How can I protect an asp.net core middleware with cookies?

Question

I would develop an ASP.NET Core web API that redirects received HTTP API after cookie authentication.

Below my Startup.cs file:

using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using MyProject.Middlewares;

namespace MyProject.Backend
{
    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie();
            services.AddTransient(typeof(ReverseProxyMiddleware));
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }
            else
            {
                app.UseHsts();
            }

            app.UseCookiePolicy();
            app.UseAuthentication();
            app.UseHttpsRedirection();
            app.UseReverseProxyMiddleware();
        }
    }
}

And below my middleware:

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using System;
using System.Threading.Tasks;

namespace MyProject.Middlewares
{
    public class ReverseProxyMiddleware : IMiddleware
    {
        [Authorize]
        public async Task InvokeAsync(HttpContext context, RequestDelegate next)
        {
            // HTTP redirection...
        }
    }
}

Actually, if I try to perform an HTTP request without cookie I obtain 200 results. How can I protect my middleware?

Thanks

APIs don't use cookie auth. You should have an endpoint to authenticate, which returns an access token, which you would then pass to each further request via the `Authorization` header. — Chris Pratt, Jul 05 '18 at 15:49
Hi Chris, I would not pass directly access token because the client is a SPA (I would not expose access_token). — ilMattion, Jul 05 '18 at 15:52
You wouldn't be exposing it, unless you wrote it directly to the page (which you should not do). Regardless, the access token would have an expiry, and you can also implement CSRF, since it's a SPA to ensure that all requests originate from a page on your site. — Chris Pratt, Jul 05 '18 at 15:56
Hi Chris, another reason that I would not send directly the access_token is that I would implement OAuth 2.0 *authorization_flow*. — ilMattion, Jul 06 '18 at 08:09
You should not apply the `AuthorizeAttribute` to any middleware, it is applicable to actions or controllers. Doc says: "Filters run within the MVC action invocation pipeline, sometimes referred to as the filter pipeline. The filter pipeline runs after MVC selects the action to execute.". And best of all -- do not implement your own auth, use existing instead. The following case looks pretty similar to what you have: https://stackoverflow.com/questions/41577389/net-core-api-conditional-authentication-attributes-for-development-production — d_f, Jul 06 '18 at 10:37
The link on the filters pipeline explanation: https://learn.microsoft.com/en-us/aspnet/core/mvc/controllers/filters?view=aspnetcore-2.1 — d_f, Jul 06 '18 at 10:39

How can I protect an asp.net core middleware with cookies?

0 Answers0