the first place, HttpContext.User.Identity does not depend on any kind of authorization scheme.

The role of authenticating user and building HttpContext.User.Identity is Authentication middleware.

What I did is just referenced the HttpContext.User.Identity that is a result of Authentication middleware's work.

It's also important to note that it's a bad practice to store sensitive data under wwwroot.

Yes, we have to consider well about this point.
However, I can't agree with all of your opinions, at this time.

Essentially and ultimately, there is no difference between StaticFiles middleware and custom controller method (that you said) on the side that both of them respond to static files to a user agent.

A few years ago, I have saw the custom controller that respond static files to user agents had a "directory traversal" security hole.

And also, I have heard another story that the custom controller stored uploaded file to AmazonS3 but the endpoint of AmazonS3 bucket was allowed public access due to configuration mistake.

These stories tell me that protecting static content is not simple.
Therefore, I could not agree with the simple judgment that storing some secret static files under the wwwroot folder is bad practice.

After days I may change my opinion to the same as your opinion, but it is not now, yet.