back out auth policy header support as Blazor HttpClient is registered as Scoped and can not support variable headers

This commit is contained in:
Shaun Walker 2021-06-11 07:54:02 -04:00
parent d82fc8be90
commit aa5aca3a8e
6 changed files with 11 additions and 65 deletions


@ -13,29 +13,22 @@ namespace Oqtane.Modules.HtmlText.Services
public async Task<Models.HtmlText> GetHtmlTextAsync(int moduleId) public async Task<Models.HtmlText> GetHtmlTextAsync(int moduleId)
{ {
AddAuthorizationPolicyHeader(EntityNames.Module, moduleId); return await GetJsonAsync<Models.HtmlText>(CreateAuthorizationPolicyUrl($"{ApiUrl}/{moduleId}", EntityNames.Module, moduleId));
return await GetJsonAsync<Models.HtmlText>($"{ApiUrl}/{moduleId}");
} }
public async Task AddHtmlTextAsync(Models.HtmlText htmlText) public async Task AddHtmlTextAsync(Models.HtmlText htmlText)
{ {
AddAntiForgeryToken(); await PostJsonAsync(CreateAuthorizationPolicyUrl($"{ApiUrl}", EntityNames.Module, htmlText.ModuleId), htmlText);
AddAuthorizationPolicyHeader(EntityNames.Module, htmlText.ModuleId);
await PostJsonAsync($"{ApiUrl}", htmlText);
} }
public async Task UpdateHtmlTextAsync(Models.HtmlText htmlText) public async Task UpdateHtmlTextAsync(Models.HtmlText htmlText)
{ {
AddAntiForgeryToken(); await PutJsonAsync(CreateAuthorizationPolicyUrl($"{ApiUrl}/{htmlText.HtmlTextId}", EntityNames.Module, htmlText.ModuleId), htmlText);
AddAuthorizationPolicyHeader(EntityNames.Module, htmlText.ModuleId);
await PutJsonAsync($"{ApiUrl}/{htmlText.HtmlTextId}", htmlText);
} }
public async Task DeleteHtmlTextAsync(int moduleId) public async Task DeleteHtmlTextAsync(int moduleId)
{ {
AddAntiForgeryToken(); await DeleteAsync(CreateAuthorizationPolicyUrl($"{ApiUrl}/{moduleId}", EntityNames.Module, moduleId));
AddAuthorizationPolicyHeader(EntityNames.Module, moduleId);
await DeleteAsync($"{ApiUrl}/{moduleId}");
} }
} }
} }
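Review bot: Every HtmlText call now carries the module id in the URL through `CreateAuthorizationPolicyUrl` (defined outside this diff) instead of the `auth<entity>id` header, so the server reads it only through the query-string branches in the Oqtane.Controllers and Oqtane.Security hunks that are still labelled `// legacy support`; that label now describes the primary path and should say that the entity id is expected in the query string. The three mutating methods also drop `AddAntiForgeryToken()`, which means they rely on the anti-forgery header having been attached to the shared HttpClient by `InstallationService.IsInstalled()` earlier in the same scope, and nothing in this class says so. A class-level comment such as `// anti-forgery header is attached to the scoped HttpClient by InstallationService.IsInstalled(); it is not added per call` would make that ordering dependency visible to the next service author.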


@ -13,16 +13,20 @@ namespace Oqtane.Services
public class InstallationService : ServiceBase, IInstallationService public class InstallationService : ServiceBase, IInstallationService
{ {
private readonly NavigationManager _navigationManager; private readonly NavigationManager _navigationManager;
private readonly SiteState _siteState;
public InstallationService(HttpClient http, NavigationManager navigationManager) : base(http) public InstallationService(HttpClient http, NavigationManager navigationManager, SiteState siteState) : base(http)
{ {
_navigationManager = navigationManager; _navigationManager = navigationManager;
_siteState = siteState;
} }
private string ApiUrl => CreateApiUrl("Installation", null, ControllerRoutes.ApiRoute); // tenant agnostic private string ApiUrl => CreateApiUrl("Installation", null, ControllerRoutes.ApiRoute); // tenant agnostic
public async Task<Installation> IsInstalled() public async Task<Installation> IsInstalled()
{ {
// add antiforgerytoken header so that it is included on all HttpClient calls for the lifetime of the app
AddRequestHeader(Constants.AntiForgeryTokenHeaderName, _siteState.AntiForgeryToken);
var path = new Uri(_navigationManager.Uri).LocalPath.Substring(1); var path = new Uri(_navigationManager.Uri).LocalPath.Substring(1);
return await GetJsonAsync<Installation>($"{ApiUrl}/installed/?path={WebUtility.UrlEncode(path)}"); return await GetJsonAsync<Installation>($"{ApiUrl}/installed/?path={WebUtility.UrlEncode(path)}");
} }
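Review bot: `IsInstalled()` now writes `_siteState.AntiForgeryToken` into the shared HttpClient's default headers as a side effect, and nothing checks that the token is populated at this point; if it is still null or empty when this runs, the result depends on what `AddRequestHeader` does with that value (its body is outside this hunk). I would guard the call with `if (!string.IsNullOrEmpty(_siteState.AntiForgeryToken)) { AddRequestHeader(Constants.AntiForgeryTokenHeaderName, _siteState.AntiForgeryToken); }` and extend the comment to say that every later POST/PUT/DELETE in this scope depends on this method having run first. It is also worth confirming whether the token is bound to the authenticated identity: if it is, a value captured before login would have to be re-applied after login, which the "lifetime of the app" wording does not cover. Minor style: the class now receives a `SiteState` but still calls `base(http)` rather than the `ServiceBase(HttpClient, SiteState)` overload.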


@ -20,7 +20,6 @@ namespace Oqtane.Services
protected ServiceBase(HttpClient client, SiteState siteState) protected ServiceBase(HttpClient client, SiteState siteState)
{ {
_http = client; _http = client;
RemoveAuthorizationPolicyHeaders();
_siteState = siteState; _siteState = siteState;
} }
@ -96,6 +95,7 @@ namespace Oqtane.Services
} }
} }
// note that HttpClient is registered as a Scoped(shared) service and therefore you should not use request headers whose value can vary over the lifetime of the service
protected void AddRequestHeader(string name, string value) protected void AddRequestHeader(string name, string value)
{ {
RemoveRequestHeader(name); RemoveRequestHeader(name);
@ -110,35 +110,6 @@ namespace Oqtane.Services
} }
} }
protected void AddAntiForgeryToken()
{
AddRequestHeader(Constants.AntiForgeryTokenHeaderName, _siteState.AntiForgeryToken);
}
public void AddAuthorizationPolicyHeader(string entityName, int entityId)
{
AddAuthorizationPolicyHeader(new Dictionary<string, int>() { { entityName, entityId } });
}
public void AddAuthorizationPolicyHeader(Dictionary<string, int> authEntityId)
{
foreach (KeyValuePair<string, int> kvp in authEntityId)
{
AddRequestHeader("auth" + kvp.Key.ToLower() + "id", kvp.Value.ToString());
}
}
public void RemoveAuthorizationPolicyHeaders()
{
foreach (var param in _http.DefaultRequestHeaders)
{
if (param.Key.StartsWith("auth") && param.Key.EndsWith("id"))
{
_http.DefaultRequestHeaders.Remove(param.Key);
}
}
}
protected async Task GetAsync(string uri) protected async Task GetAsync(string uri)
{ {
var response = await _http.GetAsync(uri); var response = await _http.GetAsync(uri);
@ -258,7 +229,6 @@ namespace Oqtane.Services
protected ServiceBase(HttpClient client) protected ServiceBase(HttpClient client)
{ {
_http = client; _http = client;
RemoveAuthorizationPolicyHeaders();
} }
[Obsolete("This method is obsolete. Use CreateApiUrl(string serviceName, Alias alias) in conjunction with ControllerRoutes.ApiRoute in Controllers instead.", false)] [Obsolete("This method is obsolete. Use CreateApiUrl(string serviceName, Alias alias) in conjunction with ControllerRoutes.ApiRoute in Controllers instead.", false)]
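Review bot: The new comment on `AddRequestHeader` explains the scoped-lifetime constraint but not the concurrency one: if the method writes to `_http.DefaultRequestHeaders` (the rest of its body is outside the hunk), that collection is not safe to modify while requests are in flight on the same HttpClient, so the `RemoveRequestHeader(name)` followed by an add can race with a concurrent request. I would extend the comment to `// note that HttpClient is registered as a Scoped (shared) service: do not use request headers whose value can vary over the lifetime of the service, and do not call this while requests are in flight, since DefaultRequestHeaders is not thread-safe`. The surrounding ServiceBase members continue outside these hunks.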


@ -27,17 +27,6 @@ namespace Oqtane.Controllers
_authEntityId.Add(param.Key.Substring(4, param.Key.Length - 6), value); _authEntityId.Add(param.Key.Substring(4, param.Key.Length - 6), value);
} }
} }
// if policy authorization dictionary is empty populate from headers
if (_authEntityId.Count == 0)
{
foreach (var param in accessor.HttpContext.Request.Headers)
{
if (param.Key.StartsWith("auth") && param.Key.EndsWith("id") && int.TryParse(param.Value, out value))
{
_authEntityId.Add(param.Key.Substring(4, param.Key.Length - 6), value);
}
}
}
// legacy support // legacy support
if (_authEntityId.Count == 0 && accessor.HttpContext.Request.Query.ContainsKey("entityid")) if (_authEntityId.Count == 0 && accessor.HttpContext.Request.Query.ContainsKey("entityid"))


@ -19,7 +19,7 @@ namespace Oqtane.Migrations.Tenant
var pageEntityBuilder = new PageEntityBuilder(migrationBuilder, ActiveDatabase); var pageEntityBuilder = new PageEntityBuilder(migrationBuilder, ActiveDatabase);
pageEntityBuilder.AddBooleanColumn("IsClickable"); pageEntityBuilder.AddBooleanColumn("IsClickable");
pageEntityBuilder.UpdateColumn("IsClickable", "true"); pageEntityBuilder.UpdateColumn("IsClickable", "1");
} }
protected override void Down(MigrationBuilder migrationBuilder) protected override void Down(MigrationBuilder migrationBuilder)
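Review bot: `pageEntityBuilder.UpdateColumn("IsClickable", "1")` encodes a provider-specific literal in a migration that runs for every `ActiveDatabase`; if `UpdateColumn` splices the value verbatim into SQL, `1` suits a SQL Server/SQLite/MySQL bit column while a PostgreSQL boolean column rejects an integer literal without a cast, so the old `"true"` and the new `"1"` would each fail on a different provider. Consider letting the entity builder render boolean values per provider, using the database object it already holds, instead of fixing the literal in each migration, and add a comment on this line such as `// literal must match the provider's boolean representation`. The enclosing `Up` method starts outside the hunk.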


@ -35,16 +35,6 @@ namespace Oqtane.Security
entityId = -1; entityId = -1;
} }
} }
if (entityId == -1)
{
if (ctx.Request.Headers.ContainsKey("auth" + requirement.EntityName.ToLower() + "id"))
{
if (!int.TryParse(ctx.Request.Headers["auth" + requirement.EntityName.ToLower() + "id"], out entityId))
{
entityId = -1;
}
}
}
// legacy support // legacy support
if (entityId == -1) if (entityId == -1)