Sunday, October 18, 2020

[.NET core] AddPolicy to Authorize on MVC controller

Sometimes when you are using C# identity, the [Authorize] attribute is not enough,for example, you want additional check not only claims or role, then you can try add policy to make it. 

In this example, we assume a part of method need check token in user claims before access, here is how to implement it. 

1.add a AuthorizationHandler for your policy 
 Handler/AuthorizeTokenHandler.cs
namespace Example.Handler
{
    // Custom AuthorizationHandler for check token in claim
    public class AuthorizeTokenHandler : AuthorizationHandler<TokenRequirement>
    {
        private readonly AuthService _auth;

        public AuthorizeTokenHandler(AuthService auth)
        {
            _auth = auth;
        }
        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, TokenRequirement requirement)
        {
            //no token claim
            if (!context.User.HasClaim(x => x.Type == "Token"))
            {
                context.Fail();
                return Task.CompletedTask;
            }

            var username = context.User.FindFirst(ClaimTypes.Name).Value;
            var token = context.User.FindFirst("Token").Value;

            #region check token
            if (_auth.CheckToken(username,token))
            {
                context.Succeed(requirement);
            }
            else
            {
                context.Fail();
            }
            #endregion

            return Task.CompletedTask;
        }
    }

    public class TokenRequirement : IAuthorizationRequirement
    {
    }

2. add to startup, in ConfigureServices

            //handler
            services.AddSingleton<IAuthorizationHandler, AuthorizeTokenHandler>();
            
            //add policy
            services.AddAuthorization(options =>
            {
                options.AddPolicy("TokenRequire", policy =>
                    policy.Requirements.Add(new TokenRequirement()));
            });

3. apply policy to Authorize when you need

[Authorize(Policy = "TokenRequire")]
[HttpPost]
public ApiResult SomeMethod()
{
}

That's all, enjoy it.

Sunday, October 11, 2020

[C#] Best Practices of Get Claim from Identity

If you are using ASP.NET Identity, whatever using ASP.NET Core Identy or ASP.NET Identity, usually you will add some claims into the identity and use it later, but I saw lot people using unsafe way to get claim value from identity, it may cause uncatch error if the claim type not exists, let's see the code.
//set some claims first
var claims = new List<Claim>
{
     new Claim(ClaimTypes.Name,"test name"),
     new Claim("Token","token123"),
     new Claim("Number","3")
     //new Claim("dummy","dummy string")
};
var ci = new ClaimsIdentity(claims);

//most seen way, throw error if not exists
var name = ci.Claims.First(x => x.Type == ClaimTypes.Name).Value;
var token = ci.Claims.First(x => x.Type == "Token").Value;  
//using FirstOrDefault() only, throw error if not exists
//var dunno = ci.Claims.FirstOrDefault(x => x.Type == "dunno").Value;

Using this way is easy, but if the claim not exists, if will cause error, whatever you are using First() or FirstOrDefault(). If want to using FirstOrDefault() to get claim value, you can using this fixed way.

            //fixed FirstOrDefault way: return null if not exists
            var dunno = ci.Claims.Where(x => x.Type == "dunno").Select(x => x.Value).FirstOrDefault();
            

but you can use HasClaim method to check claim exist first, and give a proper value if it not exists.

            //safe way: using HasClaim to check
            var dummy = ci.HasClaim(x => x.Type == "dummy")
                ? ci.Claims.First(x => x.Type == "dummy").Value
                : null;
            

or you can choose this short way by using FindFirst method.

            //short way: using FindFirst
            var dummyShort = ci.FindFirst("dummy")?.Value;
            //short way for int
            int.TryParse(ci.FindFirst("Number")?.Value, out var number);
            

I think use ClaimsIdentity.FindFirst Method is the best practices for get claim value.
You can test those here in here

Tuesday, June 2, 2020

幾個關於熊的謠言

最近在網路上發現有人對於熊有些錯誤觀點,這很可能造成真正遇到熊時的人員傷亡,所以找了一下資料,想來澄清一下這些謠言/迷思。

以下資料來源翻譯自Yellowstone Bear World

謠言#1:熊的視力很差

Myth #1: Bears have bad eyesight

這確實是一個常見的錯誤認知。是的,熊確實有驚人的嗅覺,但牠的嗅覺並不是彌補視力的不足,實際上牠們具有很好的視力。

Bears actually have excellent eyesight.
熊在白天的視力與人類相同,但是到了夜晚,牠們出色的視覺才顯出了作用。

就像您家的狗或貓一樣,熊擁有出色的夜視能力。 牠們的眼睛後部有一個稱為脈絡膜層(Tapetum lucidum)的反射膜,該膜可反射光,並使光敏細胞對光進行第二次反應,從而極大地增強了他們在夜間的視力。

這就是為什麼如果您在晚上看到牠們的照片,牠們的眼睛看起來會發綠。

因此,別被騙了...那些熊可能會在您見到牠們之前先見到您! (有關資訊請參見Sylvia Dolson的《熊學 Bear-ology》)

Thursday, December 12, 2019

少女韓國瑜:環保少女 Greta Thunberg


今年Times的年度人物,是來自瑞典的環保少女Greta Thunberg,就先不說她不在投票前三名,得票不到4%是怎麼被操作選上的這種拉基事了,很多人都從媒體片面了解這個人,覺得她很環保很有知識很有行動力啥的,但其實大部分人都被騙了,她就是個少女韓國瑜而已。

Thursday, January 10, 2019

[C#] YOLO3 with OpenCvSharp4



One year ago, I writed [C#] OpenCvSharp DNN with YOLO2, since YOLO3 come out for a while and OpenCV released version 4 on Dec 2018, I think it's time to make a upgrade.

