We often use GitHub to create a compare view, and list pull requests (PRs) for releases. However, GitHub limits the number of commits you...
Documentation GitHub GitUsing our Hugo-based documentation site, we typically publish release notes once per week. My usual process includes the following: M...
Documentation Hugo ArchetypesAs someone who basically gets by when it comes to writing Javascript, I tend to look at things from a “I bet I could do this with CSS” st...
CSS SCSS Mobile UX UI/UX frontendThis is an updated post of the original here. Whether you’re new to the frontend at RIMdev or looking for more about our Frontend team...
Team RIMdev FrontendIf you’ve ever worked in Azure Data Studio, you may find tab colors very useful. They allow you to visually separate different connectio...
Documentation Azure Data StudioIf you’re not familiar with Platform UI, it’s a utility rich CSS framework we created. As we look to migrate all of our apps and static ...
UI UX CSS SassGet ready to celebrate because, as of Friday, September 18, 2020, Evan You, creator of Vue.js, announced Vue 3 is officially released. He...
vue3 frontend developmentIf you have used slots in Vue, you know that it provides a clean way to vary content that is displayed in child components. For example, ...
VueJS Slots Scoped Slots JavaScriptWe’ve been using Swagger via Swashbuckle for some time with our ASP.NET Full Framework applications. As we’re moving toward ASP.NET Core ...
asp.net coreWe’ve spotted some strange behavior before with ASP.NET Core and JSON serialization/deserialization, and I eventually made it back to try...
asp.net coreWe’ve spotted some strange behavior before with ASP.NET Core and JSON serialization/deserialization, and I eventually made it back to try...
asp.net coreAs we create CSS components in our internal framework, we typically try to use little if no JS. Our tooltips should be no different. We...
UI/UX frontend CSS Responsive DesignImagine you’re using Elasticsearch with your strongly typed C# models and nameof(MyProperty) and wondering why it doesn’t work. Turns out...
.NETI have been working as a software developer for almost three years, the most common exception or bug I made is NullReferenceException -Sy...
.NET C#Testing is an important step we can take as developers to reduce bugs in our code, but testing seems to be one of the best practices that...
Vue.js Jest TestingLast week I attended the annual user experience conference Convey UX in Seattle, where 50 UX leaders from all over the world shared their...
UI/UX frontend conference conveyux2020 conveyuxWe run a number of web applications at Ritter Insurance Marketing. Our primary datastore for these applications is MSSQL / SQL Azure. Our...
SQLWe’ve been working through upgrading our core applications from ASP.NET full framework to ASP.NET Core. Over the years we’ve assembled an...
.NETConfigurationManager has long been used by .NET Framework developers prior to .NET Core to access things like app settings and connection...
.NETTypically with ASP.NET Core 3.1 when no specific authorization requirements are set all endpoints are publicly accessible. When you’re working with an authenticated required system the burden is on the developer to remember to use [Authorize] attributes everywhere appropriate. This can lead to bugs by omission – and, could result in a serious data breach.
For a safe-by-default experience, we can require authentication when no specific instructions are set.
namespace MyWebApplication
{
public class Startup
{
private static readonly string PublicAuthorizationPolicy = "PublicPolicy";
public void ConfigureServices(IServiceCollection services)
{
services.AddRouting();
services.AddAuthentication();
services.AddAuthorization(options =>
{
options.AddPolicy(
PublicAuthorizationPolicy,
new AuthorizationPolicyBuilder()
.RequireAssertion(_ => true)
.Build());
options.FallbackPolicy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
});
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
// Allow public access for a health check
endpoints.MapHealthChecks("/_health")
.RequireAuthorization(PublicAuthorizationPolicy);
// Everything that doesn't explicitly allow
// anonymous users requires authentication.
endpoints.MapControllers();
});
}
}
}
At least one assertion is required when configuring an auth policy. We can satisfy this requirement while enabling public access via RequireAssertion(_ => true) – always allow everyone.
Safe-by-default authentication and authorization is a good strategy, especially when the consequences for making a mistake are severe. We can make ASP.NET Core 3.1 safe-by-default by authenticating all requests by default, while still maintaining a way to create public endpoints as needed. With public endpoints explicitly defined mistakes can’t be made by forgetting to do something.
