ASP.NET MVC RavenDB Save User - asp.net-mvc

I know how to save documents to the RavenDB but i'm trying to look in to how I can save a User object:
public class User
{
public string Username {get;set;}
public string Password {get;set;}
public string Email {get;set;}
}
Sure, I can save an object of User but, what about Password encryption? And is there a "proper" or a different way of saving a User object? Saving and Retrieving a User object is my whole goal.
Any help is highly appreciated.

Password encryption you'd have to implement yourself. See an example here:
https://github.com/synhershko/NSemble/blob/master/NSemble.Web/Modules/Welcome/WelcomeModule.cs
https://github.com/synhershko/NSemble/blob/master/NSemble.Core/Nancy/NSembleUserAuthentication.cs
The User object is not different than any other object in your system.

Related

Secure read only and disabled HTML helpers

I have to secure my HTML helpers like textboxfor in MVC in a way if user inspects or f12 and change the value I should take the original value or prompt with an error. Is there any way to achieve it except disabling f12 or inspect option through some jquery and keep my value in some storage in the controller level and get again after posting.
I understand these ways around but I want to secure Html Helpers at the Razor level maybe through some custom HTML helper? please suggest .
example:
<div class="form-group">
#Html.TextBoxFor(x => x.PersonNameAr, new { #class = "form-control", #readyonly="readyonly"}) OR
#Html.TextBoxFor(x => x.PersonNameAr, new { #class = "form-control", #disabled="disabled"})
As a developer who wants to make a secure website, you have to pay attention to some details:
If there is something that user is not eligible to see, even if it's in cookie, session, or hidden input, so don't leak it to them.
You can't prevent user to access it's own computer abilities. Google chrome or any other softwares that installed in user's computer is not what you should be able to access it and change it's properties without official permission from user, if you do it, you've hacked users software.
If there is some data that is important to you, and you have to access it from your front-end, and user is not eligible to access it, you have to save it somewhere that user does not have access to it; somewhere like your database table. But HTML tags, cookies, sessionStorage, localStorage,... . These are not good places to save important data, these are the best place to save weak data that not affect your site's functionality.
there is a endless list of attentions to say, but for now that's enough.
If you want to prevent user from overposting data there are multiple ways to do so:
Bind Attribute. You can use Bind attribute in your controller's action to include or exclude some kind of data that user can't pass to your action as model properties.
imagine you have User model as below:
public class User
{
public int UserId { get; set; }
public string UserName { get; set; }
public string FirstName { get; set; }
public string LastName { get; set; }
public bool IsActive { get; set; }
}
and this is your Edit action:
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Edit(User user)
{
//save expense to database
}
And you don't want user to be able to change IsActive property.
if you leave your action like above, any clever user can add extra property to the form and post it to action. But using Bind method like below you can prevent this kind of attack:
public ActionResult Edit([Bind(Include = "UserName", Exclude = "IsActive")]User user)
{
}
You can use ViewModel. Using ViewModel for each view helps you keep things simple and don't loose a point even if you accidentally forgot to use Bind attribute. In this case you can request or retrieve specific properties, and not even prevent attacks, but saving some memory.
Server side checking. In the post methods you can check your input explicitly to make sure user input does not damage your program.

Extend ASP .NET Identity with custom List<property> and access it in the View

I am using ASP NET Identity 2.0. I need to extend the identity model with an ApplicationOrganization class (many-to-many with ApplicationUser).
So I created new class, ApplicationOrganization with;
public virtual ICollection<ApplicationUser> Users { get; set; }
public virtual ICollection<ApplicationOrganization> Organizations { get; set;}
to ApplicationUser class to create a many-to-many relationship.
I would like to add some combo (html select tag) with available organizations into _Layout.cshtml View. That's a problem for me. In the View I can accces current UserName, UserId or any other string property using Claims. But I don't know how to acces List of ApplicationOrganization connected to User in the View. I would like to avoid creating some new login Session. And I don't want to hit database in every view call.
No answer. Ok, one way I know now is I can serialize list as a string (xml, json or whatever) and store it as Identity claim. When I need it I can parse it back.

