back out auth policy header support as Blazor HttpClient is registered as Scoped and can not support variable headers

2021-06-11 07:54:02 -04:00 · 2021-06-11 07:54:02 -04:00 · aa5aca3a8e
commit aa5aca3a8e
parent d82fc8be90
6 changed files with 11 additions and 65 deletions
--- a/Oqtane.Client/Modules/HtmlText/Services/HtmlTextService.cs
+++ b/Oqtane.Client/Modules/HtmlText/Services/HtmlTextService.cs
@ -13,29 +13,22 @@ namespace Oqtane.Modules.HtmlText.Services

        public async Task<Models.HtmlText> GetHtmlTextAsync(int moduleId)
        {
-            AddAuthorizationPolicyHeader(EntityNames.Module, moduleId);
-            return await GetJsonAsync<Models.HtmlText>($"{ApiUrl}/{moduleId}");
+            return await GetJsonAsync<Models.HtmlText>(CreateAuthorizationPolicyUrl($"{ApiUrl}/{moduleId}", EntityNames.Module, moduleId));
        }

        public async Task AddHtmlTextAsync(Models.HtmlText htmlText)
        {
-            AddAntiForgeryToken();
-            AddAuthorizationPolicyHeader(EntityNames.Module, htmlText.ModuleId);
-            await PostJsonAsync($"{ApiUrl}", htmlText);
+            await PostJsonAsync(CreateAuthorizationPolicyUrl($"{ApiUrl}", EntityNames.Module, htmlText.ModuleId), htmlText);
        }

        public async Task UpdateHtmlTextAsync(Models.HtmlText htmlText)
        {
-            AddAntiForgeryToken();
-            AddAuthorizationPolicyHeader(EntityNames.Module, htmlText.ModuleId);
-            await PutJsonAsync($"{ApiUrl}/{htmlText.HtmlTextId}", htmlText);
+            await PutJsonAsync(CreateAuthorizationPolicyUrl($"{ApiUrl}/{htmlText.HtmlTextId}", EntityNames.Module, htmlText.ModuleId), htmlText);
        }

        public async Task DeleteHtmlTextAsync(int moduleId)
        {
-            AddAntiForgeryToken();
-            AddAuthorizationPolicyHeader(EntityNames.Module, moduleId);
-            await DeleteAsync($"{ApiUrl}/{moduleId}");
+            await DeleteAsync(CreateAuthorizationPolicyUrl($"{ApiUrl}/{moduleId}", EntityNames.Module, moduleId));
        }
    }
 }
--- a/Oqtane.Client/Services/InstallationService.cs
+++ b/Oqtane.Client/Services/InstallationService.cs
@ -13,16 +13,20 @@ namespace Oqtane.Services
    public class InstallationService : ServiceBase, IInstallationService
    {
        private readonly NavigationManager _navigationManager;
+        private readonly SiteState _siteState;

-        public InstallationService(HttpClient http, NavigationManager navigationManager) : base(http)
+        public InstallationService(HttpClient http, NavigationManager navigationManager, SiteState siteState) : base(http)
        {
            _navigationManager = navigationManager;
+            _siteState = siteState;
        }

        private string ApiUrl => CreateApiUrl("Installation", null, ControllerRoutes.ApiRoute); // tenant agnostic

        public async Task<Installation> IsInstalled()
        {
+            // add antiforgerytoken header so that it is included on all HttpClient calls for the lifetime of the app
+            AddRequestHeader(Constants.AntiForgeryTokenHeaderName, _siteState.AntiForgeryToken);
            var path = new Uri(_navigationManager.Uri).LocalPath.Substring(1);            
            return await GetJsonAsync<Installation>($"{ApiUrl}/installed/?path={WebUtility.UrlEncode(path)}");
        }
--- a/Oqtane.Client/Services/ServiceBase.cs
+++ b/Oqtane.Client/Services/ServiceBase.cs
@ -20,7 +20,6 @@ namespace Oqtane.Services
        protected ServiceBase(HttpClient client, SiteState siteState)
        {
            _http = client;
-            RemoveAuthorizationPolicyHeaders();
            _siteState = siteState;
        }

