AUTHORIZATION

SECURITY IN THE AUTHENTICATION AND AUTHORIZATION PHASES

NET CORE

Two-factor authentication requires the user's credentials plus proof of something they have, such as a smartphone that produces the authentication code. The user's identity also stays protected after login: as we have seen, an authentication cookie is issued whose content is encrypted and signed by the Data Protection system, so the client can neither read it nor alter it without the server detecting the tampering.

Cookie

After the authentication phase another one always follows, authorization, which determines whether or not a user may perform a given operation. A user is authorized only if they have first authenticated themselves; then you check whether they carry the required Claims, such as membership of a role. In our application the Claims are stored on a trustworthy medium, the authentication cookie, so the server does not need to hit the database on every request to know who the user is and what roles they hold.

REGULATE USER ACCESS

At the center of everything is the Authorize attribute, which marks which resources are to be protected.

Authorize

On its own, the attribute only verifies that the user has logged in; unless you ask it to (via Roles or a Policy) it does not check which Claims are present in the authentication cookie. We can use Authorize regardless of the authentication scheme in use, because it belongs to ASP.NET Core itself and not to Identity. Once the attribute is placed on the Actions of the CoursesController, an anonymous user is redirected to the Login page. Being authenticated is still not enough to create a course: the user must also possess a Claim such as the Lecturer role. The Authorize attribute is only a marker; the Authorization Middleware does the actual work of deciding whether the user may perform the operation.

Middleware
Authorize opt-in

Behind this apparent simplicity lies a risk: if, two years from now, we add a new method to the Controller that exposes confidential data and forget the Authorize attribute, we are in fact disclosing sensitive data. The remedy is to put the Authorize attribute on the Controller itself, so that every Action is protected by default, and to use the AllowAnonymous attribute on the few Actions that anonymous users must be able to reach. AllowAnonymous makes an Action publicly accessible and wins over any Authorize attribute above it, so apply it deliberately.
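The opt-out layout described above, as an added example that is not the course's own code: Authorize on the controller, AllowAnonymous on the public catalogue actions, and a role requirement on course creation. The namespace, the view names and the "Lecturer" role name are assumptions.

```csharp
// Added example (not the course's own code). Namespace, views and the
// "Lecturer" role name are assumptions.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

namespace MyCourse.Controllers
{
    // Opt-out model: every action in this controller requires an authenticated
    // user, so an action added later is protected unless someone explicitly opens it.
    [Authorize]
    public class CoursesController : Controller
    {
        // Catalogue and detail pages are public: AllowAnonymous on the action
        // overrides the controller-level Authorize.
        [AllowAnonymous]
        public IActionResult Index()
        {
            return View();
        }

        [AllowAnonymous]
        public IActionResult Detail(int id)
        {
            return View();
        }

        // Being logged in is not enough here. Authorize(Roles = ...) additionally
        // requires a role claim "Lecturer" in the user's authentication cookie; both
        // the controller-level and the action-level attribute must be satisfied.
        [Authorize(Roles = "Lecturer")]
        [HttpGet]
        public IActionResult Create()
        {
            return View();
        }

        [Authorize(Roles = "Lecturer")]
        [HttpPost]
        [ValidateAntiForgeryToken]
        public IActionResult Create(string title)
        {
            // Persistence is omitted (assumed); the point is the attribute stack above.
            if (string.IsNullOrWhiteSpace(title))
            {
                ModelState.AddModelError(nameof(title), "Title is required");
                return View();
            }
            return RedirectToAction(nameof(Index));
        }

        // A private area showing only the logged-in user's own data: authentication
        // alone is sufficient, so the controller-level Authorize is all that is needed.
        public IActionResult Purchased()
        {
            // Claims are read from the cookie principal; Name is the user-name claim.
            ViewData["UserName"] = User.Identity.Name;
            return View();
        }
    }
}
```

A quick check worth doing after any refactor: request each action as an anonymous user and confirm that only Index and Detail return 200 while the rest redirect to Login; then log in as a non-lecturer and confirm that Create returns 403 (Access Denied) rather than the page.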

Authorize controller

If we want every Controller to be subject to authorization, we register a global filter in the Startup.cs class instead of decorating each Controller.

filter

To be precise, a filter is a piece of code that runs before each Action; an authorization filter runs first of all, before model binding and before the other filters.

Regulate access to actions

REGULATE ACCESS TO RAZOR PAGES

The question is: when is it enough for the user to be authenticated, with no further Claims, to use a feature? The answer is: when, for example, we want to show them something that concerns only them, such as the list of courses they have purchased, or a new feature that lets an authenticated user ask the lecturer a question.

Question to the lecturer
Contact form

If the Form were also open to unauthenticated users it might attract spammers sending unpleasant content to lecturers. Restricting it to authenticated users also means the lecturer can see the sender's name and e-mail, because we take them from the user's Claims rather than from form fields the sender could fill in with anything. We build the Contact Form with Razor Pages, creating a Contact directory under Pages with the Contact page inside it. Note that we cannot put the Authorize attribute on the OnGetAsync and OnPostAsync handler methods: Razor Pages have this limitation, and the attribute must go on the PageModel class instead.

Razor Page access

The alternative is the filter approach already seen with MVC.

Razor Page filters

Since MVC and Razor Pages share the same routing and filter pipeline, there is no need to duplicate the code already written for MVC: the global filter covers both. The Privacy page, however, must remain accessible to everyone, so here is an easy way to open it up.
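The global-filter setup from the MVC section together with the Razor Pages case above, as one added example that is not the course's own code: a single AuthorizeFilter registered in Startup.cs protects both MVC actions and Razor Pages, the Privacy page is opened up by convention, and the Contact page is protected at PageModel level and reads the sender's identity from the cookie Claims. It targets ASP.NET Core 2.x (AddMvc); the namespaces, page paths and the presence of an e-mail claim in the cookie are assumptions.

```csharp
// Added example (not the course's own code). ASP.NET Core 2.x (AddMvc);
// namespaces, page paths and the e-mail claim are assumptions.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.ApplicationModels;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.DependencyInjection;

namespace MyCourse
{
    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            // Identity / authentication registration omitted here.

            services.AddMvc(options =>
            {
                // A filter runs before every action and every page handler, so one
                // AuthorizeFilter makes "authenticated user" the default for both.
                var policy = new AuthorizationPolicyBuilder()
                    .RequireAuthenticatedUser()
                    .Build();
                options.Filters.Add(new AuthorizeFilter(policy));
            })
            .AddRazorPagesOptions(options =>
            {
                // Opt the public Privacy page out without touching its PageModel.
                options.Conventions.AllowAnonymousToPage("/Privacy");
            });
        }
    }
}

namespace MyCourse.Pages.Contact
{
    // Razor Pages ignore Authorize on handler methods (OnGetAsync/OnPostAsync);
    // it goes on the PageModel class. With the global filter above it is redundant,
    // but it keeps the page protected even if the filter is removed later.
    [Authorize]
    public class ContactModel : PageModel
    {
        [BindProperty]
        public string Question { get; set; }

        public string SenderName { get; private set; }
        public string SenderEmail { get; private set; }

        public Task<IActionResult> OnGetAsync()
        {
            return Task.FromResult<IActionResult>(Page());
        }

        public Task<IActionResult> OnPostAsync()
        {
            if (!ModelState.IsValid || string.IsNullOrWhiteSpace(Question))
            {
                ModelState.AddModelError(nameof(Question), "Write a question");
                return Task.FromResult<IActionResult>(Page());
            }

            // Name and e-mail come from the Claims in the authentication cookie, not
            // from form fields the sender could forge (assumes Identity adds the
            // e-mail claim; otherwise SenderEmail is null).
            SenderName = User.Identity.Name;
            SenderEmail = User.FindFirst(ClaimTypes.Email)?.Value;

            // Assumed: hand SenderName, SenderEmail and Question to an e-mail service.
            return Task.FromResult<IActionResult>(RedirectToPage());
        }
    }
}
```

Two caveats. First, `new AuthorizeFilter()` with no policy only requires an authenticated user, exactly like a bare `[Authorize]`; passing an explicit policy as above makes the default requirement visible and lets you tighten it later in one place. Second, on ASP.NET Core 3.0 and later with endpoint routing, the same default is more commonly expressed as `services.AddAuthorization(o => o.FallbackPolicy = policy)`, which applies to every endpoint that carries no authorization metadata of its own; `[AllowAnonymous]` and `AllowAnonymousToPage` work the same way in both models.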

Privacy
Authorize access to Razor Pages

LINK TO CODE ON GITHUB

GITHUB

Download the section18 code or the master branch, or clone the GITHUB repository to have all the sections available in your favorite editor.