User profile image asp.net mvc identity

I'm creating a web application using MVC 5 and Identity. I have so far created a registration system, but I would like to allow users to upload a profile when they register.
I was wondering if it is possible to implement profile pictures with asp.net identity?
Yes. Assuming you're using the default Entity Framework implementation, you can extend the ApplicationUser in a file called Models/IdentityModels.cs.
You can store the image in the database or elsewhere on the file system.
One way to store it in the database is using a byte array in the model (which I believe maps to varbinary(max))...
public class ApplicationUser : IdentityUser
{
public byte[] Image { get; set; }
}
Details on how to save upload an image and save in the database via EF can be found here...
Entity Framework 5 Code first adding an image
Or you can simply save the uploaded file to the file system or to blob storage, then store the path or URL to the image...
public class ApplicationUser : IdentityUser
{
public string ImagePath { get; set; }
}
Best thing todo is to create a second table (or add a column to the current table), add a file upload feature to the registration form. When registration is successful add the picture to the db with EntityFramework. Create a page to return the picture by the userid so you can include it in a page somewhere.
Something like this http://blogs.msdn.com/b/webdev/archive/2013/10/16/customizing-profile-information-in-asp-net-identity-in-vs-2013-templates.aspx but with a profile picture

How to save claims used in a MVC site using Thinktecture IdentityModel

I am working on a MVC web site with Claims Authentication and also using Thinktecture IdentityModel.
Each user has a set of CLAIMS: City, Username, Email, Roles, Birthdate.
I have 3 tables in the database: USERS, USERS_PROFILES and USERS_CLAIMS.
USERS contains the columns Username and Email;
USERS_PROFILES contains the columns City and Birthdate.
I am saving these values in these tables ... And I save the Roles in the USERS_CLAIMS table.
When I load a user I fill the ClaimsIdentity with the data from these tables.
THE QUESTION IS:
When I create a user should I, for example, save the email both in USERS table and in USERS_CLAIMS table?
It seems data replication but I am not sure ... Or should I save in only one of them?
What is your approach to this? And what kind of claims, beside roles, do you have that don't fit in a USERS or USERS_PROFILE table?
Thank You,
Miguel
As you're using MVC (Model View Controller), why don't you use Models ?
Your ClaimsIdentity is a model, just create a ClaimsIdentityModel.cs in your Model folder, and use it like this :
public class ClaimsIdentityModel
{
public string Username { get; set; }
public string Email { get; set; }
public string City { get; set; }
public Datetime Birthdate{ get; set; }
}
Then, when you load your user, just fill a ClaimsIdentityModel. And you're done.
As name of each table suggest, the values shall represent those only.
Users are identified as by usernames. Email is one of the claim done by the User.
Roles are also claims, so as City.
If you are creating profile table and adding city in profile, it shall be avoided to add it in Claims table. But you need to handle requirement of City as claim by queries Profile table and providing value as claim as needed.
ClaimsIdentity is System.Security.Principal.GenericIdentity type that is used to identify the user in claim based approach.
(Making Model will be helpful in the View)

Remote attribute in asp.net mvc – in some situations restricts our model

I’ve got an unexpected situation when using Remote Attribute in ASP.NET MVC3.
The model type I used:
using System;
using System.Web.Mvc;
using System.ComponentModel.DataAnnotations;
namespace dTweets.Models
{
// at first time, user should create his account with unique username
// as in twitter.com, user do
public class UserMetadata
{
[HiddenInput]
internal int Identity { get; set; }
[Remote("IsUserExist", "Account")] // at any HttpPost, username should
// be unique – not appropriate if
// updating/editing this model later
[Required(ErrorMessage = "username should be unique")]
public string UserName { get; set; } // user cannot change it, later
[DataType(DataType.Password)]
public string Password { get; set; } // user can also change password, later
[DataType(DataType.MultilineText)]
public string About { get; set; } // Optional field – user can edit it later
}
[MetadataType(typeof(UserMetadata))]
[Bind(Include="UserName, Password, About")]
public partial class User
{
}
}
Remote attribute validates user unique name at account creation time. But when later user wants to update/change his account, Remote attribute did not allow to update model if keeping user unique name the same one.
This is not appropriate result because rarely user changes their unique user name. They just change other fields like About field or password etc.
[Note: at account creation time, I want to check user unique name so I used Remote attribute here, but at later time when updating user account I no longer need Remote attribute]
I must remove Remote attribute for updating this model later.
I want to update/change this model without changing user unique name (remote attribute is applied to this unique name).
one way to do this is to send ID value of this record in AdditionalFields named parameter like
[Remote("IsUserExist", "Account",AdditionalFields = "Identity")]
and then you can check for uniqueness across all rows except the ones that belong to current user. and don't forget to change signature of IsUserEsists action result to receive Identity like
public ActionResutl IsUserExists(string UserName, int Identity)
{
}
Can't you just change server side validation method to something like:
public ActionResult IsUserExists(string userName)
{
if (!UserService.UserNameExists(userName) || (CurrentUser.UserName == userName))
{
return "Yeah. Is it valid.";
}
}
You have current user, because he is logged in. As long as user can only edit his data, this will work.
This is one place where buddy metadata falls short.
Edit/Add scenarios require their own view models. One size fits all scenario validation attributes only work in very trivial business CRUD apps. Add and Edit actions happen in totally different contexts and are only transiently related. This concept is very similar to the DDD bounded context idea.

Resources