
Example of Hangfire authorization using token from navlink #270

Open: nbiada wants to merge 1 commit into base branch master.

Conversation

nbiada (Contributor)

@nbiada nbiada commented Aug 11, 2021

No description provided.

@@ -115,5 +120,8 @@
_canViewChat = (await _authorizationService.AuthorizeAsync(_authenticationStateProviderUser, Permissions.Communication.Chat)).Succeeded;
_canViewProducts = (await _authorizationService.AuthorizeAsync(_authenticationStateProviderUser, Permissions.Products.View)).Succeeded;
_canViewBrands = (await _authorizationService.AuthorizeAsync(_authenticationStateProviderUser, Permissions.Brands.View)).Succeeded;

_accessToken = await _localStorage.GetItemAsync<string>(StorageConstants.Local.AuthToken);
_jobsLink = $"/jobs?token={_accessToken}";
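Review bot: `_jobsLink = $"/jobs?token={_accessToken}";` puts the long-lived access token into a URL, and URLs are recorded in places an Authorization header is not: browser history and the address bar, proxy and web-server access logs, and the Referer header sent when the dashboard page loads external resources. `_accessToken` is also read straight from local storage with no null check before it is interpolated, so a signed-out user ends up with a bare `/jobs?token=` link. Suggest not embedding the token at all: have the client call an authenticated endpoint that records the user in a server-side session (or issues a short-lived, single-use value), and then navigate to the plain dashboard route.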
Contributor

Is it safe to pass a token in a query string?

Contributor Author

The token is exposed in the header of any call, so it is more or less the same as exposing it in the query string.

@gozilla-paradise

Should it validate token before granting access? @nbiada


fgilde commented Oct 13, 2021

I have done it like this. This method is added to the dashboard controller:

    [Authorize(Policy = Permissions.Hangfire.View)]
    [HttpGet("jobdashboardurl")]
    [Produces(typeof(string))]
    public IActionResult GetJobDashBoardUrl()
    {
        // Record the caller's user id in the server-side session; the dashboard filter reads it back.
        HttpContext.Session.SetString(ApplicationConstants.Hangfire.SessionUserIdKey, Get<ICurrentUserService>().UserId);
        // Return only the dashboard route: no token travels in the URL.
        return Ok(ApplicationConstants.Hangfire.DashboardRoute);
    }

Content of the auth filter:

    public class HangfireAuthorizationFilter : IDashboardAuthorizationFilter
    {
        public bool Authorize(DashboardContext context)
        {
            var httpContext = context.GetHttpContext();
            var service = httpContext.RequestServices.GetService<IAccountService>();

            // Only the cookie-bound session identifies the user; nothing is taken from the URL.
            var userId = httpContext.Session.GetString(ApplicationConstants.Hangfire.SessionUserIdKey);

            // Authorize() is synchronous, so block on the async permission check.
            // GetAwaiter().GetResult() surfaces the original exception instead of an AggregateException.
            return !string.IsNullOrEmpty(userId)
                && service != null
                && service.AuthorizeAsync(userId, Permissions.Hangfire.View).GetAwaiter().GetResult();
        }
    }

and on the client side, onclick instead of href:

    // async Task rather than async void so that exceptions surface to the Blazor renderer.
    private async Task OpenJobDashboard()
    {
        // Ask the authenticated API for the dashboard route (this call marks the session),
        // then force a full-page load so the browser sends the session cookie with the navigation.
        var uri = await _api.Dashboard_GetJobDashBoardUrlAsync();
        _navigationManager.NavigateTo(uri, forceLoad: true);
    }
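The snippets above leave out the pipeline wiring their session-based filter relies on, and that wiring is where the approach succeeds or fails: session middleware must be registered and run before the dashboard, and the session cookie is what stands in for the token. The following is an added example, not code from this PR or the project it targets, showing the complete server side in .NET 6 minimal-hosting form: session registration with a hardened cookie, the authenticated endpoint that marks the session, and a filter that trusts only that session and re-checks the permission on every dashboard request. IPermissionService, StaticPermissionService, DashboardSession, SessionDashboardFilter, the route names and the issuer/audience values are this example's own assumptions; the Hangfire and ASP.NET Core APIs it calls are real.

```csharp
// Added example (not from this PR or the project it targets): full wiring for a session-bound
// Hangfire dashboard on ASP.NET Core (.NET 6 minimal hosting). IPermissionService, DashboardSession,
// SessionDashboardFilter, StaticPermissionService and the issuer/audience values are assumptions.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Hangfire;
using Hangfire.Dashboard;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o =>
    {
        o.Authority = "https://issuer.example"; // placeholder issuer
        o.Audience = "api";                      // placeholder audience
    });
builder.Services.AddAuthorization();
// The dashboard filter trusts only this server-side session, so harden its cookie.
builder.Services.AddDistributedMemoryCache();
builder.Services.AddSession(o =>
{
    o.Cookie.HttpOnly = true;                          // not readable by script
    o.Cookie.SecurePolicy = CookieSecurePolicy.Always; // HTTPS only
    o.Cookie.SameSite = SameSiteMode.Lax;              // not sent on cross-site subrequests or POSTs
    o.IdleTimeout = TimeSpan.FromMinutes(20);
});
builder.Services.AddHangfire(c => c.UseInMemoryStorage()); // Hangfire.InMemory package
builder.Services.AddHangfireServer();
builder.Services.AddSingleton<IPermissionService, StaticPermissionService>();

var app = builder.Build();
app.UseAuthentication();
app.UseSession(); // must precede the dashboard: HttpContext.Session throws otherwise
app.UseAuthorization();
app.MapControllers();
app.UseHangfireDashboard(DashboardSession.Path, new DashboardOptions
{
    Authorization = new[] { new SessionDashboardFilter() }
});
app.Run();

public static class DashboardSession
{
    public const string Path = "/jobs";
    public const string UserIdKey = "hangfire.userId";
    public const string ViewPermission = "Hangfire.View";
}
public interface IPermissionService
{
    Task<bool> HasPermissionAsync(string userId, string permission);
}
// Constructed sample allow-list standing in for the project's permission store.
public sealed class StaticPermissionService : IPermissionService
{
    private static readonly HashSet<string> Allowed = new() { "user-42" };
    public Task<bool> HasPermissionAsync(string userId, string permission) =>
        Task.FromResult(permission == DashboardSession.ViewPermission && Allowed.Contains(userId));
}

// Authenticated endpoint the client calls before navigating: it marks the cookie-bound
// session and returns a plain route, so the bearer token never leaves the Authorization header.
[ApiController, Route("api/dashboard")]
public sealed class DashboardController : ControllerBase
{
    [Authorize, HttpGet("joburl")]
    public IActionResult GetJobDashboardUrl()
    {
        // The bearer handler maps "sub" to NameIdentifier by default; accept either form.
        var userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value ?? User.FindFirst("sub")?.Value;
        if (string.IsNullOrEmpty(userId)) return Forbid();
        HttpContext.Session.SetString(DashboardSession.UserIdKey, userId);
        return Ok(DashboardSession.Path);
    }
}

// Filter: authorizes from the session only, and re-checks the permission on every
// dashboard request so a revoked user is cut off without waiting for session expiry.
public sealed class SessionDashboardFilter : IDashboardAuthorizationFilter
{
    public bool Authorize(DashboardContext context)
    {
        var http = context.GetHttpContext();
        var userId = http.Session.GetString(DashboardSession.UserIdKey);
        if (string.IsNullOrEmpty(userId)) return false;
        var perms = http.RequestServices.GetRequiredService<IPermissionService>();
        // IDashboardAuthorizationFilter.Authorize is synchronous, so block on the async check.
        return perms.HasPermissionAsync(userId, DashboardSession.ViewPermission).GetAwaiter().GetResult();
    }
}
```

The client side stays as in the comment above: call the authenticated endpoint, then navigate to the returned route with a forced full-page load. This only works when the API and the dashboard share an origin, so that the session cookie set on the API response accompanies the browser's navigation to `/jobs`; a hosted Blazor WebAssembly app satisfies that, a separately hosted API does not. Clearing the session key on logout closes the window between sign-out and the idle timeout.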

4 participants