devdeer.Libraries.Repository.EntityFrameworkCore.Authorized 13.0.0

devdeer.Libraries.Repository.EntityFrameworkCore.Authorized

Disclaimer

If you want to use this package you should be aware of some principles and practices we at DEVDEER use. So be aware that this is not backed by a public repository. The purpose here is to give out customers easy access to our logic. Nevertheless you are welcome to use this lib if it provides any advantages.

Summary

The purpose of this package is to simplify and standardize the process of performing HTTP context user detection and automated role management for an API using Azure AD and a backend using EF Core code first.

Using this package automatically leads to changes in the database structure. Again be aware that this is completely built around the standards of DEVDEER.

Usage

After you added a Nuget reference to your project you should first inherit your DbContext from SimpleAuthorizationContext instead of DbContext. This will add some additional logic to your context which is needed to work with the repository.

public class MyContext : SimpleAuthorizationContext
{
     public MyContext(DbContextOptions dbContextOptions,
        IOptions<EntityFrameworkAuthorizationOptions> authorizationOptions) : base(dbContextOptions, authorizationOptions)
     {
     }

}

You should now take care about your settings. In the appsettings.json there should be a new setting:

"EfCoreAuthorization": {
    "IsEnabled": true,
    "AutoCreateNewUsers": true,
    "AutoCreateRoleKey": "GUE",
    "UseCaching": true,
    "CacheTimeoutSeconds": 1800,
    "RequiredRoles": [
        {
            "Id": 1,
            "ParentId": null,
            "UniqueKey": "GUE",
            "DisplayLabel": "Guest"
        },
        {
            "Id": 2,
            "ParentId": 1,
            "UniqueKey": "USR",
            "DisplayLabel": "User"
        },
        {
            "Id": 3,
            "ParentId": 2,
            "UniqueKey": "ADM",
            "DisplayLabel": "Administrator"
        }
    ]
}

The code above shows kind of the default configuration. It enables the authorization using this package and ensures that users always will be automatically created whenever they "arrive" at the API as bearer tokens. For this it will use a role assignment with the key specicfied which in turn must be one of the unique keys you specified in the RequiredRoles section. The UseCaching option switches memory caching of users on using the CacheTimeoutSeconds as timeout.

The RequiredRoles section is used to define which roles should be available in the database. The ParentId allows you to create a hierarchy here. In the sample shown all admins will be members of users als which in turn are always implcitly members of the guest.

If you are using EF Core migrations using the IDesignTimeDbContextFactory pattern you need to ensure that this is passed to your context instance there as follows:

public MyContext CreateDbContext(string[] args)
{
    var options = new DbContextOptionsBuilder<MyContext>().UseSqlServer(
            "CONNECTIONSTRING",
            o =>
            {
                o.MigrationsHistoryTable("MigrationHistory", "SystemData");
                o.CommandTimeout(3600);
            })
        .Options;
    return new MyContext(
        options,
        Options.Create(
            new EntityFrameworkAuthorizationOptions
            {
                AutoCreateNewUsers = true,
                AutoCreateRoleKey = "GUE",
                RequiredRoles = new RoleModel[]
                {
                    new()
                    {
                        Id = 1,
                        UniqueKey = "GUE",
                        DisplayLabel = "Guest"
                    },
                    new()
                    {
                        Id = 2,
                        ParentId = 1,
                        UniqueKey = "USR",
                        DisplayLabel = "User"
                    },
                    new()
                    {
                        Id = 3,
                        ParentId = 2,
                        UniqueKey = "ADM",
                        DisplayLabel = "Administrator"
                    }
                },
                IsEnabled = true
            }));
}

Also make sure, that your MyContext override of OnModelCreating calls the parents method in any case:

/// <inheritdoc />
protected override void OnModelCreating(ModelBuilder modelBuilder)
{
    base.OnModelCreating(modelBuilder);
    // your code here
}

Afterwards you need to create a new migration if you are using code first:

dotnet ef migrations add "AuthorizationStructure"
dotnet ef database update

Whereever you are performing application startup is the place where you now generate 3 implementations:

public class DefaultAuthorizationMiddlewareResultHandler : BaseSimpleAuthorizationMiddlewareResultHandler<MyContext>
{
    #region constructors and destructors

    /// <inheritdoc />
    public DefaultAuthorizationMiddlewareResultHandler(
        AuthOptions authorizationOptions,
        IAuthorizedUserRepository<long, User, Role, UserRole, UserModel> repository) : base(
        authorizationOptions,
        repository)
    {
    }

    #endregion
}

public class DefaultAuthorizedUserRepository : BaseSimpleAuthorizedUserRepository<MyContext>
{
    #region constructors and destructors

    /// <inheritdoc />
    public DefaultAuthorizedUserRepository(
        IServiceProvider serviceProvider,
        MyContext dbContext,
        IMapper mapper) : base(serviceProvider, dbContext, mapper)
    {
    }

    #endregion
}

public class DefaultRolesAuthorizationHandler : BaseSimpleAuthorizationHandler<MyContext>
{
    #region constructors and destructors

    /// <inheritdoc />
    public DefaultRolesAuthorizationHandler(
        IAuthorizedUserRepository<long, User, Role, UserRole, UserModel> repository) : base(repository)
    {
    }

    #endregion
}

Now you can call the DI configuration using these types:

builder.Services
    .ConfigureAuthorizationDefaults<DefaultAuthorizationMiddlewareResultHandler, DefaultRolesAuthorizationHandler,
        DefaultAuthorizedUserRepository, MyContext>();

To test this you could add a simple controller like

[ApiController]
[Authorize]
[ApiVersion("1.0")]
[Route("api/v{version:apiVersion}/[controller]")]
public class UserController : ControllerBase
{

    public UserController(ISimpleAuthorizedUserRepository repository)
    {
        Repository = repository;
    }

    [HttpGet("Me")]
    [Authorize(Roles = "GUE")]
    public async ValueTask<ActionResult<UserModel?>> GetAsync()
    {
        var userData = await Repository.GetOrCreateUserAsync();
        return Ok(userData);
    }

    [Injected]
    private ISimpleAuthorizedUserRepository Repository { get; } = default!;
}

If you call this method in an authorized session it should automatically detect the context user and create a new entry in the default role in your database.

About DEVDEER

DEVDEER is a company from Magdeburg, Germany which is specialized in consulting, project management and development. We are very focussed on Microsoft Azure as a platform to run our products and solutions in the cloud. So all of our backend components usually runs in this environment and is developed using .NET. In the frontend area we are using react and a huge bunch of packages to build our UIs.

You can find us online: