❔ Massive issue with Authentication
So I'm trying to add server password handling, but instead of making my own handler I'm forced to implement some AuthenticationHandler for it, which I did, but now the AuthenticateResults aren't even being given to the requesting user so it's useless, and the authentication checks are being run on every endpoint instead of the ones I added [Authorize(myStuff)] to, and I have no idea what to do
Program.cs:
my Handler:
I'm a bit confused, what do you mean by "Server Key Authentication"? What is the expected behavior?
You mean like an api key?
No it's more like
The server can have a password and if a user sends the password to the server via POST request, they get a server key which allows them to use the other endpoints
The expected behavior is:
Password correct: it continues the request
Password missing: 403
Password Wrong: 401
So there are public endpoints and secured endpoints. One of the public endpoints is basically an authentication and this authentication is password-only?
Basically yes
Yes
Any reason on why you don't want to use a JWT?
And I want only certain endpoints to be affected by this which is why I use [Authorize]
What's that
oh
You're never messed with auth before?
JWT.IO - JSON Web Tokens Introduction
Learn about JSON Web Tokens, what are they, how they work, when and why you should use them.
Do you know when you login to a website and they give you an accessToken?
And also the error result of the key challenge stuff doesn't return to the user, it just leaves it blank
Yes
It is usually a JWT, this JWT contains the user's data and gives him access to protected endpoints
Closest thing I ever gotten to auth is discord auth stuff
I mean my system would work perfectly fine, the only issue is that my function is somehow invoked on all endpoints, even the ones that don't even exist
And it won't send a body to the user
You are on the right path, you made your own handler and added authentication
Did you by any chance add it as a middleware?
The only Middleware I have is a request counter
I tried to add the body manually but then it just displayed
{my Error Body}{my actual response body}
On public endpoints that require nothing
It's really weird that it's triggering for every request
But honestly if I were you I'd just use the JWT support
Should work out of the box
The only thing you'd implement is part of the JWT generation
but the thing is I'd probably have to recode a lot
Not really
Let me show you an example
could I still use some [Attribute] to declare this function to require the password?
yes you'd use [Authorize] in the controller endpoints
but wouldn't JWT be a little overkill for it?
Why would it
I dunno
as far as I know it's for validating request signatures
It validates the token the user provides to know whether it is a valid token generated by a trusted issuer or not
but you don't do any of that
There are already Microsoft libraries that do that for you "out of the box"
hm
1. You basically just add Microsoft.AspNetCore.Authentication from NuGet to your project.
2. Call AddAuthentication as follows:
You have to provide it a secret key, you should store it safely, either through dotnet secrets or a secret manager. For your specific scenario, you don't have to worry about ValidateIssuer or ValidateAudience; if you want to learn more about it, I'd just try watching a YouTube video on it or reading some material.
3. After you've done that, go to your Program.cs and register the AddAuthentication and AddAuthorization middlewares before the MapControllers.
4. Last step would be having some sort of Login endpoint where you'd call your login logic, and if the password is valid, you'd generate a JWT for that specific user, or just a JWT that gives the user access to the api. There are a variety of ways to do so, like this one for example:
And you'd return this JWT for the user to use in the headers of each request. With an Authorization: Bearer <token>
This is just to show you how you'd add JWT to your project
If you want to learn more about it and how it works and what you can do with it
I'd suggest reading about it somewhere or in the link I showed you
and searching for aspnetcore specific stuff to know the implementation details
As for why this gets triggered on every request
I have no fucking clue
You sure it triggers even on controllers that don't have the Authorize attribute?
yes
wait
1. No error on the endpoint that should have it, 2. Tested on an endpoint that doesn't require authentication and it still challenges
on the first image you also see that the API just returns nothing instead of an error
Yeah I just tested your code
I have no clue as for why it triggers for every request
does it trigger for every request for you too?
Yes
maybe it expects you to write the logic
to decide when to trigger or not
I'd honestly just use the jwt solution
ye
Stack Overflow
Custom AuthenticationHandler is called when a method has [AllowAnon...
I am trying to have my own custom authentication for my server. But it is called for every endpoint even if it has the [AllowAnonymous] attribute on the method. With my current code, I can hit my
weird behavior but designed to work like that
so what do I do about it
it's stupid that I'm being forced into using this even though my old one did just that and would've worked
```csharp
[HttpGet("generate")]
[Authorize(AuthenticationSchemes = "serverPass")]
public IActionResult generateAccount()
{
    return Ok(); // body not shown in the original message
}
```
this is how I do the stuff
that should be correct though, right?
You can validate whether the Authorize attribute is present
wdym
1 sec, I'm in a meeting
alright
So, basically, you could modify your handler to look something like this:
@fabiogaming do you call RequireAuthorization() anywhere in your program.cs? that would apply your auth on all endpoints
I don't think so
All the code related to it is the one I sent here
can you share all of the middleware pls?
we only see Building, up to Running pls
Sure
this is the only real middleware I use
I meant all of your program.cs when I said middleware
oh
I've been through that already
ye sure
Read this
good idea
I'll try it
AuthenticationHandler<T> is designed to work that way
It'll intercept any request no matter whether or not it has the Authorize attribute
I suppose it works that way to allow people to completely customize the authentication and authorization experience
@fabiogaming But honestly
Why not jwt my man
I see, sorry for not following along
I dunno, I'm not a fan of using third parties unless it's really needed and if there's no other way around
I always write everything from scratch
You gotta know when to resort to third parties or not
There isn't really a rule and it isn't bad to use third party libraries
Even though the JWT one is from aspnetcore itself
to me this is about full control
do it like me, call AddMicrosoftIdentityWebApiAuthentication() and call it a day 😄
You know that by creating an aspnetcore webapi you're already using third party libraries right?
yes
but since it's a dotnet / visual studio preset I don't really count them
well the jwt package I linked is an official one as well
but meh
this seems to work
now the last issue is that I don't receive those expected errors in the request console
You mean the AuthenticationResult.Fail?
this for example is still null
ye
I tried a BodyWriter but that went horribly wrong, as it just stacked it onto everything and was being received as a stream or smth and not a string
I'm not following
You're complaining that you ain't getting anything from the curl request?
Normally it should tell me that I'm missing the server key
Yes
do a curl -I link
Wait
or a curl -i idk which one
You're getting a 401
yes
but no body
it's supposed to return the Failure Message in the actual response body
It's not supposed to, that's what you want, but I get your point
lemme see
everything else seems to work now
Try the HandleChallengeAsync or the HandleForbiddenAsync, override those methods and use the WriteResponseAsync
how would I do that
I think I found it
System.InvalidOperationException: "StatusCode cannot be set because the response has already started."
another meeting
aight
so
Don't set the StatusCode
use the HandleChallengeAsync and the HandleForbiddenAsync
To write to the response body
they will handle the status code iirc
I removed the status code setting
(btw side question, is there a way to get all endpoints and their type? I want to make a small automatically generated documentation on the root URL)
you know that swagger does that for you right
Don't call the base. anymore
ye I just did that
it now works
check the status code
just to make sure it's correct
ye it's 200 but I'm changing it rn
it now all works
.
and congrats
yee
I remember
anyways, thanks for your help
np
Was this issue resolved? If so, run /close - otherwise I will mark this as stale and this post will be archived until there is new activity.