From aa5aca3a8e51c3a1d56ff6badbf7f22e17c75fbf Mon Sep 17 00:00:00 2001 From: Shaun Walker Date: Fri, 11 Jun 2021 07:54:02 -0400 Subject: [PATCH] back out auth policy header support as Blazor HttpClient is registered as Scoped and can not support variable headers --- .../HtmlText/Services/HtmlTextService.cs | 15 +++------ Oqtane.Client/Services/InstallationService.cs | 6 +++- Oqtane.Client/Services/ServiceBase.cs | 32 +------------------ .../Controllers/ModuleControllerBase.cs | 11 ------- .../Tenant/02010100_AddPageIsClickable.cs | 2 +- Oqtane.Server/Security/PermissionHandler.cs | 10 ------ 6 files changed, 11 insertions(+), 65 deletions(-) diff --git a/Oqtane.Client/Modules/HtmlText/Services/HtmlTextService.cs b/Oqtane.Client/Modules/HtmlText/Services/HtmlTextService.cs index 344eb8f6..73776394 100644 --- a/Oqtane.Client/Modules/HtmlText/Services/HtmlTextService.cs +++ b/Oqtane.Client/Modules/HtmlText/Services/HtmlTextService.cs 
@@ -13,29 +13,22 @@ namespace Oqtane.Modules.HtmlText.Services public async Task GetHtmlTextAsync(int moduleId) { - AddAuthorizationPolicyHeader(EntityNames.Module, moduleId); - return await GetJsonAsync($"{ApiUrl}/{moduleId}"); + return await GetJsonAsync(CreateAuthorizationPolicyUrl($"{ApiUrl}/{moduleId}", EntityNames.Module, moduleId)); } public async Task AddHtmlTextAsync(Models.HtmlText htmlText) { - AddAntiForgeryToken(); - AddAuthorizationPolicyHeader(EntityNames.Module, htmlText.ModuleId); - await PostJsonAsync($"{ApiUrl}", htmlText); + await PostJsonAsync(CreateAuthorizationPolicyUrl($"{ApiUrl}", EntityNames.Module, htmlText.ModuleId), htmlText); } public async Task UpdateHtmlTextAsync(Models.HtmlText htmlText) { - AddAntiForgeryToken(); - AddAuthorizationPolicyHeader(EntityNames.Module, htmlText.ModuleId); - await PutJsonAsync($"{ApiUrl}/{htmlText.HtmlTextId}", htmlText); + await PutJsonAsync(CreateAuthorizationPolicyUrl($"{ApiUrl}/{htmlText.HtmlTextId}", EntityNames.Module, htmlText.ModuleId), htmlText); } public async Task DeleteHtmlTextAsync(int moduleId) { - AddAntiForgeryToken(); - AddAuthorizationPolicyHeader(EntityNames.Module, moduleId); - await DeleteAsync($"{ApiUrl}/{moduleId}"); + await DeleteAsync(CreateAuthorizationPolicyUrl($"{ApiUrl}/{moduleId}", EntityNames.Module, moduleId)); } } } diff --git a/Oqtane.Client/Services/InstallationService.cs b/Oqtane.Client/Services/InstallationService.cs index a37db439..70bfc7f6 100644 --- a/Oqtane.Client/Services/InstallationService.cs +++ b/Oqtane.Client/Services/InstallationService.cs 
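Review bot: AddHtmlTextAsync, UpdateHtmlTextAsync and DeleteHtmlTextAsync no longer call AddAntiForgeryToken() and nothing in this class replaces it, so the antiforgery header on their POST/PUT/DELETE requests now depends on InstallationService.IsInstalled() having already registered it on the shared HttpClient elsewhere in this patch — a dependency a reader of this file cannot see, and one that fails only at the server (antiforgery rejection) if any request path uses this service before that call has run. I would record it at the top of the class: `// antiforgery header is not added per request: InstallationService.IsInstalled() registers it once on the shared (scoped) HttpClient for the lifetime of the app`. The entity id that used to travel in an `auth<entity>id` header is now placed in the URL by CreateAuthorizationPolicyUrl, whose definition is not in this hunk; the server side appears to still take the permission entity from that client-supplied value, so it is worth confirming the controller checks it against the record actually being modified rather than trusting it. The class header is above the hunk.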
@@ -13,16 +13,20 @@ namespace Oqtane.Services public class InstallationService : ServiceBase, IInstallationService { private readonly NavigationManager _navigationManager; + private readonly SiteState _siteState; - public InstallationService(HttpClient http, NavigationManager navigationManager) : base(http) + public InstallationService(HttpClient http, NavigationManager navigationManager, SiteState siteState) : base(http) { _navigationManager = navigationManager; + _siteState = siteState; } private string ApiUrl => CreateApiUrl("Installation", null, ControllerRoutes.ApiRoute); // tenant agnostic public async Task IsInstalled() { + // add antiforgerytoken header so that it is included on all HttpClient calls for the lifetime of the app + AddRequestHeader(Constants.AntiForgeryTokenHeaderName, _siteState.AntiForgeryToken); var path = new Uri(_navigationManager.Uri).LocalPath.Substring(1); return await GetJsonAsync($"{ApiUrl}/installed/?path={WebUtility.UrlEncode(path)}"); } diff --git a/Oqtane.Client/Services/ServiceBase.cs b/Oqtane.Client/Services/ServiceBase.cs index 66762fde..ecd6c37b 100644 --- a/Oqtane.Client/Services/ServiceBase.cs +++ b/Oqtane.Client/Services/ServiceBase.cs @@ -20,7 +20,6 @@ namespace Oqtane.Services protected ServiceBase(HttpClient client, SiteState siteState) { _http = client; - RemoveAuthorizationPolicyHeaders(); _siteState = siteState; } @@ -96,6 +95,7 @@ namespace Oqtane.Services } } + // note that HttpClient is registered as a Scoped(shared) service and therefore you should not use request headers whose value can vary over the lifetime of the service protected void AddRequestHeader(string name, string value) { RemoveRequestHeader(name); 
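Review bot: IsInstalled() now performs a side effect that every later write in the app depends on — registering `_siteState.AntiForgeryToken` as a default header on the shared HttpClient — but it passes the value through unchecked, so if SiteState has no token when this first GET runs (where SiteState is populated is not in the hunk) AddRequestHeader, whose body is also outside the hunk, will register an empty or null header and every subsequent POST/PUT/DELETE will be rejected by antiforgery validation far from the cause. I would fail loudly here instead: `if (string.IsNullOrEmpty(_siteState.AntiForgeryToken)) throw new InvalidOperationException("SiteState.AntiForgeryToken must be set before the HttpClient is used");` ahead of the AddRequestHeader call, or at minimum log it. The header is also never refreshed for the lifetime of the client; ASP.NET Core antiforgery tokens are bound to the signed-in identity, so if the token is minted server-side for the anonymous user and the Blazor app does not reload after login, writes made after sign-in would fail validation — presumably the app does reload, but that is worth confirming. Since a method named IsInstalled is an unlikely home for security-critical setup, the new comment should also state the ordering requirement: `// must run before any POST/PUT/DELETE on this shared, app-lifetime HttpClient`.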
@@ -110,35 +110,6 @@ namespace Oqtane.Services } } - protected void AddAntiForgeryToken() - { - AddRequestHeader(Constants.AntiForgeryTokenHeaderName, _siteState.AntiForgeryToken); - } - - public void AddAuthorizationPolicyHeader(string entityName, int entityId) - { - AddAuthorizationPolicyHeader(new Dictionary() { { entityName, entityId } }); - } - - public void AddAuthorizationPolicyHeader(Dictionary authEntityId) - { - foreach (KeyValuePair kvp in authEntityId) - { - AddRequestHeader("auth" + kvp.Key.ToLower() + "id", kvp.Value.ToString()); - } - } - - public void RemoveAuthorizationPolicyHeaders() - { - foreach (var param in _http.DefaultRequestHeaders) - { - if (param.Key.StartsWith("auth") && param.Key.EndsWith("id")) - { - _http.DefaultRequestHeaders.Remove(param.Key); - } - } - } - protected async Task GetAsync(string uri) { var response = await _http.GetAsync(uri); @@ -258,7 +229,6 @@ namespace Oqtane.Services protected ServiceBase(HttpClient client) { _http = client; - RemoveAuthorizationPolicyHeaders(); } [Obsolete("This method is obsolete. Use CreateApiUrl(string serviceName, Alias alias) in conjunction with ControllerRoutes.ApiRoute in Controllers instead.", false)] diff --git a/Oqtane.Server/Controllers/ModuleControllerBase.cs b/Oqtane.Server/Controllers/ModuleControllerBase.cs index 18687ee8..6f89bac2 100644 --- a/Oqtane.Server/Controllers/ModuleControllerBase.cs +++ b/Oqtane.Server/Controllers/ModuleControllerBase.cs 
@@ -27,17 +27,6 @@ namespace Oqtane.Controllers _authEntityId.Add(param.Key.Substring(4, param.Key.Length - 6), value); } } - // if policy authorization dictionary is empty populate from headers - if (_authEntityId.Count == 0) - { - foreach (var param in accessor.HttpContext.Request.Headers) - { - if (param.Key.StartsWith("auth") && param.Key.EndsWith("id") && int.TryParse(param.Value, out value)) - { - _authEntityId.Add(param.Key.Substring(4, param.Key.Length - 6), value); - } - } - } // legacy support if (_authEntityId.Count == 0 && accessor.HttpContext.Request.Query.ContainsKey("entityid")) diff --git a/Oqtane.Server/Migrations/Tenant/02010100_AddPageIsClickable.cs b/Oqtane.Server/Migrations/Tenant/02010100_AddPageIsClickable.cs index f1d85e45..c15db40c 100644 --- a/Oqtane.Server/Migrations/Tenant/02010100_AddPageIsClickable.cs +++ b/Oqtane.Server/Migrations/Tenant/02010100_AddPageIsClickable.cs @@ -19,7 +19,7 @@ namespace Oqtane.Migrations.Tenant var pageEntityBuilder = new PageEntityBuilder(migrationBuilder, ActiveDatabase); pageEntityBuilder.AddBooleanColumn("IsClickable"); - pageEntityBuilder.UpdateColumn("IsClickable", "true"); + pageEntityBuilder.UpdateColumn("IsClickable", "1"); } protected override void Down(MigrationBuilder migrationBuilder) diff --git a/Oqtane.Server/Security/PermissionHandler.cs b/Oqtane.Server/Security/PermissionHandler.cs index e26ddcd4..0b507e74 100644 --- a/Oqtane.Server/Security/PermissionHandler.cs +++ b/Oqtane.Server/Security/PermissionHandler.cs @@ -35,16 +35,6 @@ namespace Oqtane.Security entityId = -1; } } - if (entityId == -1) - { - if (ctx.Request.Headers.ContainsKey("auth" + requirement.EntityName.ToLower() + "id")) - { - if (!int.TryParse(ctx.Request.Headers["auth" + requirement.EntityName.ToLower() + "id"], out entityId)) - { - entityId = -1; - } - } - } // legacy support if (entityId == -1)
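Review bot: In the migration hunk, the literal "1" now written to IsClickable is a dialect-specific boolean: SQL Server's bit and the integer-backed booleans of SQLite and MySQL accept it, but a PostgreSQL boolean column rejects an unquoted integer, so whether this works on every provider depends on how PageEntityBuilder.UpdateColumn (not in the hunk) quotes or translates the value for ActiveDatabase — worth confirming against the PostgreSQL provider if one is supported. If the builder passes the value through verbatim, the robust fix is to have the provider-specific layer render the boolean literal rather than hard-coding either "true" or "1" in the migration. Whatever the answer, a comment on the changed line would stop the next person flipping it back: `// boolean literal: "1" rather than "true" is valid for a SQL Server bit column; confirm the builder adapts it for providers with a native boolean type`. Up() starts above the hunk.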