Wednesday, November 21, 2018

[C#] Swashbuckle WebAPI HTTPS BaseUrl and Bearer token

因為Swashbuckle作者跑去專心做Swashbuckle.AspNetCore了,所以在使用上遇到一些問題時要自己想辦法解,這邊紀錄一下遇到的兩個問題。


HTTPS BaseUrl Issue

因為我有用 cloudflare 的 Flexible SSL,在production環境上外面看起來是HTTPS,但Server上走的仍然是HTTP,這時候swagger的 BaseUrl 會因為 Uri Scheme 出問題,所以要來想辦法解,整理需求後,我只需要本機測試(localhost)走HTTP,其他就走HTTPS,按照這個需求來做的解法如下。

//SwaggerConfig.cs
config.EnableSwagger(c =>
{
    c.RootUrl(ResolveBasePath);
    c.Schemes(new[] { "http", "https" });
}

internal static string ResolveBasePath(HttpRequestMessage message)
{
    //fix for Cloudflare Flexible SSL and localhost test
    var scheme = message.RequestUri.Host.IndexOf("localhost") > -1 ? "http://" : "https://";
    return scheme + message.RequestUri.Authority;
}

這樣就可以兼顧正式機與本機開發都正常使用,如果透過proxy那要再另外解,我這邊就先略過。

Wednesday, October 24, 2018

[ASP.NET MVC] Remove response header | 移除回應標頭


有時候做網站會想把一些header移除,但是久久做一次都要查一下,所以決定寫這篇之後就不用查了。



目前使用的版本是MVC 5.2.4,跑在IIS 10上,上面可以看到沒設定前,response有三個header是一般來說大家會去移除的,分別是server, x-aspnet-version, x-powered-by,下面分別說一下移除方法,我是找不用動到IIS設定,改動最小的做法,但是需要改到web.config,如果權限不能碰到web.config的話要另外想辦法。

Server

移除Server header需要在 Global.asax.cs 裡面加上這段
        protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
        {
            var app = sender as HttpApplication;
            // remove Server header
            app?.Context.Response.Headers.Remove("Server");
        }
不過這樣子只能移除由程式產生檔案的header,對於靜態檔像是.js .css之類的還是會有header,所以還有另外一個地方要修改;在web.config內的system.webServer元素內,將 modules 加入runAllManagedModulesForAllRequests="true"這個設定,像是下面這樣,就可以把靜態檔的header也移掉。


X-AspNet-Version

要移除這個header要修改web.config,在httpRuntime element內加入enableVersionHeader="false",像我的情況就是下面這樣。



X-Powered-By

這header也要在web.config內修改,在system.webServer元素內加入customHeaders,像是下面這樣





最後再看看結果,上面三個header都移除了,可賀可喜,收工。

Tuesday, October 23, 2018

[C#] XML to Object / Generic | XML泛型轉換

Recently, I have to some things related to XML in the work, so I prepared some tools and wrote the method of converting XML to Object, but it is not very beautiful on using.
最近工作上需要做一些跟XML有關的東西,所以先準備些工具,一開始也沒多想就寫了將XML轉成Object的方法,但是使用上有點不漂亮。
static object XmlToObj(XDocument xml, Type objType)
{
    object obj;
    try
    {
        XmlSerializer serializer = new XmlSerializer(objType);
        using (TextReader reader = new StringReader(xml.ToString()))
        {
            obj = serializer.Deserialize(reader);
        }
    }
    catch (Exception e)
    {
        Console.WriteLine(e.Message);
        return null;
    }
    return obj;
}

Using above XmlToObj, it need to cast it first, the code isn't feel so beauty, so I decide rewrite it to generic method.
使用上面的XmlToObj,會需要做轉型才能使用,code感覺不是很美,所以我決定改寫成泛型的方式。
var result = (PurchaseOrder)XmlToObj(doc, typeof(PurchaseOrder));

Wednesday, June 6, 2018

[C#] Implement Pivot with LINQ | 用 LINQ 實現 Pivot

Here we will demo how to using LINQ implement Pivot feature in two ways, at first we need a demo data source.
這邊我們要展示如何使用LINQ實作Pivot功能,共兩個方式,首先我們需要一個示範的資料來源。

pivot_1
That table with two brand(both having two products)in four months will be use in this demo.
這個有兩個品牌(各有兩個產品)在四個月間的表格將會用在這次demo.

Friday, May 25, 2018

政府錯了,機車才是最乾淨的交通工具

[At first,這邊所謂的交通工具,定義為使用燃油(汽油、柴油)的交通工具。]

五月中時,新任總統府祕書長陳菊表示「新北市機車全台最多 汙染超過深澳電廠」,言下之意就是機車很汙染就對了。

政府每次都拿最弱勢的機車開刀早就不意外了,之前當上行政院長的賴清德「抗空汙」也是先砍機車再說,反正政府與論就是讓民眾覺得機車汙染很大,但事實真的是這樣嗎 ?

錯,在汽油車、柴油車、機車三者中,機車是最乾淨的。

平均單輛總排放來看,機車不到汽油車的二分之一,更不到柴油車的十六分之一,若只看PM2.5排放,單輛汽油車平均是機車的三倍,柴油車則是將近機車的七十八倍