@ -96,6 +95,7 @@ namespace Oqtane.Services
            }
        }

+        // note that HttpClient is registered as a Scoped(shared) service and therefore you should not use request headers whose value can vary over the lifetime of the service
        protected void AddRequestHeader(string name, string value)
        {
            RemoveRequestHeader(name);
@ -110,35 +110,6 @@ namespace Oqtane.Services
            }
        }

-        protected void AddAntiForgeryToken()
-        {
-            AddRequestHeader(Constants.AntiForgeryTokenHeaderName, _siteState.AntiForgeryToken);
-        }
-
-        public void AddAuthorizationPolicyHeader(string entityName, int entityId)
-        {
-            AddAuthorizationPolicyHeader(new Dictionary<string, int>() { { entityName, entityId } });
-        }
-
-        public void AddAuthorizationPolicyHeader(Dictionary<string, int> authEntityId)
-        {
-            foreach (KeyValuePair<string, int> kvp in authEntityId)
-            {
-                AddRequestHeader("auth" + kvp.Key.ToLower() + "id", kvp.Value.ToString());
-            }
-        }
-
-        public void RemoveAuthorizationPolicyHeaders()
-        {
-            foreach (var param in _http.DefaultRequestHeaders)
-            {
-                if (param.Key.StartsWith("auth") && param.Key.EndsWith("id"))
-                {
-                    _http.DefaultRequestHeaders.Remove(param.Key);
-                }
-            }
-        }
-
        protected async Task GetAsync(string uri)
        {
            var response = await _http.GetAsync(uri);
@ -258,7 +229,6 @@ namespace Oqtane.Services
        protected ServiceBase(HttpClient client)
        {
            _http = client;
-            RemoveAuthorizationPolicyHeaders();
        }

        [Obsolete("This method is obsolete. Use CreateApiUrl(string serviceName, Alias alias) in conjunction with ControllerRoutes.ApiRoute in Controllers instead.", false)]
--- a/Oqtane.Server/Controllers/ModuleControllerBase.cs
+++ b/Oqtane.Server/Controllers/ModuleControllerBase.cs
@ -27,17 +27,6 @@ namespace Oqtane.Controllers
                    _authEntityId.Add(param.Key.Substring(4, param.Key.Length - 6), value);
                }
            }
-            // if policy authorization dictionary is empty populate from headers
-            if (_authEntityId.Count == 0)
-            {
-                foreach (var param in accessor.HttpContext.Request.Headers)
-                {
-                    if (param.Key.StartsWith("auth") && param.Key.EndsWith("id") && int.TryParse(param.Value, out value))
-                    {
-                        _authEntityId.Add(param.Key.Substring(4, param.Key.Length - 6), value);
-                    }
-                }
-            }

            // legacy support
            if (_authEntityId.Count == 0 && accessor.HttpContext.Request.Query.ContainsKey("entityid"))
--- a/Oqtane.Server/Migrations/Tenant/02010100_AddPageIsClickable.cs
+++ b/Oqtane.Server/Migrations/Tenant/02010100_AddPageIsClickable.cs
@ -19,7 +19,7 @@ namespace Oqtane.Migrations.Tenant
            var pageEntityBuilder = new PageEntityBuilder(migrationBuilder, ActiveDatabase);

            pageEntityBuilder.AddBooleanColumn("IsClickable");
-            pageEntityBuilder.UpdateColumn("IsClickable", "true");
+            pageEntityBuilder.UpdateColumn("IsClickable", "1");
        }

        protected override void Down(MigrationBuilder migrationBuilder)
--- a/Oqtane.Server/Security/PermissionHandler.cs
+++ b/Oqtane.Server/Security/PermissionHandler.cs
@ -35,16 +35,6 @@ namespace Oqtane.Security
                        entityId = -1;
                    }
                }
-                if (entityId == -1)
-                {
-                    if (ctx.Request.Headers.ContainsKey("auth" + requirement.EntityName.ToLower() + "id"))
-                    {
-                        if (!int.TryParse(ctx.Request.Headers["auth" + requirement.EntityName.ToLower() + "id"], out entityId))
-                        {
-                            entityId = -1;
-                        }
-                    }
-                }

                // legacy support
                if (entityId == -1)