ASP.Net Core: 04 - User Login Create Manage ASP.Net Core

So in this video we're gonna start the actual Fasetto Word server application, so the actual website that'll, you know, handle everything for our main programs. In the last video we did, I'll just jump to it, the Entity Framework basics, so we're pretty much gonna clone this repository, rename it and then use that as our base. So I literally copy this from the YouTube repository, chuck it into the Fasetto Word folder. We've got the source now, we've got Fasetto.Word, so we can chuck it in here. This will be Fasetto.Word.Server, or, hmm, Fasetto.Word.Web.Server. So we copy that name, delete all the template files, and we'll just literally open these first to make sure there's nothing residual in there that we want to change. The Entity Framework one will change to Fasetto Word; we'll leave them for now, it's just ourselves, I can change it in the future. Alright, the Windows account, pretty sure that's fine as is. Yep. I'll rename the project to the same thing, the solution will move up to top level, rename this to that, we'll edit the solution with Visual Studio Code, and then it will be in this folder and that project name. Then there's the default namespace, which I believe it picks up from, so that should be all we need for the cloning of this. I'll leave everything else; we can do it once we open the project. So let's just open this solution now, and it should close that one down, it should open Visual Studio, and we have basically the place we left off after the last video, but with Fasetto.Word.Web.Server as the namespace and project name, ready to start padding out this application. So I'll just right-click and go to Properties here; see, the default namespace was picked up by that change. .NET 2.0, which is what we want; the build is all standard, that's fine; all that's okay. Profile: test is just the name of the profile we gave it in the launch settings, so we could call this Fasetto, I just like to be explicit on what it does. Then we'll go port 5000,
that's fine, that's all the settings, okay. The routes: got nothing in the controller, there's a base home controller. Quickly change the one bit that was wrong; we'll change anywhere we find that with the new namespace, Fasetto.Word.Web.Server, and just replace all the namespaces. And then we could do a quick search for EntityFrameworkBasics to see if there's any remnants still in there. So that should be all the namespaces updated. We have the context, the constructor, the sample bit here which we can leave in for the moment till we get a feel grounded with Entity Framework. Controller: Ctrl+. to remove any unused namespaces, keep things clean. IoC container, it's fine, and the service provider. The home page is fine. appsettings we've looked at, that's fine for now. Program's done, and Startup. So we've got a clean application. Let's now just make sure this runs first; it should also create a database. So we open SQL Management Studio and we'll connect to this machine when this spins up, and when we hit the home page we should see... yeah, get rid of test, that shouldn't be the name of a database; that was the old one, EntityFramework would have been the old one. So now it's spun up it should have been created in the database, so when we've finished, press F5 on there and you can see now we have Fasetto Word, so we know we've got that database and we've got the settings. So that's good for now. What we've really done there is cloned the last project, but we've cleaned it all up and named it what we want. Now before I forget again, let me just turn the presenter mode on to make this font bigger for you guys. There we go. So the first step to basically getting users added to this website, so that you can sign up, if you will, create users, manage users: luckily this is something where we can use the built-in ASP.NET Core services, if you will. So they handle all of the HTTP context, the cookies in the web browser, they give
you the ability to hash passwords, verify them, lock accounts, two-factor authentication; it's all done, but it's all open source so you can see it. I also recommend, when we're doing something like this and making use of an existing thing, even when it's .NET Core itself, written by Microsoft, and that code is one of the cleanest of anybody's, to still understand at least what you're doing. So don't just go and dump commands in and not understand, because it does quite a bit, and there's a lot of code that we don't need to do because they have done it, you know, God knows how long ago, and it's maintained and open source so any issues get found. But as we step through this I'll basically break it down and show you the source code of what's happening. So we understand what the DbContext does now: it's basically like a database, and then each of these DbSets is like a table, and then the models inside the sets are like the columns, the information about the tables, the rows and the types and things. Also, typically try and keep one database context for your application, because that's like the database; you don't want two databases for most applications. So the first step to start including the... it's called Identity, which is the thing that handles users, is to tweak this DbContext from a standard DbContext into an IdentityDbContext. I have to stop the web server to be able to type that. So it's an IdentityDbContext, Ctrl+. to bring up the IntelliSense and include the namespace, and then it needs to know the type of user. Obviously the user is a row in the database and it needs to know information, because everybody's applications are different: users might have emails and locations or specific things to your application. For now we have just our basic user. So again we'll split this up as it grows into correct projects and things; for now I'll just chuck this in the Data folder and then we'll organize this
project as it grows. So in here we'll just do a class, I'll just call this ApplicationUser, get rid of the extra namespace, get rid of all that, and then this will inherit IdentityUser; Ctrl+. and include the namespace. "The user profile for our application: the user data and profile." So all we're doing is literally making an instance of, you know, inheriting from IdentityUser. We're doing nothing special right now, which we could do by simply adding information in here, but this just gives us the ability to actually expand upon IdentityUser. This is our custom class, and that is the type of user in this Identity, and that's the IdentityDbContext now. So now this IdentityDbContext will give the ability to add ASP.NET roles, users, all the information about that that's needed to manage sign-in data, two-factor authentication; it's all baked into this now. By doing this and telling it this is the type of user, it will create a bunch of DbSets for us, which you can see by F12 in IdentityDbContext, and even further in, and then you can see here now it will create these DbSets: you'll now have database tables with the users, roles, user roles, role claims, and they've got some attributes here that configure these with a specific table name, so they won't come out exactly as that name; they'll come out like AspNetUserRoles. But here you can see it's basically adding database tables for that, and then the rest of all these goings-on in the DbContext add the ability to manage that and do that, and again it's something we don't have to actually make. So by inheriting IdentityDbContext we're adding those database tables. So we do that step. In theory, if we build this, delete this database, and presuming this builds successfully, which I'm pretty sure it should, I'll just run the application, and then when that spins up it should still create the database and we should see those new tables even though there's nothing
in the database; it will have been initialized with those. I'll probably turn this on to dark so it's not harsh on the eyes. Right, so that's now created. If we refresh the databases and we go in, this time you can see here all the roles I was mentioning, all the database tables. You can go ahead and inspect them; this is now what Identity has created for us. So this is like the users, the part of our application we usually made, and these are all the defaults: normalized emails, usernames, the email and username itself, confirmation, two-factor authentication, phone; these are all baked in as defaults. Roles are when you start giving users specific permissions or, like, grouping them; some people might be admins, others might be developers; the roles are good for that. These are all the logins, so they're kept in the database based on, you know, where they're coming from, which login provider, so our own application or two-factor authentication from Google, things like that. Claims we won't go into right now; it's basically similar to roles in terms of, you know, what you need them for; it's all about grouping the users together. And then user tokens we have as well. So we'll start making use of these, but you can see straight away the implication of changing it to IdentityDbContext: it sets up the database with Identity, sets it up with something ready for the built-in Identity services we're going to be using. To make use of them it needs to be an IdentityDbContext to have those correct tables. So we've done that little step. So now we want to start configuring and using this, so we jump back into our main code here. We have the DbContext already, which adds the ApplicationDbContext as a basic, you know, as a context itself, nothing special about that, we still leave that in there, and it configures it to use SQL. So in addition to that, part of the Identity setup and process, as I mentioned, is when you're on the website and you log in, you need the ability to, when you refresh the page, not have to log in
again. So part of what we do, or part of what ASP.NET does for us, is handle, you know, when a user logs in, creating a website cookie and keeping that cookie alive for a set period of time, and that will contain a special key that'll appear in the database as a login. So if we were to now do services.AddIdentity, then again it's expecting a type of identity, so that identity will be the ApplicationUser, and the role; we don't have any specific role. IntelliSense is bugging me at the minute, well, that's why I show you guys the IntelliSense; let me just try IdentityRole, see that, it'll stop complaining now, so you see we get IntelliSense back. So similar to that, we've got the user, and the user also has roles, and even though we don't have any roles we could create specific roles now and then, you know, implement certain ones, but we're using the default IdentityRole because we're not making use of it. So we're telling this code to add Identity, which you'll see what it does in a minute, under this ApplicationUser type, because that's the one we use in here, and just the default IdentityRole baked into the framework. So we'll make notes of all this. So AddIdentity adds cookie-based authentication, as I mentioned. It also, and I'll give you a link to this so you can see it, adds scoped classes for things like UserManager, which we'll use to create users, delete users, you know, literally manage users; the SignInManager, which as you'd expect is for signing in; things like password hashers to generate hashes of passwords and then verify them, and so on. So I'll make that note there about that fact, we'll also then provide a link, and we'll go and look at this now in source code. One more note on this, actually, is that basically once you sign in there's a cookie. Whenever you refresh a web page, cookies based on that website are always sent with the request by the browser; that's just the natural way websites work. There's a cookie, which
is just a text file on the user's machine storing information, that the browser can create when you sign in to a site; it will create that cookie, which is just a text file with some info in, and it just gets sent as part of, almost like a header if you will, the web request; it comes in as an actual cookie. So information can be passed back and forward automatically. So that cookie basically gets read by this setup here: the AddIdentity will then automatically read the cookie from every request when it comes in, before it hits our controllers. So before you ever get to, say, this page, there's these things that go on before you ever build up to a controller action, and one of those from doing this is something that then reads the cookie, decrypts it, sees if that key is in the AspNetLogins list, to basically see if we have a valid login already, and if it is then it automatically adds the validated user from the cookie to HttpContext.User, which we'll access in, like, a controller here. So you could say HttpContext.User and then Identity, and then you've got access to at least your username from the identity; then you can use the UserManager to get information from that. So this automatically adds that; once you've signed in and you come back, in your controllers this would always already be prefilled with a pre-validated user; that does all the work for you, so you can literally just check HttpContext.User for that information. So we will give a link to that. So we go to this first page, this is just the source code of ASP.NET Identity, and then IdentityServiceCollectionExtensions, and in here we should see AddIdentity, which just calls the inner one, and if we keep scrolling down you'll get to, like, line 59 here, and you see this is effectively what it does. So this is the whole thing, and if we take a look at what this is actually doing: one, it's AddAuthentication, because there's multiple ways your
website can authenticate, and all it's doing here for us is adding all the default ones. If you were to say the default, it's adding cookie authentication; a security stamp validator, which we'll talk about near the end of the video; setting up the path to redirect to when people aren't authorized, which we can also override and we will do; setting the time that the cookie expires, so how long the user has to sit on this page without refreshing the page before they get signed out, which again we'll play with to show you what's happening; and then it adds a two-factor authentication scheme, so it basically sets us up ready for two-factor authentication, which we don't make use of just yet but we will. That's all just one call; that entire thing is setting up authentication to use the built-in Identity setup, which as we mentioned basically uses cookies and a security stamp, and then it's ready to use two-factor authentication. So all that, you'll see as we use it, it'll make sense. Then this is just all goings-on; well, I say this, this one here really is just the ability to make use of this interface, which is needed inside of the way that this Identity works: it pulls in the HttpContext from within areas you wouldn't usually be able to get to it, so this lets you do that, well, not always, but lets the inner service, the Identity service in ASP.NET Core, use it. And then it adds all these scoped things that you'll see and you'll be able to pull in. So all these are in the scope of a web request, so every request gets them, and you can see you've got user validator, password validator, hasher, lookup normalizer; all right, all the main ones we'll make use of, like the UserManager, SignInManager, RoleManager, maybe the validator; we'll use them all. But you'll see really all that call is doing, for the bulk of it, is adding authentication and then adding all these providers too, so we can make use of them in
our actions nice and easy, and they're using, again, these baked-in pre-existing managers. I actually ended up making my own when ASP.NET 1 was out because it wasn't quite good enough, and that was a huge amount of work, so now these are luckily good enough and stable that we can simply make use of them, and then it just returns. So that's it, that's all it does. And you'll notice you'll be able to pass it a configure action; if you pass it in, it simply just does services.Configure and passes in the action that you pass into here to get the options, so if you wanted to configure them at the same time you can do it in an override. So that link we'll put in the source code there, and that gets us to step one. And then if we now do, we've done the AddIdentity, the next step is to do dot... what is the next step... AddEntityFrameworkStores, and then you can see it's asking for the context, which is obviously our ApplicationDbContext, and then this method, so close that off there. And this one, again, right, so let me think to explain this correctly. So this adds, I believe, the user store and the role store, I think the only two, from this context, and again we've got the source code open so we can double-check this. But these two you haven't seen; you didn't see them here directly, but the user store and the role store are again helper classes that wrap the correct database tables, so wrap the users, the roles, the role claims, into a class, and then make them accessible for the SignInManager, the UserManager, the RoleManager. So even though these add the user managers here, the user managers are expecting a user store and a role store of where to find those users. So this bit adds those stores, to tell them to come from, obviously, Entity Framework. So if we take a look at that
source code we should find that extension method in here. So there's AddEntityFrameworkStores that we've just done; you see again this bubbles down, and this looks a bit complicated because this is all kind of generic stuff that just does look messy and confusing, but if you simply just scroll and look at this you can kind of gather that each bit is trying to find existing info from it. So it's trying to get an IdentityDbContext, which we are, so that'll be given, and then everything else, which you won't be, it'll just make generic user stores for us; otherwise it will try and get the user store based on the types and bubble down to ultimately simply calling these two functions. So you don't need to really understand all of this generic stuff and what's going on, because again this is used internally; you just simply need to understand at least the principle of what's happening. And you can see that in essence, no matter what happens, it always boils down to adding a user store and a role store, or adding a user store, and it's based on the types; so because we've passed in the user and role here, these are the types that it would be. So by calling AddEntityFrameworkStores we would then be able to get the services. So if we did, say, in this part, you could do IoC dot, and do an expose provider, yeah, IoCContainer.Provider.GetService, and then you could do IUserStore of ApplicationUser and get the user store that way, and that should be available, you know, anywhere in the code because it's injected here, and then you can do whatever you wanted with that user store. So you'll see var userStore, and again we wouldn't do this, because this is handled by the UserManager; we're just showing you what it does, and then you've got the actions here to create users, delete users, do all your user functions. But you don't end up using the user store directly; instead you use the UserManager. So you'd do UserManager of ApplicationUser, and now the user store... no, the
manager has more functions and it's all built up to handle, you know, a lot more. But that's all that's doing: that AddEntityFrameworkStores is adding the user store and the role store from this context, consumed by... yeah, "consumed", God, spelling, you shouldn't... yes, by the UserManager and RoleManager. That's a simple one, and then we'll put this link in so you can see at least that's all it's doing; it looks very generic, but all it does is find baked-in types like this, and if you pass in this and it's an existing one it uses that instead, and then passes it ultimately in the constructor of a user store and a role store. So we'll pass that in. And I think there's one more step, which is AddDefaultTokenProviders. So again another thing that's needed, and we can pop spaces in this to make the comments look a bit nicer: adds providers that generate unique keys and hashes for things like forgot password links, phone number verification codes and so on. So again, as part of all the UserManager and password stuff, anywhere that you generate, like when you forget your password, you generate a unique key that then usually emails you the key, you click the forgot password link and you can create a new one. So this little thing here is responsible for making those unique keys in a way that's believed safe and unpredictable. So again it's a simple thing; you could just do a new GUID for everything, but ASP.NET Core has baked in those providers that then get used by, you know, the UserManager and so on. So that should be all we need to do, in theory. If we were to remove the comments, boom, we've done it. So we've only done three things: we've added... let me just stop that... we've added the Identity, we've added the stores that the Identity needs, and we've added the tokens the Identity needs. So all we've done is added the Identity and then added two things that it needs, and then we just mark it out with comments, because obviously comments are good and then you can go
back and read and understand exactly what the implications of doing a lot are. So we've got good enough for there. I'll put notes here, or TODOs so I don't forget; we'll come back to them: change login URL, change cookie timeout. So we'll do those two things; we'll come back to those two things. And then we also mustn't forget, in the Configure method, which is... ConfigureServices adds the required services, and then Configure is needed at a point at which the setup happens once all the services have been added, so "Setup Identity", and this is just app.UseAuthentication. There we go. And basically there's only ever one authentication call now, no matter what type of authentication you use; so this is the one that's adding the authentication, and it's Identity authentication, but you only ever have to call this. So if we changed the way that we identified users, you know, the sign-in process, you'd still just do UseAuthentication, because they should all implement the same thing that then gets called via this call. So that is really, for the most part, everything we need to do to set up and be ready to do what we want with users, believe it or not. So now we can create users on our website, we can authorize them, we can reject them, we can redirect them, we can send passwords, all sorts we can do. And you might not believe it, with it being that simple, in a sense that we've only really made three calls and now we can do that, but that's kind of the beauty of using this, you know, using something that exists, but in a way that now we understand enough, and you can always dig into the source code, is the benefit. So I wouldn't just add those three, start using it and do it blindly; when we do CreateUser you can then search GitHub for, you know, the source code to that and have a look yourself at what it's doing, so you understand that. I'd definitely recommend that. So we won't delve into that in this video 'cause it'll go on too long, but I'd certainly look at all the calls that we make from now on,
going into those and having a look yourself. We'll cover them more in future videos, but it's beneficial. So I guess the first thing we want to do is create a user, so we can see the user being created. So again, we mentioned in the last video we do constructor injection to just naturally pull in a scoped service; based on effectively this class, when it's in a constructor it's scoped into this; whenever this is created it's part of that scope; that's how the scope works. So we want now, as we mentioned before, a UserManager; Ctrl+. to get the pop-up, if you will, and we have the ApplicationUser here, and this will be the UserManager. Put it on a new line and also have the, which we don't use just yet but we will, SignInManager of ApplicationUser, and that is SignInManager. And then we just do protected, and we can copy this, could have just typed it quicker than copying but never mind, and that's mUserManager, protected mSignInManager. And "this is the manager for handling users", quite simply; "manager for handling signing in and out for our users"; user creation, verification, deletion, what else do we do with the UserManager, roles, searching, okay. Yeah, so there's our protected members that will get injected through the services, which will automatically get filled here just like the other one did, and then we'll set them up to be the UserManager and the SignInManager, and then we can just double-check that that works. So we spin up the application now, and you'll find that these get injected, and the reason they get injected is because, as we saw in the source code, the AddIdentity injects a UserManager. So as it spins up, the UserManager is now the ASP.NET UserManager and the SignInManager, as you'd expect, is SignInManager. So we have them injected. So now we're ready to do what we want with the users, and as I mentioned they have been injected due to the fact that the AddIdentity adds the scoped classes, as we saw in this link. I think
I'll close that as well. So we have that ready, we've injected it into there, so it's now time to actually do something. So let's go here and do a public Task of, because we'll have to await the creation of the user, IActionResult, which is any kind of result, and just call it CreateUserAsync. So just a normal call; we'll do a Route so it can be found, and we do Route "create", and again we'll move this into the Core; we'll add the Fasetto Word Core and these routes will be embedded in there, so we know where to call them from. For now we'll just return Content "user was created", and we'll have text/html as the type, and because it's a Task, for a minute we'll just do Task.FromResult and new Content... okay, let's just do return Content, and for now, because we're not awaiting, in fact let's just do a little trick: await Task.Delay(0), async, I'll just do that so we don't have to do anything here. So all we'll do for now is check that this create route is plugged in; you can simply type in localhost/create, and we hit here, and then we should just return text that says the user was created, just making sure our general MVC routing is working. So "hello world", /create, you see we hit there, we return and it says "user was created", so we know at least now we're hitting that function. So in here let's just create a user, and obviously you wouldn't just create a user like we're gonna do here; you'd actually have a sign-up form on your website, which we will do, but again for now I just want to show it actually doing the work. So we'll do "successful", which is the result, and it's awaiting the UserManager we have, and it couldn't be any simpler really: you create a user, you're passing the type of user, which is our class that we already made, and you can do UserName, I'll have ours as "angelsix", Email, I'll have it as my email. That's all we need. Then we could say if successful.Succeeded; that sort of really is not "successful", that's "result", so we
got a result from this call: if it succeeded we'll return "the user was created", otherwise we'll return that user creation failed, which it should do if we run it a second time, because it should automatically detect that the user was already there. The one other thing we often need is the password, which you don't put into this class, because you should never have passwords in in-memory objects; they should never hit the memory, they should always be passed through parameters down to the point where they're used and then hashed. So that's why you see the password passed as a secondary thing, and here we'll have "safe password", and then we'll break here and we'll run this and we'll see what happens. So that's the normal part spun up; we refresh this create, you can see we've run it, we have a result, and you can see all the errors we got, three of them: one is PasswordRequiresNonAlphanumeric, PasswordRequiresDigit, PasswordRequiresUppercase. So you might be saying, well, where do all these come from, how are we getting password validation going on? The answer to that is quite simple. In fact we should have run that fully and made sure that that shows "user creation failed", just to, you know, check that the fail also works, not just that. So there you go, "user creation failed". We don't want the same... why, I couldn't care for this demo; we could send the results, you could output them, I'm not going to. So where did that password validation come from? Well, if you noticed here, I started mentioning, you do all this lot, so you open this link that we had open and you search for PasswordValidator, look what we get: we get a default password validator. So if we were to then search the source code for PasswordValidator, you could bubble down to trying to find it in here, this might be the right one, and you can look at what it does by default. So this is the default validator, this is the bog-standard off-the-shelf password validator that gets added, and you can see here
is where it does the... if it doesn't have them it adds the errors. So by default we have these options, and the options are coming from the manager options, so all we need to do is replace the default options with our own. So to do that, you can do it directly in the AddIdentity; as we saw in that override we have this options here that we can specify, but I like to keep this bit all done in one place. So let us change here, "change password policy", and obviously we'll revoke these in the future ones, but we do that: you do services.Configure, standard Configure, and we want to do IdentityOptions, and then we'll be given the options, then we can go ahead and change them, so make really weak passwords possible for now. And we do options.Password.RequireDigit as false, options.Password.RequiredLength, let's say five, and by the way never do this in production, this is obviously just to show you what's possible. Require lowercase we'll leave, at least require a lowercase, for some text at least; require uppercase we'll remove, and finally we'll remove the requirement for non-alphanumeric, as in something other than a letter and a number. So that'll make it stupidly insecure, but now if we run this code and run create we should actually be able to create that user. So if we refresh this page, "user was created", how good. So we didn't break point into that, but really the only other option was we were successful; it just tells us that anyway. So what it should mean now is, in our users table, right-click and Select Top 1000, we should actually see that user, and we do... I don't know, there's nothing, that's interesting, I'm also not sure, that seems a bit weird; let's just make a new query, do it ourselves, select all from AspNetUsers, there we go. That was just a weird view, I'm not sure why Select Top 1000 shows like that, maybe I clicked the wrong thing last time, so it works that time. So you can see here we have the Id, which has been generated by that token provider potentially; if not
then it is simply part of the identity that we always use goods for the IDS we've never failed in access we've got a concurrency stamp which is used by the database of two people or two calls or two threads try to edit the user at the same time before the Edit the use of the public and currency stamp then they do an edit then they try and commit every time I commit happens as concurrent system changes so at the point of commit it's it's a standard database thing you can look up on Google and it's called concurrency you know database concurrency jacking so basically it just simply ensures that this this line of the database can't be edited by two things at once by use of a concurrency stamp so it can figure out you know who was first to try and commit the email is what we were given it's not being confirmed by default lockouts enabled by default so they tried multiple times we can lock the user out and there's all policies there you know failure of login five times lock them out for five minutes that type of behavior that's baked into the asp.net identity that we're using normalized email is simply as it states it takes our email and normalizes it so if we want to do comparisons we want to find the user based on email and we type in con tapped I and you know I miss the upper case lower case dot then trying to do a search for that in an SQL query for this the email wouldn't work so instead of having to cast our code to certain states upper case lower case and hood comparisons for quickness at the time of editing the email it creates a normalized which is just upper cased version of our email so that when we try to find a usable that email we can simply compare it via application we know that we should find it same for the username the password is a hash of the password we entered which wishes password the phone number is indented or confirmed two-factor authentication has enabled the usernames there and then the security stamp so I was going to talk about this at the 
end but we might as well talk about this a little bit now so the security stamp basically changes every time anything related to the security of this account changes so if your username changes the stamp will change your email changes the sample change the linked two-factor authentication anything that is revolved around a successful login anything that would change the details of a successful login then the security stamp changes now what happens when you you log into the website as you'll see is you then get a cookie which stores a unique ID of your successful login and that cookie will last however long it should last which by default is 30 minutes so every 30 minutes the cookie will disappear and it will naturally be authenticate or even if you are stayed and the security stamp will always be checked for authenticity I'll be tan so every time you get a login it will be checked and again there's a default time out on when the security stamp will be refreshed which we can change and if this changes it will have simply invalidate any logged in user so if we were to say update our email address in our code and we say update email address we should then forcefully tell asp.net to update the security stamp as well but by default little update automatically once every 30 minutes but we want if we were ever want to force that action to instantly refresh sheet we can call update Security stamp so that enables things like say you have multiple app sign in to your application and they get given a unique key that that's why when you log into something on your phone you don't have to keep logging in again it simply knows it's on your phone and that's due to a key but then say you go and edit your username online you want your users to be kicked out from the phones to real authentic 8 to make sure you know it's still valid user so that's what the secured some doors will see that an action I'll pop and do it that in a separate video just so we can you know spend a little bit 
of time looking at it but that's what the security stunt does and like I say we could mess with that but I think that's enough for now so we're now created the user and it's created the user in the database so now if we were to and we can also look at the error here if we were to then track create the same user again with the same details we should get another error and there you go the duplicate username which is again built into the settings that doesn't allow that for obvious reasons because that is the key so we're not gonna mess with that but you can see that we could easily dump out the error messages to the user and handle them specifically so we know that's now working we have the ability to create a user which you would naturally just link up to your login form or rather your signup form and then you could inspect the result the errors to output specific errors to users but for now we'll do that so we'll just say it's our single user for now so then you might say what's the one how do we sign in and - what's the use of signing in if you can't restrict access in the first place so to make something private as as simple as making a public whatever you want to make you know you just you normal action wherever you're going on your website we'll just call this private and we will return content this is a private area welcome and then presumably well no it definitely they can only ever get to here if they signed in which means we should have access to what we mentioned before or the HTTP context what user so we can then use your identity and name and I'd like to pull out the name let's make that text HTML and then we return that so now to make this whole thing private you can use authorize control dot to include the right tag and now this this private thing here we also do a route so it's easier to access and we just see private this canal will be accessed by authorized personnel by logged in users and specifically by you know the roles if you will so if you 
override then you can specify you know specific policies and things and there's you'll notice here the specific roles so you can also lock down not only just by simply Authority but specific Authority as well you can do it per option or you could do it on the whole controller so your entire every action inside that control naturally authorized so I just again start without cladding for testing we can access the private page and this'll actually crash with I presume this will crash because identity or user is gonna be null so and that that's perfectly valid to leave like that because they shouldn't be able to access that page without being private so this'll also in fact asthma bother crashing which is interesting I would have thought that would have crushed so what do we get identity user as their identities there and it's something not ok so by default it creates all these things they simply no doubt so that's something to bear in mind as well of you you know you check in that so that will quite happily now proceed and we're not logged in and it's saying welcome nobody effectively so then what happens if we now lock this area out and run so now what should happen is the identity service that we set up in here should figure out that user is not allowed and it should then redirect us to the login page which again if we open this link just to quickly show you that that link comes from here where we do the add cookie for the application schema and the account login is where we expect to go so this login path means when when they are unauthorized where do you send them and it sends them to forward slash account for slash login so we know hit up this private you can then see that's exactly what it's done it's redirected us to account login it's also passed in it a query oil same where they come from and % to F is just ill encoding for forward slash so we effectively come from for it's less private so that's where we should in theory in our action redirect to there so we 
can then handle that for one I don't like account login so let's just change that here now a little to do so change login oil and to change the logon era again its services but this time you don't do configure by default the other special one specific for configure application cookie so we'll do options again and then here we were options got the login path and again this hard-coded bit here I wouldn't be doing this this would come from a core class so anyway we're doing routes to certain places in the code like this hard coded we won't do that in future this is just for this video nor would we do it here these would all be coming directly from actual boots in a class so that you know our entire application and all of our windows and iPhone and Android apps can all make use of that exact same bunch of expected URLs so for now we'll just change it to redirect to or slash login and if we run that we should get the login page you know we do write in the login so let's also make a login part here so we know now this is a private area that works that now is redirecting so we can't get this area anymore without logging in so now let's do a probably async task action result login and we can also make use of if I remember what it was when we closed it this we turn now so we just pass in string return ill and it shouldn't be case sensitive and that should then be given by effectively the it will automatically be pulled out by NBC from the query string so we should then get this piece of information of where to go to and then now here log in is where you typically present your login page for the user to type the username and password then they click a form to submit that back to the website here's my credentials and then you get to the real call that then does the latter login and redirects so again for now we'll just for simplicity and to show you the actual the code in action when we hit login we're just automatically going to sign the user into a specific account with the 
right username and password so we will do that with using again the this time the sign-in manager so sounding mind you got sign-in so you could do a sign-in by that but the typical way to do it because after the user would have provided that it would be to you know password signing so then we have the password side and we have an override Walkabout the username angel six will do the password that we know is password persistent means the based on the cookies so once they close the browser out do you want them to be able to you know the cookies to stay created at that point or you want the cookie to be you know removed as soon as they close the web page so typically that banks and things you don't ever want them to be we can just finish your closure site others it would be really annoying if you're browsing say Facebook can you close it and went back on and you instantly have to real aughh in and so it all depends on preference I'm gonna say persistent for now because we'll show you not doing that you can also say lock out fail at counting and lockout on failure as in they won't instantly lock out it will actually indicate the amount of tries before it should lock out so it's a little bit inconsistent with description it's that'll add to the count of how many attempts you can sign in before you lock out which is that database table we saw so it's just lock out walkouts enabled lockout ended in fact no it looks like it's a direct lock out so I thought that handled it baked in with access failed account we could prove that after we can try that in fact we could try that right now as the first attempt let's first fail with the wrong password let's awake that and let's just return content testing just because I really want to see if this is to behavior so I'm explaining it correctly and then obviously the route would be the login so we can either hit login up directly that's gonna complain that we're not called async due to my coding Convention style so if we run this 
now and we hit the login page it should attempt to login with the wrong password and obviously fail and then let's see what our database has to say about that so we do for a slash login and now we refresh this access failed count one lockout enabled one lockout end so we don't have a lockout which is correct so we hit again and again let's see we have three attempts I just hit this off a dozen times and there you can see finally don't know how many times I probably four or five it's now finally locked us out and now with the lockout ends at 9:53 at 9:35 rather so you can see that's how I thought he acted so that's why that's slightly inconsistent if you are so even though this you saying lockout on failure it simply means that adds to the attempted failed logins and again you can change that value in the time and there the options if you like I believe it's just in the in here and the main application cookies so you got the lock logout path return if not we can find it and again you can just find it fairly easily access denied path the Isis isn't than that one which is easy enough to find we can find in the next video and and show you a change in the amount of successful logins so on here we don't really care or just are false we might now have to tweak the database just so we can actually log back in so update SP users another thing to never do online databases but this is a demo so fine updates users set block out and keep calls nor where well in fact we don't have anything else in the database to update all of them so now we are magically not locked out [Music] so this time we're sounding with the right password and we can get the result so far there's also equals sign use it in with the valid credentials and photo login page for testing oh I just noticed I didn't even do a correct thing there traffic area no picking the owner to return to go successfully logged in that would be the same thing as successful and then we do we would do in fact we did do that in 
one line return will be direct and we can pass in the oil so what we actually do is if string that is more empty return oil question mark then we'd redirect to option and we do name of the index action or the home we call it the index action in fact you wouldn't definitely do that you because it's not necessarily the name it would be the route itself but again right now we don't have a route so I'll just do that for now and that is it otherwise we'd be direct to the given return ale so what's that complaining about tab conditional agree not because there was no emplacement aversion between a redirect to action so doing two different results okay so just break that out into an if statement string is no empty return redirect to action otherwise we return every direct we hop now return I'll go to home otherwise go to the eternal and then we would never hit here well we wouldn't we failed so at this point it would be failed to login which again we could test so let's test with the invalid password and run this and the result should now be that we fail the login and we just simply say fail of logging and you can inspect the results so we can see this in action so if we do login the result just has failed and it gives us no real reason we simply failed logging and and the reason for that is also for security that simply if you fail to login you shouldn't tell them information like the password is wrong your username was wrong you should literally just say you know you failed for security purposes what you can do though is inspect and check with the sign-in manager or the user manager if the user has locked out too then at least give them that information so they don't keep trying that you know you've got to wait five minutes or something but that's why you get no real info there so we should now see failed to login which we do so we correct that password now two password one or two password and then we try to login now we should see we successfully logged in and we been 
redirected to hello world so we know we're logged in because we've gone to the home page for one so now if we went to primary three should be able to login well we should automatically be logged in well private area welcome angel SEC so now it knows we're logged in so let's press f12 we're on the storage tab which is cookies and you can see we have here cookies for this web page you have the name of the cookie which is asp net core application application o idents the application you can see we've also got this time of how long this cookie will last which the browser is about responsible for deleting or creating sexy was created just and it expires in two weeks from now so that's the default behavior as 14-day cookie expiration which i think is pretty insane I would not expect somebody to not log into a web site for two weeks and when they come back it's still valid and then this value is the value that will bubble down in the web site to be in the actual information of that user's login so if we now look at the asp.net user's login we're not seeing it that it's a cookie one so it's done based on cookies I would have thought though the simple can't find any access in there now I am surprised because I believe oh no I wrote my own nuts what I'm thinking of when I did authentication in the previous one I actually made a persistent database login so this cookie is handled in memory of this running web site so I believe of we start the website that cookie will get lost because he's in the memory of the actual web server he notes kept in memory to the application so it doesn't bother right you know it's not persistent to a database which will probably do what we'll definitely do later so now I tried to private the should control shift R so this is persisting somewhere it's not actually interesting I'll I'll figure that out unless somebody wants to comment in the comments on that where this where this is then authenticating in you know how this is effectively 
authenticating what it might be doing as boiling down what we should really do is decrypt this this password this cookie data or just look at the source code of what this cookie data contains and boil it back to where it's authenticating what it might be doing is boiling straight back down to this security stamp and validating that way and it simply matches that security stamp so let's just test that theory let's just mess with it so update SP not users which would make sense because they've changed this since I did it in SP net1 so this is like a fresh project so things have changed but this is a good learning curve from yourself as well and a good proving ground of what's really happening so we'll update security stamp set of school something equals and then we need a new GUI at least just so it looks you know familiar in some way and you shouldn't really directly edit obviously the database like this to see just for me I'm curious to what's happening so that will be without the curly braces let's do that I know it's lowercase book I don't really care here I've only got one user so let's just update tomorrow I'm refresh no we have a new security stamp that doesn't met match and I've hacked it directly so maybe not so let's at least see how we decrypt this cookie okay so I've just done quite a bit digging into the cookie stuff to try and find out where it couldn't like where it's been stored directly and it let me down quite a big rabbit hole so I want to do a video specifically on you know you want to understand where that cookie is stored exactly I basically went through all the source code on github for the cookie management and it boils down to a few major places where the the cookie authentication that's had lead in the start of class inside at the adult an add identity adds a cookie Authenticator that then tries to get what's called the I think it was a data secure data provider and a time data format and those effectively do protect an on protect on the 
cookie they can be configured to store on the file system but my main curiosity was where it's actually stored right now it definitely isn't stored it well I say it's not in the database I can't seeds in the database I do SQL Server profiler and it doesn't get any hits so I'm pretty sure it's not in the database I also did a file watcher on the C Drive just as a quick interest and there was no activity on the C Drive specific to that either so all have been thought it was handled by memory but then I published and run it in memory and closed and killed a fresh new memory and there definitely is also not handled by memory so I got so far with the the dig in and I think what's happened is it's it's stored in the file system but in a protected area with the file system it's actually calling like a Windows protected storage type thing so we can't access it or see it directly or monitor its activity and that's big deep within the dotnet core source code so I got so far down into it and then thought I've been doing it for probably 40 minutes now and I'm like now we'll do we'll do a separate video on exactly we're not necessarily where the cookie is stored because that's stored in the browser if we just open this and you can see there's no cookie we go to log in then we'll have a cookie so there's no mystery here I found that this is basically handled by a chunking cookie manager or something that basically takes the the claims principle of the user chunks it up so it's nice and small and provides that and then like I said this time date format decrypt that information so there's no mystery as to where this cookie years it's more about I want to know on the server side when we see effectively we refresh that or we go to private where this is is coming from where this where are we here so we're we're authenticating with the cookie authentication Handler and where it's actually in the stored information just curiosity that says we don't need to do it but now I'm really 
curious because you know I don't have all the answers there so we'll do a cookie authentication video separately to really dig into that for now I just quickly added a a log out to the home control to show you how to sign out so if we change that to say call it log out so it matches this is how you log out just sign out and this will also remove the cookie so that's how it's done but like say I want to dig deeper right into the core of this to find out where we are so probably a good thing to also add to the log in is to first sign out sign out any previous sessions so they go to log in page or sign out any previous so if we were to then spin that up and then you can do your own test maybe somebody knows this answer and they can comment in the video as to primarily like say when once the cookies created on this page so now we're signed in we're on the server side is that you know necessarily being validated against what where's that stored credential if you will like if we want to now clear it instantly and you should be able to back track it through the this call but like I said spend 40 minutes digging into code and got right down to knowing that it's stored in the data like a protected data provider but then I never got I just got bored of digging to be honest with doing such a long video in the first place so that's that's one for another day but again I'd love to see comments I'd expect it to be in the database originally which it wasn't so that's what started there in an old process but now at least if we do say log out you'll see that that will now clear the cookie so we've got those page you so let's just wrap up the few bits left in this video the cookie that you could see was expiring in 14 days by default so let's just finish this last to do here and let's change the cookie timeout so in fact that will be in there alter application cookie in film and you can actually store the keys to the cookie in here is the other thing with data protection provider so 
we can the bit I'm talking about to dig more into if we'd specified this explicitly and we overrode a data protection provider potential just making you one run pretty sure we're after certain oh that's a static class so you can do it create so we could do they provide up create test and you specify stuff in there I guess Maps my overloads yeah there's plenty available loads of what to do there so we could create like an in-memory one or one that stores keys on the filesystem and that's fine then we could see the keys of the cookies being created and then we'd be able to clear cookies that's what we'll start in the next video but the main thing is we're the default one ends up going is what I'm mainly after and I'm pretty sure simply enough on the file system but just in a location I can't monitor and I've also hunted for so again anyone that knows that let me know or be curious to change the cookie time out simply option stop expires timespan and we'll do x fund off from seconds let's make our cookie expire every 15 seconds of an activity change it to expire in 15 seconds I can even do yeah through 15 seconds so if we spin that up now we will have a cookie that should expire if we don't hit the cookie up within 15 seconds so we have I don't really got one right now by default there's no cookie so we then go into login and we have a cookie now you can see it's expiring in 15 seconds from the created date if we refresh you can see it updates 38 forty-eight so it's every time we refreshing the page it's updating the cookie if we were to now sit and let that go past 48 seconds so if we were to do what does go past 48 which it now has if we were to refresh here now it should have been expired which it yeah so now it's expired basically so now we won't deprive it we should hit other what because we auto-login an effect which should be redirected to login when we hit private now and you can see we're now at the login so if we were then to do private again you see the 
private page expires and it hits the private page so we're not repented gating so the cookie is persisting you can see there 36 seconds now it's updated to 45 and then if we wait for it to go past the 45 that's how the cookie expires so that's how you naturally get signed out to web sites from inactivity it's this you know the cookie expiring so I think that's covered everything that we were after let's just wait for this to timeout go to 53 and then refresh so now we can just do a refresh and you can see then we hit the login page which we then just Auto log back in so that was the the starters to effectively creating asp.net server application for faceted word and we've got at least the ability to start logging in users creating users and we've done some diving into what's what the only Mike said that the lack of knowledge right now that we will address is purely about this one key point of once the cookies been created in that new piece of informations there how asp.net is authenticating against that like not necessarily how we know that it's it's keeping track of that users logged in and monitoring the you know that the users security token and things haven't changed but it's more about where is it physically stored on this machine that's running the server and we haven't got to the bottom of that yet so that's not super critical because we know the process we know how to sign them out sign them in to more of a curiosity thing so that will do for that video the next one will either carry on with this maybe create some actual HTML UI at least for some some basic sign up so we are actually typing in a username and you can go to register you know create a user and then we might jump back to the Fassett our word application and have it so that we can create it from that application actually call this website push it live to a server and start hitting it up test to register users on register users you know all that kind of good stuff so it should start getting 
interesting any questions or comments again as usual let me know and I'll get back to you [Music] you
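The Identity setup and the sign-up / login / private-page / logout flow walked through in the video, collected into one runnable piece as an added example (this is not the video's or the Fasetto Word project's own code). It assumes an Identity user class named ApplicationUser, a HomeController with an Index action, and the ASP.NET Core 2.0 Identity APIs the video uses (services.Configure<IdentityOptions>, ConfigureApplicationCookie, UserManager, SignInManager). Where the video deliberately weakens the password policy for the demo, the example keeps the weak values only as a comment and sets values suitable for a real deployment; it also shows the two checks the video mentions but does not code up: telling a locked-out user to wait, and validating returnUrl before redirecting to it.

```csharp
// Added example, not from the video. ApplicationUser and HomeController.Index are assumed names.
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class ApplicationUser : IdentityUser { }   // assumed Identity user type

public static class IdentitySetup
{
    // Call from Startup.ConfigureServices after services.AddIdentity<ApplicationUser, IdentityRole>()...
    public static void ConfigureIdentityPolicy(IServiceCollection services)
    {
        services.Configure<IdentityOptions>(options =>
        {
            // The video sets RequireDigit = false, RequiredLength = 5 and drops the other
            // checks for the demo. These are values you would actually ship.
            options.Password.RequiredLength = 12;
            options.Password.RequireDigit = true;
            options.Password.RequireLowercase = true;
            options.Password.RequireUppercase = true;
            options.Password.RequireNonAlphanumeric = true;

            // Lockout: drives the AccessFailedCount / LockoutEnd columns seen in AspNetUsers.
            options.Lockout.AllowedForNewUsers = true;
            options.Lockout.MaxFailedAccessAttempts = 5;
            options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(5);
        });

        // Replaces the default /Account/Login path and the 14-day cookie lifetime from the video.
        services.ConfigureApplicationCookie(options =>
        {
            options.LoginPath = "/login";
            options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
            options.SlidingExpiration = true;                    // each request renews the cookie
            options.Cookie.HttpOnly = true;                      // page script cannot read it
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });

        // How often a cookie's security stamp is re-checked against the database.
        services.Configure<SecurityStampValidatorOptions>(options =>
            options.ValidationInterval = TimeSpan.FromMinutes(5));
    }
}

public class AccountController : Controller
{
    private readonly UserManager<ApplicationUser> _userManager;
    private readonly SignInManager<ApplicationUser> _signInManager;

    public AccountController(UserManager<ApplicationUser> userManager,
                             SignInManager<ApplicationUser> signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    [HttpPost("register"), ValidateAntiForgeryToken]
    public async Task<IActionResult> Register(string userName, string email, string password)
    {
        // The password travels as a parameter and is hashed by CreateAsync; it is never a field on the user.
        var result = await _userManager.CreateAsync(
            new ApplicationUser { UserName = userName, Email = email }, password);
        if (result.Succeeded)
            return Content("User was created");
        // Validator errors (PasswordRequiresDigit, DuplicateUserName, ...) are fine to show at sign-up.
        return Content("User creation failed: " + string.Join("; ", result.Errors.Select(e => e.Description)));
    }

    [HttpPost("login"), ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string userName, string password, string returnUrl = null)
    {
        await _signInManager.SignOutAsync();   // drop any previous session first, as in the video
        var result = await _signInManager.PasswordSignInAsync(
            userName, password, isPersistent: false, lockoutOnFailure: true);
        if (result.Succeeded)
        {
            // Only follow returnUrl when it points back into this site.
            if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
                return Redirect(returnUrl);
            return RedirectToAction("Index", "Home");
        }
        // A locked-out user is told to wait; otherwise no hint as to which credential was wrong.
        return Content(result.IsLockedOut ? "Account locked, try again later" : "Failed to login");
    }

    [Authorize, HttpGet("private")]
    public IActionResult Private() => Content($"Private area, welcome {User.Identity.Name}");

    [HttpPost("logout"), ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout()
    {
        await _signInManager.SignOutAsync();   // clears the .AspNetCore.Identity.Application cookie
        return RedirectToAction("Index", "Home");
    }

    // A security-relevant change refreshes the stamp, so other signed-in clients are
    // re-validated on their next SecurityStampValidator check rather than staying trusted.
    [Authorize, HttpPost("change-email"), ValidateAntiForgeryToken]
    public async Task<IActionResult> ChangeEmail(string newEmail)
    {
        var user = await _userManager.GetUserAsync(User);
        var result = await _userManager.SetEmailAsync(user, newEmail);
        if (result.Succeeded)
            await _userManager.UpdateSecurityStampAsync(user);
        return Content(result.Succeeded ? "Email updated" : "Update failed");
    }
}
```

The Url.IsLocalUrl check on returnUrl is the one the video's `Redirect(returnUrl)` omits: the value arrives from the query string, so a redirect should only be followed when it is a path on this site. The lockout branch is what the video suggests when it says you may tell a locked-out user to wait while otherwise giving no reason for the failure.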
Info
Channel: AngelSix
Views: 53,332
Keywords: entity framework, entity, framework, user, create, login, sign in, manager, core, sql server, sql, transact, ssms, asp.net, c#, mvc, basics, tutorial, server, chat, database, example
Id: WQywatfis6s
Length: 72min 49sec (4369 seconds)
Published: Thu Jan 18 2018