Conversation

nbiada
Contributor

@nbiada nbiada commented Aug 11, 2021

No description provided.

_canViewBrands = (await _authorizationService.AuthorizeAsync(_authenticationStateProviderUser, Permissions.Brands.View)).Succeeded;

_accessToken = await _localStorage.GetItemAsync<string>(StorageConstants.Local.AuthToken);
_jobsLink = $"/jobs?token={_accessToken}";
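Review bot: the `_jobsLink` line puts the bearer token into a URL query string, which, unlike the Authorization header, is recorded in browser history and bookmarks, in server, proxy and CDN access logs, and is sent onward in the Referer header of any request the dashboard page makes to another origin. Consider not embedding `_accessToken` in the link at all and instead letting the dashboard request be authorized server-side (for example by recording the authenticated user in the session, or by issuing a short-lived one-time ticket), so the long-lived token never appears in a URL.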
Contributor

Is it safe to pass a token in a query string?

Contributor Author

The token is exposed in the header of any call, so it is more or less the same as exposing it in the query string.
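Added example, not code from this PR or the project: a Python scan over constructed access-log lines that flags a bearer token carried in a request's query string (as in the `/jobs?token=...` link discussed above) or forwarded in a Referer header, and produces a redacted copy of the line. The log format (combined format) and the list of credential-like parameter names are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-parameter names that commonly carry credentials (assumed list; extend as needed).
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "api_key", "apikey", "auth"}

# Request line and Referer field of a combined-format access log entry (assumed format).
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" \d{3} \d+ "(?P<referer>[^"]*)"'
)

# Constructed sample lines: line 1 carries the token in the query string, line 2 shows the
# same token leaking through the Referer of a follow-up request, line 3 is clean.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Aug/2021:10:01:02 +0000] "GET /jobs?token=eyJhbGciOi.FAKE.SIG HTTP/1.1" 200 5123 "https://app.example/dashboard"',
    '10.0.0.5 - - [11/Aug/2021:10:01:03 +0000] "GET /jobs/stats HTTP/1.1" 200 311 "https://app.example/jobs?token=eyJhbGciOi.FAKE.SIG"',
    '10.0.0.7 - - [11/Aug/2021:10:02:10 +0000] "GET /api/v1/brands?page=2 HTTP/1.1" 200 2048 "-"',
]


def sensitive_params(url):
    """Return the names of credential-like query parameters present in url."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})


def redact_url(url):
    """Replace the value of each credential-like parameter with [REDACTED], keeping the rest."""
    parts = urlsplit(url)
    pairs = [(k, "[REDACTED]" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))


def scan_access_log(lines):
    """Yield (line_no, field, param_names, redacted_line) for each line that leaks a token."""
    for no, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        for field in ("path", "referer"):
            found = sensitive_params(m.group(field))
            if found:
                yield no, field, found, line.replace(m.group(field), redact_url(m.group(field)))


if __name__ == "__main__":
    for no, field, names, redacted in scan_access_log(SAMPLE_LOG):
        print(f"line {no}: {names} in {field} -> {redacted}")
```

The same scan applied to a proxy or CDN log shows the other place a query-string token ends up, which an Authorization header does not reach.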

@gozilla-paradise

Should it validate token before granting access? @nbiada

@fgilde

fgilde commented Oct 13, 2021

I have done it like this.
This method is added to the dashboard controller:

// Records the caller's user id in the server-side session, then returns the dashboard
// route so the client can navigate to it without putting a token in the URL.
[Authorize(Policy = Permissions.Hangfire.View)]
[HttpGet("jobdashboardurl")]
[Produces(typeof(string))]
public IActionResult GetJobDashBoardUrl()
{
    HttpContext.Session.SetString(ApplicationConstants.Hangfire.SessionUserIdKey, Get<ICurrentUserService>().UserId);
    return Ok(ApplicationConstants.Hangfire.DashboardRoute);
}

Content of the auth filter:

public class HangfireAuthorizationFilter : IDashboardAuthorizationFilter
{
    public bool Authorize(DashboardContext context)
    {
        var httpContext = context.GetHttpContext();
        var service = httpContext.RequestServices.GetService<IAccountService>();

        // The user id was placed in the session by GetJobDashBoardUrl; nothing is read from the URL.
        var userId = httpContext.Session.GetString(ApplicationConstants.Hangfire.SessionUserIdKey);

        // IDashboardAuthorizationFilter.Authorize is synchronous, so the async permission check is awaited by blocking.
        return !string.IsNullOrEmpty(userId)
            && service != null
            && service.AuthorizeAsync(userId, Permissions.Hangfire.View).GetAwaiter().GetResult();
    }
}

and on the client side, onclick instead of href:


// Bound to onclick rather than href; async Task (not async void) so failures are observable to the caller.
private async Task OpenJobDashboard()
{
    var uri = await _api.Dashboard_GetJobDashBoardUrlAsync();
    _navigationManager.NavigateTo(uri, true);
}
