阻止用户并手动使访问令牌过期后结束会话
[英]End Session after Blocking user and manually expire access token
问题描述
I'm running an ASP web API application with Angular 5 front end application, I'm using ASP Identity for Authentication. 
我正在使用Angular 5前端应用程序运行ASP web API应用程序,正在使用ASP Identity进行身份验证。
Now my app has a feature of blocking users , but as I'm using access tokens, I can't find a way to log users out as soon as they are blocked unless I use a bad practice (mentioned in the last lines of the question). 现在,我的应用程序具有阻止用户的功能,但是由于我正在使用访问令牌,因此除非找到错误的做法,否则我无法找到一种方法在注销用户后立即注销用户(请参见题)。
There is a Verify method in the back end API application, it checks the access token if it is valid on each service call from the Angular app , of course this access token is not changed when the user is blocked, so the user keeps accessing until his access token expires. 后端API应用程序中有一个Verify方法,它会检查访问令牌是否对从Angular应用程序进行的每个服务调用均有效,当然,当用户被阻止时,此访问令牌不会更改,因此用户会一直访问直到他的访问令牌已过期。
what is the best practice to overcome this? 克服此问题的最佳实践是什么?
the bad practice I'm using: 我正在使用的不良做法:
Verify() {
var db = new ApplicationDbContext();
var user = db.users.Where(a => a.UserName == User.Identity.Name).FirstOrDefault();
if(!user.isActive) { return Ok("Blocked")}
else {
if (User.Identity.IsAuthenticated) { return Ok("Authorized"); }
else return Ok("Not Authorized");
}
}
but the function Verify is called many times, so searching the database each time is not a good solution. 但是该函数Verify多次调用,因此每次搜索数据库都不是一个好的解决方案。
--> To clarify the signing out in the Angular app, it first clears the access token from local storage, then redirects to sign in page, so it has nothing to do with the Web Api ->为了澄清在Angular应用中的注销,它首先从本地存储中清除访问令牌,然后重定向到登录页面,因此与Web Api无关
--> Please tell me if any point needs to be clarified in my question ->请告诉我我的问题是否需要澄清
1 个解决方案
解决方案1
0 已采纳 2018-10-02 10:57:35
If avoiding db calls is absolutely necessary I would push the responsibility of booting the user from the application to the Angular side. 如果绝对有必要避免数据库调用,那么我将把引导用户从应用程序引导到Angular的责任。 Please see my proposed flow using web sockets below. 请在下面查看我使用网络套接字的建议流程。
- The admin blocks the user , the api gets hit with block instruction for a user. 管理员阻止了用户,而api则被阻止了用户的指令。 The api marks the user as blocked in the database and pushes a message down to the angular application via websockets (I would use signal R for your setup) that contains the userId. api将用户标记为在数据库中被阻止,并通过包含userId的websocket(我将使用信号R进行设置)将消息下推到Angular应用程序。
- The angular application checks if the userId sent from the api is the one that belongs to the current users session (session storage perhaps). 角度应用程序检查从api发送的userId是否属于当前用户会话(可能是会话存储)的用户。 If that is the case boot the user out by clearing hes token and signing him out. 如果是这种情况,请通过清除用户令牌并将其注销来引导用户退出。
- If the user tries to log in again simply move the check to see if a user is blocked to your login method and he/she will no longer be able to log in again. 如果用户尝试再次登录,则只需移动检查以查看用户是否被阻止使用您的登录方法,并且他/她将不再能够再次登录。
This is putting all your eggs in one basket by relying on your socket connection to boot users but it cancels out having the responsibility on the api to check on every call and will reduce the chatter to your db. 通过依靠套接字连接来引导用户,您可以将所有鸡蛋都放在一个篮子里,但是它取消了API负责检查每个调用的责任,这将减少数据库的震颤。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.