End Session after Blocking user and manually expire access token
I'm running an ASP web API application with an Angular 5 front end application, and I'm using ASP Identity for authentication.
Now my app has a feature for blocking users, but as I'm using access tokens, I can't find a way to log users out as soon as they are blocked unless I use a bad practice (mentioned in the last lines of the question).
There is a Verify method in the back end API application; it checks whether the access token is valid on each service call from the Angular app. Of course this access token is not changed when the user is blocked, so the user keeps accessing until his access token expires.
What is the best practice to overcome this?
The bad practice I'm using:
[HttpGet]
public IHttpActionResult Verify()
{
    using (var db = new ApplicationDbContext())
    {
        // Looks the user up on every call: this is the part the question calls a bad practice.
        var user = db.users.FirstOrDefault(a => a.UserName == User.Identity.Name);
        // An unknown user is treated the same as a blocked one (fail closed).
        if (user == null || !user.isActive) { return Ok("Blocked"); }
    }
    if (User.Identity.IsAuthenticated) { return Ok("Authorized"); }
    return Ok("Not Authorized");
}
But the function Verify is called many times, so searching the database each time is not a good solution.
--> To clarify the signing out in the Angular app: it first clears the access token from local storage, then redirects to the sign in page, so it has nothing to do with the Web Api.
--> Please tell me if any point needs to be clarified in my question.
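One way to keep immediate revocation without querying the database on every call is to cache each user's active flag for a short time and evict the entry when the user is blocked. The following is an added example, not code from the question or the answer; it assumes the asker's ApplicationDbContext with a users set exposing UserName and isActive, a Web API 2 ApiController, and the System.Runtime.Caching MemoryCache that ships with .NET Framework. EvictUser is a hypothetical helper the blocking action would call.

```csharp
using System;
using System.Linq;
using System.Runtime.Caching;
using System.Web.Http;

// Added example (not the question's own code). Assumes the asker's
// ApplicationDbContext with a `users` DbSet exposing UserName and isActive.
public class SessionController : ApiController
{
    // Upper bound on how long a blocked user keeps access if the cache entry
    // is not evicted (for example after a process restart or on another node).
    private static readonly TimeSpan CacheTtl = TimeSpan.FromMinutes(1);
    private static readonly MemoryCache Cache = MemoryCache.Default;

    private static string CacheKey(string userName) => "active:" + userName;

    // Returns the user's active flag, hitting the database at most once per
    // CacheTtl per user instead of on every Verify call.
    private static bool IsActive(string userName)
    {
        var cached = Cache.Get(CacheKey(userName)) as bool?;
        if (cached.HasValue) return cached.Value;

        bool active;
        using (var db = new ApplicationDbContext())
        {
            var user = db.users.FirstOrDefault(u => u.UserName == userName);
            // Unknown user: treat as blocked (fail closed).
            active = user != null && user.isActive;
        }
        Cache.Set(CacheKey(userName), active, DateTimeOffset.UtcNow.Add(CacheTtl));
        return active;
    }

    // Hypothetical helper: call this from the action that blocks a user so the
    // block takes effect on that user's very next request, not after the TTL.
    public static void EvictUser(string userName)
    {
        Cache.Remove(CacheKey(userName));
    }

    [HttpGet]
    public IHttpActionResult Verify()
    {
        if (!User.Identity.IsAuthenticated) return Ok("Not Authorized");
        if (!IsActive(User.Identity.Name)) return Ok("Blocked");
        return Ok("Authorized");
    }
}
```

The cache is per process, so in a web farm an eviction on one node does not reach the others; there the TTL is what bounds the window, and a shared cache (or a short access-token lifetime with a refresh token that is checked against the database) would be needed for immediate revocation everywhere.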
If avoiding db calls is absolutely necessary I would push the responsibility of booting the user from the application to the Angular side. Please see my proposed flow using web sockets below.
This is putting all your eggs in one basket by relying on your socket connection to boot users, but it cancels out having the responsibility on the api to check on every call and will reduce the chatter to your db.