MVC login and authentication

Dec 6, 2015 at 3:06 PM

I have been trying to implement the login / authentication which VITA provides by using the extended tests; however, I am having some difficulties.

I have managed to get a new user login created. I can also log in as the new user; however, I am unsure how to verify that the user is logged in when I go to another controller.

Do you have an example that I can refer to?
Dec 6, 2015 at 6:41 PM
Sorry, no examples for MVC, only for an SPA-like, AngularJS-based client with a Web API-based server (a bunch of controllers responding with JSON). The Web tests project demos this approach. On the server side all you need is to add WebCallContextHandler to the HTTP handler stack.
We did use VITA and the login module in an MVC app (our previous app at my workplace was classic MVC); it worked well, but it needs some extra code in the app.
Here's an outline. A successful login returns, among other things, the AuthenticationToken, a long cryptic string; it is the sessionId. The client should save it and add it to every call to the server. For an SPA/Angular app the client-side JS code saves the token in local storage and injects it into every call in the Authorization header (the standard header reserved for this).
In an MVC app, as it uses traditional form submits and HTML GET operations, you should put it into a cookie. So in your login controller add code returning a 'Set-Cookie' header; this will save the cookie in the browser cache.
Now, in every call on the server side, somewhere early in the call, you should retrieve the cookie from the request and attach the session using the IUserSessionService.AttachSession call. What you need is an OperationContext with proper UserInfo, WebContext and UserSession objects attached; this OperationContext should be used for opening entity sessions.
You can try to use WebCallContextHandler from Vita.Web (the one we use for the SPA app); the handler has a setting sessionTokenType, whose default value is Header; you should set it to WebTokenType.Cookie. I think it should work as is; if not, let me know. The handler saves the WebCallContext under the key 'vita_web_call_context' in the request.Properties dictionary. You can retrieve it in an MVC controller; the OperationContext is a property of the web context. Retrieve it and use it for entity operations. Make sure you add UserSessionModule to your entity app.
Another way to go is to add your own user session handler: retrieve the session token, load/attach the user session (IUserSessionService.AttachSession), and create an operation context with the User property set to the logged-in user.
Look at the WebCallContextHandler code for examples. It initially creates a WebCallContext with an anonymous user, reads the auth token and puts it into the web call context, then fires the WebCallStarting event; UserSessionModule handles it, retrieves the session and attaches the session object and UserInfo to the operation context. Now all contexts are initialized and the call is passed down to the controller, which retrieves the web context / operation context from the request properties (see BaseApiController.Init) and uses it for entity operations.
Let me know if you have any problems.
Dec 8, 2015 at 8:38 PM
Would it be possible to send you what I currently have and for you to review it?
Dec 8, 2015 at 8:45 PM
Contact me through the Contact User option; it will send me an email, I will reply, and you'll get the reply from my personal email box. Then you'll send me the zip.
But... does it work? Or do you have problems?
Dec 9, 2015 at 1:46 PM
I currently have a login form which stores the usersession.token in a cookie. I am able to log in successfully and also reattach the user session using UserSessionService.

Just not sure how to make a controller check if the user is authenticated or not...
Dec 9, 2015 at 5:22 PM
Checking if the user is authenticated or not is easy: once you have the OperationContext, its User property has the information (UserName and Kind: Anonymous, Authenticated or System). The operation context should be the one that was used to attach the session.
I will look at your sources today and let you know.
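The cookie-based flow outlined in the Dec 6 reply (read the token cookie, attach the session, build an OperationContext) together with the Kind check from the Dec 9 reply, written out as an ASP.NET MVC base controller. This is an added example, not code from the thread or from the VITA project; the Vita namespaces, the `new OperationContext(app)` constructor, `EntityApp.GetService<T>()`, the `AttachSession(context, token)` signature and the `UserKind` enum name are assumed from the library rather than taken from the thread, and the cookie name is a constructed choice.

```csharp
using System.Web;
using System.Web.Mvc;
using Vita.Entities;              // EntityApp, OperationContext, UserKind (namespace assumed)
using Vita.Modules.Login;         // IUserSessionService (namespace assumed)

// Base controller for the MVC app: on every request it reads the session-token cookie,
// re-attaches the VITA user session to a fresh OperationContext, and exposes an
// IsAuthenticated check built on OperationContext.User.Kind, as described in the thread.
public abstract class VitaControllerBase : Controller
{
    public const string SessionCookieName = "vita_session_token"; // constructed cookie name
    // How the EntityApp is obtained is not shown in the thread; derived controllers supply it.
    protected abstract EntityApp App { get; }
    protected OperationContext OpContext { get; private set; }

    protected override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // Fresh context per request; it starts out as an anonymous user.
        OpContext = new OperationContext(App);
        var cookie = Request.Cookies[SessionCookieName];
        if (cookie != null && !string.IsNullOrEmpty(cookie.Value))
        {
            // Assumed signature: AttachSession(OperationContext context, string token).
            // A valid token fills UserSession/UserInfo on the context; an unknown or
            // expired token leaves the context anonymous, so the Kind check below fails.
            var sessions = App.GetService<IUserSessionService>();
            sessions.AttachSession(OpContext, cookie.Value);
        }
        base.OnActionExecuting(filterContext);
    }

    // The check the thread points to: Kind is Anonymous, Authenticated or System.
    protected bool IsAuthenticated()
    {
        return OpContext != null && OpContext.User.Kind == UserKind.Authenticated;
    }

    // Called by the login action after a successful login so the browser returns the
    // token on later requests. HttpOnly keeps page scripts away from the session id;
    // Secure limits the cookie to HTTPS.
    protected void SaveSessionCookie(string authenticationToken)
    {
        var cookie = new HttpCookie(SessionCookieName, authenticationToken)
        {
            HttpOnly = true,
            Secure = Request.IsSecureConnection
        };
        Response.Cookies.Add(cookie);
    }
}
```

An action that needs a logged-in user then starts with `if (!IsAuthenticated()) return RedirectToAction("Login", "Account");` and uses `OpContext` to open its entity session, so entity operations run under the attached user's UserInfo.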
Dec 9, 2015 at 9:43 PM
Just checked the Kind property and it looks like what I currently have works fine. Thanks for pointing me in the right direction.