Access control in serverside Blazor

I like Blazor, and I like Razor and ASP stuff. I’ve been coding stuff in it for a while but I refuse to learn about their built-in authorization APIs. I come from the world of PHP where cookie/session management was always really handled manually, so I always feel more comfortable handling all this myself.

So here’s how I do my own access control without using their whole AuthorizeRouteView stuff. Here’s an example App.razor:

@using System.Reflection;

<Router AppAssembly="@typeof(Program).Assembly">
    <Found Context="routeData">

        @{
            //
            // If the page has an [AdminOnly], only let them see it if they're an admin
            //
            if (routeData.PageType.GetCustomAttributes<AdminOnlyAttribute>().Any() && !SessionInfo.IsAdmin )
            {
                <LayoutView Layout="@typeof(MainLayout)">
                    <h1>404 - not found</h1>
                    <p>Sorry, there's nothing at this address</p>
                </LayoutView>
                return;
            }

            if ( SessionInfo.IsBanned )
            {
                <LayoutView Layout="@typeof(MainLayout)">
                    <h1>Ya Banned</h1>
                    <p>Sorry, you're banned from this site. You must have done something really bad. Or was it your cousin?</p>
                </LayoutView>
                return;
            }
        }

        <RouteView RouteData="@routeData" DefaultLayout="@typeof(MainLayout)" />
  
    </Found>
    <NotFound>
        <LayoutView Layout="@typeof(MainLayout)">
            <h1>404 - not found</h1>
            <p>Sorry, there's nothing at this address.</p>
        </LayoutView>
    </NotFound>
</Router>

So in the above example SessionInfo is my custom service for managing the user session. What you can see is that routeData contains a PageType. That’s the Type of the component it’s going to load.

So you can use that type to decide whether to render the page. Like in this instance we’re checking to see if it has an [AdminOnly] attribute. If it does and the current session isn’t an admin, then it throws up a fuck off screen instead of the page.

FYI AdminOnly is a custom attribute I added, but you can see that you can put any kind of logic here. Like below I see if the user is banned, and if they are then I show another fuck off screen.
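
The AdminOnly attribute itself isn't shown above. As an added example (not the author's code), here is one way the marker attribute could be declared, with the same gate decision pulled into a function and an audit that lists every @page component and whether it is gated. RouteGate, Gate, Decide and Audit are hypothetical names, and the attribute declaration is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using Microsoft.AspNetCore.Components;

// Assumed declaration of the custom marker attribute (the post does not show it).
// Inherited = true keeps pages that derive from an admin base page gated too.
[AttributeUsage(AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
public sealed class AdminOnlyAttribute : Attribute { }

// Hypothetical result type: what the router should render for this request.
public enum Gate { Allow, NotFound, Banned }

public static class RouteGate
{
    // Same order as the App.razor above: admin check first, then the ban check.
    public static Gate Decide(Type pageType, bool isAdmin, bool isBanned)
    {
        bool adminOnly = pageType.GetCustomAttributes<AdminOnlyAttribute>(inherit: true).Any();
        if (adminOnly && !isAdmin)
            return Gate.NotFound;   // hide the page's existence from non-admins
        return isBanned ? Gate.Banned : Gate.Allow;
    }

    // Every routable component (@page compiles to [Route]) with its gate status,
    // so a page that was meant to be admin-only but lacks the attribute stands out.
    public static IEnumerable<(string Route, string Page, bool AdminOnly)> Audit(Assembly asm) =>
        from t in asm.GetTypes()
        where typeof(IComponent).IsAssignableFrom(t) && !t.IsAbstract
        from r in t.GetCustomAttributes<RouteAttribute>(inherit: false)
        orderby r.Template
        select (r.Template, t.FullName ?? t.Name,
                t.GetCustomAttributes<AdminOnlyAttribute>(inherit: true).Any());
}
```

Calling `RouteGate.Audit(typeof(Program).Assembly)` from a unit test or at startup gives a route-by-route list to review. The gate only covers what the Router renders, so a component embedded in another page or a controller endpoint still needs its own check.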

4 Comments

  1. Hmm, I never worked with Blazor for web dev before, but it looks interesting coming from a PHP standpoint. How has it been treating you?

    1. Alex says:

      I use it at work and we’ve been moving this abomination of an application written entirely in javascript/php over to it and it’s been nice. It’s definitely not a complete solution though. There are still things that are significantly easier to do in javascript/jquery than they are via blazor. 95% of things can be moved to the blazor back-end/code-behind which has been really nice.

  2. Alex says:

    php needs to die lmao

  3. MaZy says:

    Omg I recently started with asp.net core + blazor and fell in love very quickly. I had the same effect when I was switching from c++ to c#. Same feeling.

    But, yes! I have the same problem with the authorization. Actually it is really nice but I also come from php and nodejs express (my portfolio page was made with nodejs with .yaml files for my posts). So to control it “manually” it feels comfortable.
