Blazor–Using Basic authentication

For an internal application I’m building I needed to use Basic authentication.

Remark: In case you forgot, Basic Authentication transmits credentials like user ID/password as a base64 encoded string in the Authorization header. This is of course not the most secure way as any man-in-the-middle can capture and read this header data.

If you look around on the Internet, a typical example on how to this in .NET looks like this:

We create a HttpClientHandler, set the Credentials and pass it to our HttpClient as a parameter.

Of course it is even better to not create an HttpClient instance yourself but instead use the HttpClientFactory to create a Named or Typed HttpClient.

But if you try to use the code above in a Blazor application, you’ll end up with the following runtime error:

System.PlatformNotSupportedException: Property Credentials is not supported.

As the HttpClient implementation for Blazor stays as close as possible to the fetch api the browser, you’ll need to take a different approach and set the authorization header directly:

.NET 6 - The ArgumentNullException helper class

.NET 6 introduces a new helper class that uses the new [CallerArgumentExpression] attribute and the [DoesNotReturn] attribute; the ArgumentNullException helper class.

This class gives you an easy-to-use helper class that throws an ArgumentNullException for null values.

Thanks to the [CallerArgumentExpression] attribute this helper method gives you better error messages as it can capture the expressions passed to a method.

This is the implementation of this helper class:

Before C# 10, you probably would have used the nameof keyword and implemented this helper class like this:

.NET Conf 2021 - Sessions, slides and demos are online

In case you missed .NET Conf 2021, no worries, all sessions are recorded and available on the .NET YouTube channel or the new Microsoft Docs events hub. With over 80 sessions, you will know what to do during the Christmas Holidays. Slidedecks and demos can be found on the .NET Conf 2021 GitHub page. Have fun!

 

.NET Core–The case of the disappearing authorization header

While building an internal (Blazor) application, I stumbled over some CORS issues. As this was an internal application, I decided to be lazy and just disable CORS on my request:

In the example above I’m using the  SetBrowserRequestMode() to disable the CORS preflight check.

Afther doing that the CORS issue was gone, unfortunately my application still didn’t work because now I got a 401 response back?!

I was quite confident that the provided username/password combination was correct. So what is going on?

I monitored my request using the browser developer tools and I noticed that the authorization header was missing:

What was going on?

The MDN documentation brought me the answer when I had a look at the request mode documentation specifically for ‘no-cors’:

no-cors — Prevents the method from being anything other than HEAD, GET or POST, and the headers from being anything other than simple headers. If any ServiceWorkers intercept these requests, they may not add or override any headers except for those that are simple headers. In addition, JavaScript may not access any properties of the resulting Response. This ensures that ServiceWorkers do not affect the semantics of the Web and prevents security and privacy issues arising from leaking data across domains.

So this explains why the authorization header is removed before sending the request.

Another reason why being lazy as a developer is not always a good idea. So I went back to my application and enabled CORS on the API I was calling…

Keep your project dependencies up to date with dotnet outdated

From the documentation:

When using Visual Studio, it is easy to find out whether newer versions of the NuGet packages used by your project are available, by using the NuGet Package Manager. However, the .NET Core command-line tools do not provide a built-in way for you to report on outdated NuGet packages.

dotnet-outdated is a .NET Core Global tool that allows you to quickly report on any outdated NuGet packages in your .NET Core and .NET Standard projects.

This is a great way to keep your applications up-to-date and can easily be integrated as part of your DevOps processes.

Install dotnet-outdated as a global tool:

dotnet tool install --global dotnet-outdated-tool

Now you can invoke it from your project or solution folder:

dotnet outdated

This is how the output looks like for one of my projects:

The colors make it very clear. Here is the related legend:

You can automatically upgrade packages by passing the ‘-u’ parameter:

dotnet outdated -u

GraphQL HotChocolate 12 - Updated Application Insights monitoring

It seems that with every release of HotChocolate, I can write a follow up post. With the release of HotChocolate 11, I wrote a blog post on how to integrate it with Application Insights.

With the HotChocolate 12, there was again a small update in the available interfaces and API’s.

Let’s check the changes we have to make…

• First of all, our diagnostic class should no longer inherit from DiagnosticEventListener but from ExecutionDiagnosticEventListener.

• The signature of the ExecuteRequest method has changed as well. Instead of returning an IActivityScope it should return an IDisposable:

• This also means that our RequestScope no longer needs to implement the IActivityScope interface but only needs to implement IDisposable:

Here is the full example:

C# 10–Change an existing project to file scoped namespaces

C# 10 introduces file scoped namespaces. This allows you to remove the ‘{}’ when your source file only has one namespace(like most files typically have).

So instead of writing:

you can now write:

To apply this for an existing project written in C# 9 or lower, you can do this in one go.

Therefore set the language version of your project to C# 10:

Now we need to update our .editorconfig file and add the following line:

After doing that Visual Studio will help us out and we can use “Fix all occurences in Solution” to apply it in one go: