Securing UseStaticFiles

Published on , by Vincent Jacquet In Code Tags #aspnetcore

I have an aspnetcore web site that only serve static content but I want to restrict access to the HTML pages.

After some digging, and asking ChatGPT, the first proposal was:

app.UseAuthentication();
app.UseAuthorization();

app.UseStaticFiles(new StaticFileOptions
{
    OnPrepareResponse = ctx =>
    {
        var user = ctx.Context.User;
        if (!user.Identity?.IsAuthenticated ?? true)  // Check if user is authenticated
        {
            ctx.Context.Response.StatusCode = StatusCodes.Status403Forbidden;
            ctx.Context.Response.ContentLength = 0;
            ctx.Context.Response.Body = Stream.Null;
        }
    }
});

It only ensures that the user is authenticated and returns a 403 when not. Firstly, it is incorrect as it should return a 401 in this case. Secondly, it would be good to use integrated IAuthorizationService to check for authorization.

Considering I have declared a MyPolicy policy, a better snippet of code would be:

app.UseStaticFiles(new StaticFileOptions
{
    OnPrepareResponseAsync = async ctx =>
    {
        var httpContext = ctx.Context;

        var authorizationService = httpContext.RequestServices.GetRequiredService<IAuthorizationService>();
        var authorizationResult = await authorizationService.AuthorizeAsync(httpContext.User, httpContext, "MyPolicy");

#pragma warning disable CS0642 // Possible mistaken empty statement
        if (authorizationResult.Succeeded)
            ;
        else if (httpContext.User.Identity?.IsAuthenticated ?? false)
            await httpContext.ForbidAsync();
        else
            await httpContext.ChallengeAsync();
#pragma warning restore CS0642 // Possible mistaken empty statement
    }
});

It is better but there is still the issue of caching static files only when they are not restricted.

ChatGPT suggested to implement a controller but I am going to use a minimal API instead

using static Microsoft.AspNetCore.Http.Results;

//...

app.MapGet("/{name}.html", (IWebHostEnvironment env, string name) =>
{
    var file = env.WebRootFileProvider.GetFileInfo($"{name}.html");
    if (!file.Exists)
        return NotFound();

    var length = file.Length;
    var lastModified = Truncate(file.LastModified, TimeSpan.TicksPerSecond);
    var etag = new EntityTagHeaderValue($"\"{Convert.ToString(lastModified.UtcTicks ^ length, 16)}\"");
    return File(file.CreateReadStream(), "text/html", lastModified: lastModified, entityTag: etag, enableRangeProcessing: true);
}).RequireAuthorization("MyPolicy");

// ...

static DateTimeOffset Truncate(DateTimeOffset date, long resolution)
{
    var ticks = date.UtcTicks;
    return new DateTimeOffset(ticks - (ticks % resolution), TimeSpan.Zero);
}

To ensure this code works for any file provider, we do not rely on the physical path and try to use the file results with as many information as we can provide.

References & Useful Links

Leave a comment

Please note that we won't show your email to others, or use it for sending unwanted emails. We will only use it to render your Gravatar image and to validate you as a real person.