List of Posts
This is the complete list of categories of posts written during Aug 2022. They have been ordered by the publish date, with the most recent first.
- Published: 02-Aug-2022Social media based authentication requires us to create an oauth app on a social media platform such as google, facebook, twitter, github. This app provides us a client id and a client secret key for use in various classes that provide social media integration. In this tutorial we have a walkthrough for creating an oauth app on the google cloud console. Steps for other social media are similar - so you can take them as an exercise.
- Published: 03-Aug-2022Social media based login provides a neat and user-friendly means of logging into your website. Users are more likely to trust this method because of the level of security provided by various social media platforms. It helps us simplify the sign-in process by delegating many complexities to social media platforms. In this tutorial we present a project that requires a user to login with his google account. Once he logs in, then he is shown his email-id, name and profile picture. We also explain persistence of cookie, i.e., how the user can be remembered, and also the signout scheme.
- Published: 05-Aug-2022WebApi can be protected through social media authentication also. The first step is to obtain a client id and a client secret by creating an app on a social media platform. Then these values are used to configure authentication services for that platform. In this tutorial we present the sequence of steps required to gain authorization to a web api protected by google authentication.
- Published: 11-Aug-2022We shall run two ASPNET Core apps concurrently - the first exposes a web API, whereas the other shows a web page containing two links - the first of these links causes a direct call to the web API, and the second fires an ajax based call through javascript. A direct call is not a cross-origin (CORS) call because its destination is visible in the browser, but a call that occurs through an invocation of XMLHttpRequest or fetch API is a cross-origin (CORS) call. We shall verify that a click on the first link succeeds, but the second link fails because a browser blocks cross-origin calls.
- Published: 12-Aug-2022In the previous tutorial, we demonstrated how a browser blocks cross-origin calls. So you must surely be wondering why cross-origin requests to CDN-hosted CSS files and fonts succeed. What's behind that success? Why do browsers permit some requests and block others? In this tutorial, we examine the reasons behind this. It will help us allow cross-origin requests in our ASPNET Core apps!
- Published: 16-Aug-2022An ASPNET Core application can permit cross-origin requests by adding "Access-Control-Allow-Origin" header to the HTTP response. Cross-origin requests are not allowed by default; they must be allowed explicitly. One way of doing it is by defining a suitable policy in the application pipeline. In this tutorial, we learn the steps required for this. We shall also learn how to define multiple policies so that each end-point can serve requests to its own set of origins.
- Published: 18-Aug-2022Static files are NOT accessible cross-origin if we call UseStaticFiles before UseCors. But if we reverse the order, every static file becomes accessible to permitted origins. So we have an all-or-none type of situation. CORS can either be disabled for every static file or disabled for none. This tutorial explains how to enable CORS for just a small subset of files, as done by the various CDN networks.
- Published: 21-Aug-2022Browsers consider some cross-origin requests as unsafe. For example, an HTTP PUT request is considered unsafe. A browser first queries the server if it accepts that type of verb or request or headers by sending an HTTP OPTIONS request, which is called a preflight request. In this tutorial, we learn some concepts regarding preflight requests.
- Published: 22-Aug-2022In this tutorial, we learn how to set a CORS policy that will respond to a pre-flight OPTIONS request. This policy will specify the list of acceptable request headers, a list of acceptable HTTP methods and a duration value for the Access-Control-Max-Age header.
- Published: 24-Aug-2022By default, a browser doesn't send authentication cookies with cross-origin requests. It sends cookies only if the javascript code sets a property called "credentials" to true or "include." But that's not the whole story. The server-side code must also set an "AllowCredentials" cross-origin policy so that it can respond with a header called "Access-Control-Allow-Credentials." If the browser doesn't receive this header, it logs a cross-origin failure even if the origin is white-listed on the server. Thus, it is a matter of writing the javascript code correctly, and configuring the cross-origin policy that signals the browser that cross-origin cookies are allowed. This polocy will not work if wild-cards are used in the "WithOrigins" function, or "AllowAnyOrigin" function has been used.
- Published: 25-Aug-2022In this tutorial, we have two applications - the first is an ASPNET Core application that implements a CORS policy to accept cookies from the second application. The second application makes a javascript request to the first application and sends a cookie. The first application then reads the cookie and echoes back the contents of that cookie, which are presented by the browser through a javascript alert box. The source code of both the projects is provided in the attached downloads.
- Published: 31-Aug-2022If a function consists of only one statement or expression, then the braces and the return keyword could be redundant. Thus, we can simplify such functions by removing the braces and the return keyword. The result is that the overall look of the function becomes simplified, and it becomes easier to read. Functions, properties, operators, and indexers that use this syntax are called expression-bodied members.