Authentication in OnPrepareResponse #181
Comments
OnPrepareResponse is not a good place to perform authorization. This event only lets you tweak the response before sending it; you cannot prevent the response (except by throwing). Issue tracking this feature: #70. The best way to handle this right now is to move to an MVC controller that matches your path, checks Authorization, and sends the file. @blowdart do you have a ready example for this?
Closing, dup of #70
Nope, it'd just be returning a FileStreamResult with the appropriate mime type though.
Is it a bad idea to just check if the identity cookie is set? Like
You can't do authorization here, the file is still sent, just with a 401 status code.
And that doesn't check anything except that a cookie, any cookie, has the right name. You can't do what you want using the static files middleware.
Honestly this isn't what static files is meant for. I wouldn't try to push auth into it, you're venturing far into unsupported territory and doing that when you want security is a bad idea, and will make kittens cry.
I'll write a proper Authorized MVC Controller sample for static files when I get a chance.
It will be easier to emulate the static file middleware features in MVC after aspnet/Mvc#6150
@Tratcher Do you have an example of this?
@lumogox no, I should do that... Filed aspnet/AuthSamples#28.
@Tratcher Great! Let me know if you have a quick example that I can look at. Thanks!
I'm sorry I ever recommended using MVC for this, it is not a good fit. See dotnet/aspnetcore#2457 (comment) for discussion and an alternate sample using middleware and pipeline branching.
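The approach the last comment points to (pipeline branching with an authentication check placed ahead of the static file middleware), written out as an added example; it is not code from this thread or from the linked sample. The `/private` request path, the `PrivateFiles` directory and the cookie scheme are assumptions.

```csharp
using System.IO;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.FileProviders;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Assumption: cookie authentication. Any scheme that fills HttpContext.User works.
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
                .AddCookie();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        // Runs first so HttpContext.User is populated before any file is served.
        app.UseAuthentication();

        // Public files from wwwroot, no authentication required.
        app.UseStaticFiles();

        // Assumption: protected files live outside wwwroot, in <content root>/PrivateFiles,
        // so the public static file middleware above can never reach them.
        app.Map("/private", branch =>
        {
            branch.Use(async (context, next) =>
            {
                if (context.User?.Identity?.IsAuthenticated != true)
                {
                    // Short-circuit: the static file middleware below never runs,
                    // so no file body is written alongside the challenge.
                    await context.ChallengeAsync();
                    return;
                }
                await next();
            });

            // Inside Map, "/private" has been moved to PathBase, so
            // /private/report.pdf resolves to PrivateFiles/report.pdf.
            branch.UseStaticFiles(new StaticFileOptions
            {
                FileProvider = new PhysicalFileProvider(
                    Path.Combine(env.ContentRootPath, "PrivateFiles"))
            });
        });
    }
}
```

Unlike a check in `OnPrepareResponse`, the check here runs before the static file middleware is invoked, so an unauthenticated request is rejected without the file being sent.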
Hi,
I want some of my static files only accessible when I'm authenticated/logged in. Unfortunately, the user's identity inside the HttpContext of the StaticFileResponseContext isn't filled. Is there a way to enable the authentication?