Authorization in API and Hangfire dashboard issue

[Woselko]

First of all, I would like to say great thank you for creating this template. It helps a lot for building apps.

Im creating monitoring system with rasperry pi 5.
I need to implement some background tasks and hangfire dashboard.

`

    var app = builder.Build();

    app.UseHangfireDashboard("/hangfire", new DashboardOptions
    {
        Authorization = new[] { new DashboardAuthorizationFilter() }
    });

    RecurringJob.AddOrUpdate("DataCollecting", () =>
       MainDataCollector.Instance.CollectData(), Cron.Minutely);

    RecurringJob.AddOrUpdate("VideoProcessing", () =>
       MainVideoAnalyzer.Instance.ProcessVideo(), Cron.Daily);

`

And now, I cannot find a way to implement authorization for custom class DashboardAuthorizationFilter.
In fact this is the same issue when we trying to access any API endpoint adress.

I mean that authentication comes from UI/Client projects and when I try to access eg
http://localhost:6030/api/product/GetProducts
then I got 401.

I know that in controllers we can implement:
[AutoInject] private IAuthorizationService authorizationService = default!;
but for custom classes id does not work.

I dont want to report a bug. Cause for sure it not a bug. Can you advice me any solution?

[ysmoradi]

Greetings,
In a nutshell, you have the following issues:
1- You are unable to inject IAuthorizationService in any service other that controllers? right?
2- When you call api/product/GetProducts, you receive 401, right?
3- You don't know the proper way to implement hangfire dashboard authorize filter, right?

[Woselko]

You're right. Thanks for your fast reply.

[ysmoradi]

Good, so please create a new project with latest pre-release using

dotnet new install Bit.Boilerplate::8.10.0-pre-05 && dotnet new bit-bp --name Test --database Sqlite

And push it to temporary github repository as is without any changes, after that modify code by injecting IAuthorizationService the place that is not working, add/configure hangfire and use the following approach to secure its dashboard:

https://docs.hangfire.io/en/latest/configuration/using-dashboard.html
Note that in order to get IAuthorizationService in Dashboard filter, you've to write the followings:

context.GetHttpContext().RequestServices.GetRequiredService<IAuthorizationService>();

Note that I need your changes in separated commit, so I can verify your changes easily.
Let me know when the repo is ready.

[Woselko]

here is a link to repo, and my commit: https://github.com/Woselko/AuthorizationTest/commit/d1fd51148ab818b765b2d3e0f5267ba823a94143#diff-f6b49bac3c053b5feb2daa40cfef725251937d7c170911b454308c2d3dd61af6

So to sum up, while user is logged, user should see hangfire dashboard. Well, for me it is mission impossible. If you could take a look.

Thanks in advance

[ysmoradi]

First of all, you can't register hangfire dashboard wherever you want! I'd recommend you to register it next to the swagger middleware.
Because it has to be after Authentication/Authorization middlewares.

The second issue is how to pass access_token to the dashboard? You can open dashboard using something like this:

http://localhost:5118/hangfire?access_token=....................................

You can build such a url in your web client app and bind it to the src of link, so user can click on it.
You can also store acccess_token in cookie, in order to achieve this, remove if condition from the followings:
https://github.com/Woselko/AuthorizationTest/blob/master/src/Client/Test.Client.Core/Services/AuthenticationManager.cs#L48
https://github.com/Woselko/AuthorizationTest/blob/master/src/Client/Test.Client.Core/Services/AuthenticationManager.cs#L58
https://github.com/Woselko/AuthorizationTest/blob/master/src/Client/Test.Client.Core/Services/AuthenticationManager.cs#L123

In your commit, there's no sample for using IAuthorizationService and there is no controller for Products, so I can't verify http://localhost:6030/api/product/GetProducts either.

Finally, put middlewares in Program.Middlewares.cs and register services in Program.Services.cs instead of changing Program.cs itself.

[Woselko]

@ysmoradi thank you!
removing those if statements is what I was looking for:

this is when Im logged in:

and there is no access token cookie when Im logged out.

What is more I used:
app.MapHangfireDashboardWithAuthorizationPolicy("");

Which means that user need to be logged in only. Without any role, just authenticated.
Thanks!