Auth, OAuth, Roles, Glimpse, Home Cache, Disable Session

Author: craigbartdev

.gitignore

@@ -1,6 +1,9 @@
 ## Ignore Visual Studio temporary files, build results, and
 ## files generated by popular Visual Studio add-ons.
 
+#files that I added to hide keys
+[Cc]onfig/
+
 # User-specific files
 *.suo
 *.user

Vidly3/App_Start/FilterConfig.cs

@@ -10,6 +10,8 @@ public static void RegisterGlobalFilters(GlobalFilterCollection filters)
             filters.Add(new HandleErrorAttribute());
             //to apply Authorization globally. allow anonymous where you want unauthenticated viewers
             filters.Add(new AuthorizeAttribute());
+            //prevent access by http after enabling ssl
+            filters.Add(new RequireHttpsAttribute());
         }
     }
 }

Vidly3/App_Start/Startup.Auth.cs

@@ -6,6 +6,7 @@
 using Microsoft.Owin.Security.Google;
 using Owin;
 using Vidly3.Models;
+using Vidly3.Config;
 
 namespace Vidly3
 {
@@ -54,9 +55,10 @@ public void ConfigureAuth(IAppBuilder app)
             //   consumerKey: "",
             //   consumerSecret: "");
 
-            //app.UseFacebookAuthentication(
-            //   appId: "",
-            //   appSecret: "");
+            //use Keys from 
+            app.UseFacebookAuthentication(
+               appId: Keys.appId,
+               appSecret: Keys.appSecret);
 
             //app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions()
             //{

Vidly3/Controllers/AccountController.cs

@@ -6,6 +6,7 @@
 using System.Web;
 using System.Web.Mvc;
 using Microsoft.AspNet.Identity;
+using Microsoft.AspNet.Identity.EntityFramework; //import for rolestore
 using Microsoft.AspNet.Identity.Owin;
 using Microsoft.Owin.Security;
 using Vidly3.Models;
@@ -151,10 +152,24 @@ public async Task<ActionResult> Register(RegisterViewModel model)
         {
             if (ModelState.IsValid)
             {
-                var user = new ApplicationUser { UserName = model.Email, Email = model.Email };
+                //change this to use DrivingLicense
+                var user = new ApplicationUser
+                {
+                    UserName = model.Email,
+                    Email = model.Email,
+                    DrivingLicense = model.DrivingLicense,
+                    Phone = model.Phone
+                };
                 var result = await UserManager.CreateAsync(user, model.Password);
                 if (result.Succeeded)
                 {
+                    ////next block is temp code for seeding DB. use instead of Seed method
+                    ////go to app and register afterwards to add an admin role
+                    //var roleStore = new RoleStore<IdentityRole>(new ApplicationDbContext());
+                    //var roleManager = new RoleManager<IdentityRole>(roleStore);
+                    //await roleManager.CreateAsync(new IdentityRole("CanManageMovies"));
+                    //await UserManager.AddToRoleAsync(user.Id, "CanManageMovies");
+
                     await SignInManager.SignInAsync(user, isPersistent:false, rememberBrowser:false);
 
                     // For more information on how to enable account confirmation and password reset please visit https://go.microsoft.com/fwlink/?LinkID=320771
@@ -367,7 +382,15 @@ public async Task<ActionResult> ExternalLoginConfirmation(ExternalLoginConfirmat
                 {
                     return View("ExternalLoginFailure");
                 }
-                var user = new ApplicationUser { UserName = model.Email, Email = model.Email };
+                //add license and phone fields manually
+                var user = new ApplicationUser
+                {
+                    UserName = model.Email,
+                    Email = model.Email,
+                    DrivingLicense = model.DrivingLicense,
+                    Phone = model.Phone
+                };
+
                 var result = await UserManager.CreateAsync(user);
                 if (result.Succeeded)
                 {

Vidly3/Controllers/Api/MoviesController.cs

@@ -40,6 +40,7 @@ public IHttpActionResult GetMovie(int id)
         }
 
         //POST /api/movies
+        [Authorize(Roles = RoleName.CanManageMovies)]
         [HttpPost]
         public IHttpActionResult CreateMovie(MovieDto movieDto)
         {
@@ -63,6 +64,7 @@ public IHttpActionResult CreateMovie(MovieDto movieDto)
 
