简体   繁体   English

直接从 DB vs UserManager 获取 AspNet 用户是不好的做法吗?

[英]Is it bad practice to Fetch AspNet User directly from DB vs UserManager?

  1. What is advantage of using userManager.FindByUsernameAsync() over getting the user directly from DB?与直接从 DB 获取用户相比,使用userManager.FindByUsernameAsync()有什么优势?

  2. Is using UserManager is more secure?使用 UserManager 是否更安全? var user = await UserManager.FindByNameAsync(userName); var user = await UserManager.FindByNameAsync(userName);

The UserManager is a way to abstract the data layer. UserManager是一种抽象数据层的方法。 By setting up Identity at the container level, you allow the UserManager to operate against an IUserStore .通过在容器级别设置 Identity,您允许UserManagerIUserStore进行操作。

For example, you can see that the UserStore eventually performs some additional tasks (like loading claims, logins, and roles).例如,您可以看到UserStore最终执行一些附加任务(如加载声明、登录和角色)。 It also matches on upper (so the normalized name can be used) and with the current culture - details you would want to handle yourself with direct DB lookups.它还匹配上层(因此可以使用规范化名称)和当前文化 - 您希望通过直接数据库查找来处理自己的详细信息。

https://github.com/aspnet/AspNetIdentity/blob/master/src/Microsoft.AspNet.Identity.EntityFramework/UserStore.cs#L400 https://github.com/aspnet/AspNetIdentity/blob/master/src/Microsoft.AspNet.Identity.EntityFramework/UserStore.cs#L400

Additionally, UserManager may be easier for testing, since you don't have to worry about using InMemory for Entity Framework:此外, UserManager可能更易于测试,因为您不必担心将InMemory用于实体框架:

var userManager = new Mock<UserManager<User>>(
    Mock.Of<IUserStore<User>>(),
    Mock.Of<IOptions<IdentityOptions>>(),
    Mock.Of<IPasswordHasher<User>>(),
    new List<IUserValidator<User>>(),
    new List<IPasswordValidator<User>>(),
    Mock.Of<ILookupNormalizer>(),
    new IdentityErrorDescriber(),
    Mock.Of<IServiceProvider>(),
    Mock.Of<ILogger<UserManager<User>>>());

As with any opinionated library, Identity provides UserManager and RoleManager as helpful abstractions of the data access that perform many useful tasks conveniently (avoiding the need to inject the database at all).与任何自以为是的库一样,Identity 提供UserManagerRoleManager作为数据访问的有用抽象,可以方便地执行许多有用的任务(根本不需要注入数据库)。 Additionally, if you find yourself needing to perform some user/role related functionality not provided by these managers, it may be a sign of an anti-pattern.此外,如果您发现自己需要执行这些管理器未提供的某些与用户/角色相关的功能,则可能是反模式的标志。

UPDATE:更新:

Regarding security: UserManager will only be as secure as your database connection set up in the container.关于安全性: UserManager安全性取决于您在容器中设置的数据库连接。 In other words, are you encrypting your connection string?换句话说,您是否正在加密您的连接字符串? Is your communication to the database over a secure connection?您与数据库的通信是否通过安全连接? All the typical database security questions will remain the same whether you abstract your DB connection inside UserManager or inject your DB context directly.无论是在UserManager抽象数据库连接还是直接注入数据库上下文,所有典型的数据库安全问题都将保持不变。 But I think secure database access is another question entirely.但我认为安全数据库访问完全是另一个问题。

There are methods inside UserManager that you would certainly want to use for their security implications - specifically around password creation/management ( CheckPasswordAsync , AddPasswordAsync , etc.). UserManager中有一些方法,您肯定希望使用它们来解决安全问题 - 特别是围绕密码创建/管理( CheckPasswordAsyncAddPasswordAsync等)。 But these ultimately depend on the which implementations of IPasswordHasher and IPasswordValidator are injected into the UserManager .但这些最终取决于IPasswordHasherIPasswordValidator的哪些实现被注入UserManager Your question seems to be related to a simple data lookup, so this is also a separate question.您的问题似乎与简单的数据查找有关,因此这也是一个单独的问题。

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM