SendOneWay - accessing original request session details

I have a CreateDocument service which in some use-cases will be called asynchronously using SendOneWay and a MQ.

When the request comes back in from the MQ I don’t need to re-authorize the request (the MQ is trusted). Also the user may have explicitly signed out before the request gets processed. I do however need information from the original HTTP session, namely the user name and roles (for auditing within the service impl).

I’ve read Authenticated Requests via MQ, but that technique seems to be for authenticating requests from the MQ.

I think I could add UserName and Roles to the request DTO and have them set by a filter before the request is published to MQ, but I don’t really want the client application to see these fields. Is there a way to hide them from generated DTOs? Or is there a better way to handle this?

I was thinking it would be good - when using the oneway route - if SS added the original session to the Meta of the Message that gets sent to MQ. Though I’m not sure what would happen if the session was logged out.

mqServer.RegisterHandler<CreateDocument>(m => {
    var req = new BasicRequest { Verb = HttpMethods.Post };
    var usersSession = m.Meta[Keywords.Session];
    req.Items[Keywords.Session] = usersSession;
    var response = ExecuteMessage(m, req);
    return response;
});

There’s probably a lot of reasons why this is a bad idea :smile:

Note MQ Requests are typically treated as internal requests where they’ll bypass any Request Filters on the Service class or Request DTOs. If you want MQ requests authenticated you’d need to add the [Authenticate] attribute at the action-level as seen in the MQ Auth Service example.

This definitely should not be the default behavior; any authInfo like this should be included explicitly. There isn’t a better solution to hide it, but I don’t think it’s a good strategy to hide information from appearing in Request DTOs; all info you need to process the MQ Request effectively should be explicitly on the Request DTO. So I’d personally be making it an implicit part of the Message, which if I needed access to the User’s Session I would add to the DTO by implementing IHasSessionId.

I’m not sure what your motivations are for wanting to hide properties from generated DTOs but I’ve added support to do this using the new [ExcludeMetadata] attribute, e.g:

class CreateDocument : IHasSessionId
{
    //...
    [ExcludeMetadata]
    public string SessionId { get; set; }
}

This change is available from v4.5.13 that’s now available on MyGet.

Thanks @mythz

I’ll need to experiment with this a little more.