         //PUT /api/movies/id
         //returns 200. Customer PUT returns 204 because it is void instead of IHttpActionResult
+        [Authorize(Roles = RoleName.CanManageMovies)]
         [HttpPut]
         public IHttpActionResult UpdateMovie(int id, MovieDto movieDto)
         {
@@ -86,6 +88,7 @@ public IHttpActionResult UpdateMovie(int id, MovieDto movieDto)
         }
 
         //DELETE /api/movies/1
+        [Authorize(Roles = RoleName.CanManageMovies)]
         [HttpDelete]
         public IHttpActionResult DeleteMovie(int id)
         {

Vidly3/Controllers/CustomersController.cs

@@ -115,6 +115,7 @@ public ViewResult Index()
             //var customers = _context.Customers.Include(c => c.MembershipType).ToList();
 
             //return View(customers);
+
             return View();
         }
 

Vidly3/Controllers/HomeController.cs

@@ -3,12 +3,21 @@
 using System.Linq;
 using System.Web;
 using System.Web.Mvc;
+using System.Web.UI;
 
 namespace Vidly3.Controllers
 {
     [AllowAnonymous]
     public class HomeController : Controller
     {
+        //disable caching for action with [OutputCache(Duration = 0, VaryByParam = "*", NoStore = true)]
+
+        //add output cache for datatime in Index view
+        //time updates every 50 seconds
+        //Set location to server because it is not specific to a user
+        //can varybyparam to store different versions of page in cache depending on parameters
+        //do not prematurely optimize with VaryByParam
+        [OutputCache(Duration = 50, Location = OutputCacheLocation.Server)] //, VaryByParam = "genre")]
         public ActionResult Index()
         {
             return View();

Vidly3/Controllers/MoviesController.cs

@@ -24,6 +24,8 @@ protected override void Dispose(bool disposing)
             _context.Dispose();
         }
 
+        //authorize with roles. added the RoleName model so no magic string
+        [Authorize(Roles = RoleName.CanManageMovies)]
         public ActionResult New()
         {
             var genres = _context.Genres.ToList();
@@ -39,6 +41,7 @@ public ActionResult New()
             return View("MovieForm", viewModel);
         }
 
+        [Authorize(Roles = RoleName.CanManageMovies)]
         public ActionResult Edit(int id)
         {
             var movie = _context.Movies.SingleOrDefault(m => m.Id == id);
@@ -111,7 +114,25 @@ public ViewResult Index()
             //var movies = _context.Movies.Include(m => m.Genre).ToList();
 
             // return View(movies);
-            return View();
+
+
+            //demonstration of memory cache on genres below
+            //only use for displaying data, not modifying it
+            //if (MemoryCache.Default["Genres"] == null)
+            //{
+            //    MemoryCache.Default["Genres"] = _context.Genres.ToList();
+            //}
+
+            //var genres = MemoryCache.Default["Genres"] as IEnumerable<Genre>;
+            //return View();
+
+
+            //after adding roles we conditionally render different views
+            //get RoleName from model
+            if (User.IsInRole(RoleName.CanManageMovies))
+                return View("Index");
+
+            return View("ReadOnlyIndex");
         }
         //GET Movies/Details/Id
         public ActionResult Details(int id)

Vidly3/GlimpseSecurityPolicy.cs

@@ -0,0 +1,32 @@
+/*
+// Uncomment this class to provide custom runtime policy for Glimpse
+
+using Glimpse.AspNet.Extensions;
+using Glimpse.Core.Extensibility;
+
+namespace Vidly3
+{
+    public class GlimpseSecurityPolicy:IRuntimePolicy
+    {
+        public RuntimePolicy Execute(IRuntimePolicyContext policyContext)
+        {
+            // You can perform a check like the one below to control Glimpse's permissions within your application.
+			// More information about RuntimePolicies can be found at http://getglimpse.com/Help/Custom-Runtime-Policy
+			// var httpContext = policyContext.GetHttpContext();
+            // if (!httpContext.User.IsInRole("Administrator"))
+			// {
+            //     return RuntimePolicy.Off;
+			// }
+
+            return RuntimePolicy.On;
+        }
+
+        public RuntimeEvent ExecuteOn
+        {
+			// The RuntimeEvent.ExecuteResource is only needed in case you create a security policy
+			// Have a look at http://blog.getglimpse.com/2013/12/09/protect-glimpse-axd-with-your-custom-runtime-policy/ for more details
+            get { return RuntimeEvent.EndRequest | RuntimeEvent.ExecuteResource; }
+        }
+    }
+}
+*/