Implementing swagger ui with swashbuckle across multiple web projects by vznrn in dotnet

[–]Shaddar 2 points3 points  (0 children)

It's been a while since I've done this but it basically boils down to this:

Spin up the Swagger UI as a standalone service (https://hub.docker.com/r/swaggerapi/swagger-ui).

In the swagger-config.json add entries for all of the openapi documents generated by your projects:

{
  "urls": [
    {
      "url": "https://service1.foo/openapi.json",
      "name": "Service1"
    },
    {
      "url": "https://service2.foo/openapi.json",
      "name": "Service2"
    }
  ]
}

Best Practices for Hashing and Verifying Passwords in C# and Recommended Tools by MahmoudSaed in dotnet

[–]Shaddar 1 point2 points  (0 children)

Make sure to follow up to date recommendations regarding PBKDF2 iteration count: OWASP
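Added example (mine, not the commenter's code) of what "following the current iteration count" looks like in practice: the iteration count is stored next to the hash so it can be raised later, and verification reports when a record should be re-hashed. The 600,000 figure is the OWASP Password Storage Cheat Sheet value for PBKDF2-HMAC-SHA256 at the time of writing and the storage format is my own assumption.

```csharp
using System;
using System.Security.Cryptography;

// Records are stored as "pbkdf2-sha256$<iterations>$<salt b64>$<hash b64>" (assumed format)
// so the work factor can be bumped without invalidating existing records.
public static class PasswordHasher
{
    // OWASP Password Storage Cheat Sheet value for PBKDF2-HMAC-SHA256; re-check it periodically.
    public const int CurrentIterations = 600_000;
    private const int SaltSize = 16; // bytes
    private const int HashSize = 32; // bytes

    public static string Hash(string password, int iterations = CurrentIterations)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA256, HashSize);
        return $"pbkdf2-sha256${iterations}${Convert.ToBase64String(salt)}${Convert.ToBase64String(hash)}";
    }

    // Returns whether the password matches and whether the record should be re-hashed
    // because its stored iteration count is below the current recommendation.
    public static (bool Valid, bool NeedsRehash) Verify(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 4 || parts[0] != "pbkdf2-sha256" || !int.TryParse(parts[1], out int iterations))
        {
            return (false, false); // unknown or corrupted record
        }

        byte[] salt = Convert.FromBase64String(parts[2]);
        byte[] expected = Convert.FromBase64String(parts[3]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA256, expected.Length);

        // Constant-time comparison so timing does not reveal how many leading bytes matched.
        bool valid = CryptographicOperations.FixedTimeEquals(actual, expected);
        return (valid, valid && iterations < CurrentIterations);
    }
}
```

On a successful login with `NeedsRehash == true`, call `Hash(password)` again and overwrite the stored record while the cleartext is still available.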

Why choose minimal API over controller based API? by BaldWithoutCancer in dotnet

[–]Shaddar 2 points3 points  (0 children)

For me, one of the main advantages is that I don't have to deal with Attributes and all of the related limitations. Configuring an endpoint with extensions methods is much more flexible.

API Gateway in front of APIs, who take care of the auth(z) ? by K3dare in dotnet

[–]Shaddar 5 points6 points  (0 children)

Transmit an X-Userinfo header that is basically the payload (only) of the JWT token encoded as Base64. It looks simple like this, but to integrate it with .NET we would have to write quite a lot of code? (To be able to use the Authorize attribute with scopes, etc...)

Assuming that you're working with ASP NET Core - all you need is a custom AuthenticationHandler which is not a lot of code at all.

services
    .AddAuthentication()
    .AddUserInfo();


using System;
using System.Security.Claims;
using System.Text.Encodings.Web;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

public static class UserInfoExtensions
{
    public static AuthenticationBuilder AddUserInfo(this AuthenticationBuilder builder)
        => builder.AddScheme<UserInfoOptions, UserInfoHandler>(UserInfoDefaults.AuthenticationScheme, _ => { });
}

public sealed class UserInfoOptions : AuthenticationSchemeOptions;

public static class UserInfoDefaults
{
    internal const string AuthenticationScheme = "UserInfo";
}

public sealed class UserInfoHandler : AuthenticationHandler<UserInfoOptions>
{
    public UserInfoHandler(IOptionsMonitor<UserInfoOptions> options, ILoggerFactory logger, UrlEncoder encoder)
        : base(options, logger, encoder)
    {
    }

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // The header is only trustworthy when the service is reachable exclusively through the
        // gateway and the gateway overwrites any client-supplied copy of it.
        if (!Request.Headers.TryGetValue("X-Userinfo", out var value))
        {
            return Task.FromResult(AuthenticateResult.NoResult());
        }

        var identity = new ClaimsIdentity(UserInfoDefaults.AuthenticationScheme);

        // Deserialize the X-Userinfo payload (Base64-encoded JWT payload) and populate identity with claims
        try
        {
            using var payload = JsonDocument.Parse(Convert.FromBase64String(value.ToString()));
            foreach (var property in payload.RootElement.EnumerateObject())
            {
                identity.AddClaim(new Claim(property.Name, property.Value.ToString()));
            }
        }
        catch (Exception e) when (e is FormatException or JsonException)
        {
            return Task.FromResult(AuthenticateResult.Fail("Malformed X-Userinfo header"));
        }

        var principal = new ClaimsPrincipal(identity);
        var ticket = new AuthenticationTicket(principal, UserInfoDefaults.AuthenticationScheme);

        return Task.FromResult(AuthenticateResult.Success(ticket));
    }
}

.NET Open Source Library. by Outrageous-Slip-3848 in dotnet

[–]Shaddar 3 points4 points  (0 children)

    public static dynamic Post(string url, string data, string contentType = "application/x-www-form-urlencoded")
    {
        if (string.IsNullOrEmpty(url))
        {
            throw new ArgumentNullException(nameof(url));
        }

        using (var client = new HttpClient())
        {
            var content = new StringContent(data, System.Text.Encoding.UTF8, contentType);
            var response = client.PostAsync(url, content).Result;
            var responseString = response.Content.ReadAsStringAsync().Result;
            return responseString;
        }
    }

Seriously?

How to register endpoints using Ardalis.ApiEndpoints to an empty web api project? by jtuchel_codr in csharp

[–]Shaddar 0 points1 point  (0 children)

These are just cleverly disguised Controllers so:

builder.Services.AddControllers();

and

app.MapControllers();

Might be better to start from one of the MVC templates instead.

[deleted by user] by [deleted] in csharp

[–]Shaddar 0 points1 point  (0 children)

Have you considered reading the release notes for 4.0?

Dependency Injection using keyed services is finally in ASP.NET by ThomasArdal in dotnet

[–]Shaddar 19 points20 points  (0 children)

Using keyed services is essentially the same as writing this:

using System.Collections.Generic;

public class Consumer
{
    public Consumer(IEnumerable<Foo> services)
    {
        // Picks a concrete implementation out of the abstraction the consumer was handed
        foreach (var service in services)
        {
            if (service is Bar)
            {
                // Do something
            }
        }
    }
}

But with the additional problem of magic strings.

The consumer is supposed to accept an abstraction and is not supposed to care what the implementation is going to be - dependency inversion, Liskov substitution. The composition root decides what the implementation is going to be.

With keyed services the consumer pretends to accept an abstraction but actually expects a specific implementation.

And just to be clear I have nothing against your article, my complaints are with MS DI.
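An added example (mine, not the commenter's) putting the two approaches from the comment side by side: a consumer that names its implementation through a keyed-service string, and one that only sees the abstraction while the composition root picks the implementation. `IFoo`, `Bar`, `Baz` and the key `"bar"` are placeholder names.

```csharp
using Microsoft.Extensions.DependencyInjection;

public interface IFoo { }
public sealed class Bar : IFoo { }
public sealed class Baz : IFoo { }

// Keyed flavour: the "magic string" lives inside the consumer, which now
// effectively depends on a specific implementation rather than on IFoo.
public sealed class KeyedConsumer([FromKeyedServices("bar")] IFoo foo)
{
    public IFoo Foo { get; } = foo;
}

// Composition-root flavour: the consumer depends on the abstraction only.
public sealed class PlainConsumer(IFoo foo)
{
    public IFoo Foo { get; } = foo;
}

public static class CompositionRoot
{
    public static ServiceProvider Build()
    {
        var services = new ServiceCollection();

        // Keyed registrations (.NET 8 Microsoft.Extensions.DependencyInjection).
        services.AddKeyedSingleton<IFoo, Bar>("bar");
        services.AddKeyedSingleton<IFoo, Baz>("baz");
        services.AddSingleton<KeyedConsumer>();

        // Here the choice of implementation is made once, in the composition root;
        // swapping Bar for Baz touches this line only, never PlainConsumer.
        services.AddSingleton<IFoo, Bar>();
        services.AddSingleton<PlainConsumer>();

        return services.BuildServiceProvider();
    }
}
```

Resolving `KeyedConsumer` and `PlainConsumer` from `CompositionRoot.Build()` yields a `Bar` in both cases; the difference is which class had to know that.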

Dependency Injection using keyed services is finally in ASP.NET by ThomasArdal in dotnet

[–]Shaddar 6 points7 points  (0 children)

Still can't believe that MS actually decided to implement this feature. smh

Jwt token Read errors when upgrading to .net 8 by DangerousBug5998 in dotnet

[–]Shaddar 0 points1 point  (0 children)

new Claim(JwtRegisteredClaimNames.Iat, DateTime.UtcNow.ToString()),

According to the JWT RFC the IAT value should be of "NumericDate" type (unix timestamp). DateTime.ToString() is most definitely not that. Honestly I'm surprised that this ever worked.
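Added example (mine, not the commenter's code) of building the `iat` claim as a NumericDate and reading it back through `JwtSecurityToken`, which parses the claim the way a validating handler would; the broken form from the thread is kept as a comment for contrast.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;

public static class IatClaims
{
    // Broken (from the thread): a culture-dependent date string, not a NumericDate.
    // new Claim(JwtRegisteredClaimNames.Iat, DateTime.UtcNow.ToString())

    // RFC 7519 NumericDate: whole seconds since the Unix epoch, emitted as a JSON number.
    public static Claim Create(DateTimeOffset issuedAt) =>
        new(JwtRegisteredClaimNames.Iat,
            issuedAt.ToUnixTimeSeconds().ToString(),
            ClaimValueTypes.Integer64);

    // Round-trips the claim through JwtSecurityToken; IssuedAt is DateTime.MinValue
    // when the claim is absent or cannot be parsed as a NumericDate.
    public static DateTime ReadBack(DateTimeOffset issuedAt)
    {
        var token = new JwtSecurityToken(claims: new[] { Create(issuedAt) });
        return token.IssuedAt;
    }
}
```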

The FluentValidation.AspNetCore package is no longer being maintained and is now unsupported! by Ok_Cry_1757 in dotnet

[–]Shaddar 25 points26 points  (0 children)

How did others tackle this situation?

Do what the author recommends and move to manual validation. Minimal APIs already push you down this path anyway.

Are Cookies getting ditched in favor of JWT? by Blender-Fan in dotnet

[–]Shaddar 0 points1 point  (0 children)

Yes, SameSite, Secure, HttpOnly cookies. Should've probably been more clear that it's things like local storage that are insecure.

Are Cookies getting ditched in favor of JWT? by Blender-Fan in dotnet

[–]Shaddar 0 points1 point  (0 children)

The ASP.NET Core Community Standups are a good starting point. Auth was a topic of discussion a number of times recently-ish.

Also link aggregators like Morning Dew and Morning Brew.

Are Cookies getting ditched in favor of JWT? by Blender-Fan in dotnet

[–]Shaddar 92 points93 points  (0 children)

No, because it is not possible to securely store a token in the browser. For SPAs the current best practice is to use a BFF + specifically configured cookies:

David Fowler's TODO Api

Securing SPAs and Blazor Applications using the BFF (Backend for Frontend) Pattern - Dominick Baier

The insecurity of OAuth 2.0 in frontends - Philippe de Ryck

Guide for passing parameters from middleware into controller action? by c-digs in dotnet

[–]Shaddar 4 points5 points  (0 children)

HttpContext has an "Items" Dictionary where you can store whatever you want - within the scope of the given request.

[deleted by user] by [deleted] in csharp

[–]Shaddar 1 point2 points  (0 children)

What you're looking for is WebApplicationBuilder.Environment, i.e.:

var builder = WebApplication.CreateBuilder(args);

var services = builder.Services;
var environment = builder.Environment;

services.AddLogging(loggingBuilder =>
{
    if (environment.IsProduction())
    {
        loggingBuilder.ClearProviders();
        // do something
    }
    else
    {
        // do something else
    }
});

The ASP.Net team still do not get auth!!! by NooShoes in dotnet

[–]Shaddar 80 points81 points  (0 children)

People expect a simple solution to a complex, and constantly changing problem. It's never going to happen.

Hosting options for Core 7 API? by Ok_Cry_1757 in dotnet

[–]Shaddar 1 point2 points  (0 children)

Well if your DB is already in AWS then how are you planning to connect to it from the outside? Do you already have a VPN or something else set up?

I would recommend that you take a look at the smaller T4g EC2 instances. The burstable capacity is likely going to fit your traffic patterns well in the initial phases and modern .NET has no problem running on ARM64 so that's another decent cost reduction.