DataPortal Security

[MarkOverstreet]

We are about to embark on a new blazor wasm project and the topic of security came up. Before choosing CSLA for this project, our team needed more information about locking down the DataPortal. I found this article https://blog.dotnotstandard.com/blog/csla-data-portal-security but it does not include any insight on using best practices like session management, refresh tokens, and such as when doing WebAPI development. So, the question is how do others handle DataPortal security and are there any code examples anywhere?

Thanks

[rockfordlhotka]

If you are using the HttpProxy the server is a standard ASP.NET Core service endpoint, and so you should be able to use any techniques you'd normally use to secure an ASP.NET Core service endpoint.

That might require subclassing the default HttpProxy class to provide any headers, tokens, or other things required for HttpClient - but again, the underlying technology is just a normal/standard HttpClient instance, and so you will secure it like any normal code that's using HttpClient to invoke a service endpoint.

The only "difference" is that you'll do this security code in an HttpProxy subclass (or when configuring the HttpClient in Program.cs), so it is all handled in one place in the entire client app.

[rockfordlhotka]

The same is true for GrpcProxy - the underlying "plumbing" is just standard gRPC client and server elements from ASP.NET Core.

[MarkOverstreet]

Thanks for the info, sounds like we should be able to do the normal recommended approach similar to webapi. Do you, by chance, have any example code that demonstrates overriding HttpProxy?