In the first place, HttpContext.User.Identity does not depend on any kind of authorization scheme.
The role of authenticating the user and building HttpContext.User.Identity belongs to the Authentication middleware.
What I did was just reference HttpContext.User.Identity, which is the result of the Authentication middleware's work.
It's also important to note that it's a bad practice to store sensitive data under wwwroot.
Yes, we have to consider this point carefully.
However, I can't agree with all of your opinions, at this time.
Essentially and ultimately, there is no difference between the StaticFiles middleware and a custom controller method (as you said) in that both of them serve static files to a user agent.
A few years ago, I saw a custom controller that served static files to user agents and had a "directory traversal" security hole.
And I have also heard another story where a custom controller stored uploaded files to Amazon S3, but the Amazon S3 bucket endpoint allowed public access due to a configuration mistake.
These stories tell me that protecting static content is not simple.
Therefore, I cannot agree with the simple judgment that storing secret static files under the wwwroot folder is bad practice.
Some days from now I may change my opinion to match yours, but not yet.
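As an added example, not code from the commenter's project, here is how the arrangement described above looks in ASP.NET Core minimal hosting: the authentication middleware populates HttpContext.User.Identity, and a small gate placed before the StaticFiles middleware rejects anonymous requests for a protected prefix. The cookie scheme, the "/private" prefix and the 401 response are assumptions chosen for illustration.

```csharp
// Added example (not the commenter's project): gate a subset of static files
// on HttpContext.User.Identity, which the authentication middleware populates.
// Assumptions: ASP.NET Core minimal hosting, cookie authentication, and a
// hypothetical "/private" prefix under wwwroot that should require sign-in.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie();

var app = builder.Build();

// 1. Authentication runs first: it reads the cookie and builds HttpContext.User.
//    No authorization policy is involved; Identity.IsAuthenticated reflects only
//    whether the authentication handler produced a principal.
app.UseAuthentication();

// 2. Gate: anything under /private requires an authenticated identity.
//    Because this runs before StaticFiles, the file is never opened for an
//    anonymous caller; the request short-circuits with 401.
app.Use(async (context, next) =>
{
    if (context.Request.Path.StartsWithSegments("/private")
        && !(context.User.Identity?.IsAuthenticated ?? false))
    {
        context.Response.StatusCode = StatusCodes.Status401Unauthorized;
        return;
    }
    await next();
});

// 3. StaticFiles serves from wwwroot through a PhysicalFileProvider rooted
//    there, so request paths are resolved inside that root and cannot escape it.
app.UseStaticFiles();

app.Run();
```

The ordering is the whole point: UseAuthentication must precede the gate, and the gate must precede UseStaticFiles, otherwise the identity is empty when the check runs or the file is served before the check happens.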
Doubt.
Did you try it?
I tried an access token-based authentication scenario, and it works fine as expected.
You can get the project file that I tried from the link below.