empty auth session in mvc


Pete d'Angelo

Feb 12, 2013, 9:09:27 PM
to servic...@googlegroups.com
i'm trying to use service stack with an asp.net mvc app, similar to the social bootstrap API. having an issue tho as the session is always empty when i try to access it in a controller. i'm not sure what i'm missing. i'm not using an AppServiceBase so perhaps that's significant? have a question on SO here

any help would be much appreciated!
thanks
pete 

Demis Bellot

Feb 12, 2013, 11:50:22 PM
to servic...@googlegroups.com
Note: We won't be able to identify or repro the issue with just the details you've pasted in the question.

Have you looked at any of the examples of ServiceStack + MVC with authentication pre-configured? e.g:

If you have, update your question and paste something we can identify and repro, e.g. all your AppHost configuration that has anything to do with Authentication, Registration, Session, Caching, etc.

It would also help if you can paste the HTTP Request traffic containing the `ss-id` and `ss-pid` cookies that the Auth/Session should have auto set for you.






 
 



--
- Demis


Pete d'Angelo

Feb 13, 2013, 10:39:46 PM
to servic...@googlegroups.com
i've uploaded my code to a github repository @ https://github.com/pjacko/ServiceStackMVC
i have looked at both those projects and am using bits of both in my solution. i have noticed that i can access the session if i use the Cache property of ServiceStackController, but not the UserSession property. possibly has something to do with the SessionAs extension method? going to pull down now and look into
thanks

paas...@gmail.com

Feb 14, 2013, 11:57:22 AM
to servic...@googlegroups.com
In your AccountController.Login method you are using var client = new JsonServiceClient(GlobalHelper.GetServiceUrl()); to send your authentication message. 
I believe that the request/response within the JsonServiceClient will have a 'ss-id' and 'ss-pid' cookie set in it. I don't think these cookies 
(within the JsonServiceClient) will be shared with the MVC request/responses (please correct me if I'm wrong). 

Can you try authentication by resolving your AuthenticationService and passing in the MVC HttpContext (something like below). 
This should share the cookies between MVC and ServiceStack.

var authService = AppHostBase.Resolve<AuthService>();
authService.RequestContext = System.Web.HttpContext.Current.ToRequestContext();
var response = authService.Authenticate(new Auth
{
  UserName = model.UserName,
  Password = model.Password,
  RememberMe = model.RememberMe
});
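
A toy model of the cookie separation described in the reply above, added here as an illustration; it is not part of the original thread and uses no ServiceStack types. `ToyAuthServer` and the jar names are hypothetical; the only thing taken from the thread is that the session is looked up through the `ss-id` cookie.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Toy model (constructed for illustration): sessions are keyed by the ss-id
// cookie, as the thread describes. Host name and user name are made up.
class ToyAuthServer
{
    readonly Dictionary<string, string> sessions = new Dictionary<string, string>();

    // Stores the session under the caller's ss-id, issuing a new id if the jar has none.
    public void Authenticate(CookieContainer jar, Uri site, string userName)
    {
        var id = jar.GetCookies(site)["ss-id"]?.Value;
        if (id == null)
        {
            id = Guid.NewGuid().ToString("N");
            jar.Add(site, new Cookie("ss-id", id));
        }
        sessions[id] = userName;
    }

    // Returns the user stored for this jar's ss-id, or null when no session matches.
    public string GetSessionUser(CookieContainer jar, Uri site)
    {
        var id = jar.GetCookies(site)["ss-id"]?.Value;
        return id != null && sessions.TryGetValue(id, out var user) ? user : null;
    }
}

static class Program
{
    static void Main()
    {
        var site = new Uri("http://example.test/api");
        var server = new ToyAuthServer();
        var browserJar = new CookieContainer();   // cookies the browser sends to MVC

        // Broken flow: the controller logs in through its own HTTP client, so the
        // ss-id lands in that client's jar and the browser never receives it.
        var internalClientJar = new CookieContainer();
        server.Authenticate(internalClientJar, site, "alice");
        Console.WriteLine(server.GetSessionUser(browserJar, site) ?? "(empty session)");

        // Working flow: authenticate in the context of the browser's own request,
        // so the session is stored under the ss-id the browser carries.
        server.Authenticate(browserJar, site, "alice");
        Console.WriteLine(server.GetSessionUser(browserJar, site));
    }
}
```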

Pete d'Angelo

Feb 14, 2013, 5:02:40 PM
to servic...@googlegroups.com
eureka, that did the trick, thanks! if you want to post this on the SO question i'll give u the accepted answer. otherwise i'll just write a summary there to potentially help others who may have the same issue.

is it considered better practice to call services in this way as opposed to using the JsonServiceClient? i'm also a little confused as to how to implement "Remember Me" functionality for the user. this works for a single session, but if i restart the app, the user's session will be wiped out. is there a simple way to rehydrate the user auth session? or do i need to explicitly manipulate the cookies?

paas...@gmail.com

Feb 14, 2013, 6:00:03 PM
to servic...@googlegroups.com
> if you want to post this on the SO question i'll give u the accepted answer
I updated the SO post. Feel free to comment/update my response with anything I missed or that would be helpful to others. 

> is it considered better practice to call services in this way as opposed to using the JsonServiceClient?
I'm not really sure what the best practice is. In my current MVC & ServiceStack project I'm using AppHostBase.Resolve to get my 'Services'. Doesn't feel quite right, but I can't explain why. I think the normal ServiceStack use-case is calling the Services/API from a source that doesn't have access to same .dlls (a JavaScript app or an external app). Honestly, my MVC controllers are mainly handing off to ServiceStack to get objects to populate a view...could probably have used a regular .NET Web Application (not MVC) and ServiceStack.Razor and avoided having controllers. I think you can get the JsonServiceClient to work within a controller by doing something like below. YMMV on it...basically trying to inject the MVC cookies into ServiceStack

// Session id of the current MVC request, without the cache-key prefix.
var sessionKey = SessionFeature.GetSessionKey().Replace("urn:iauthsession:", "");
var client = new JsonServiceClient("http://" + HttpContext.Request.Url.Authority + "/api")
{
    LocalHttpWebRequestFilter = (request) =>
    {
        // Send that id as the ss-id cookie on the outgoing ServiceStack request.
        var c = new CookieContainer();
        c.Add(new Uri("http://" + HttpContext.Request.Url.Authority + "/api"), new Cookie() { Name = "ss-id", Value = sessionKey });
        request.CookieContainer = c;
    }
};

> but if i restart the app, the user's session will be wiped out.
I believe you are using container.Register<ICacheClient>(new MemoryCacheClient()); in your AppHost.Configure method so restarting the app will lose all the session information. Check here for 'persisted' cache clients https://github.com/ServiceStack/ServiceStack/wiki/Caching. My recommendation would be Redis.

Pete d'Angelo

Feb 15, 2013, 11:36:04 AM
to servic...@googlegroups.com
my controller logic is similar, basically just calling service, mapping DTO to viewmodel and returning strongly typed view. i felt there may be some additional things i want to do in my controllers but could possibly go the ServiceStack.Razor route as well.

i was originally thinking of using cookies to persist auth sessions across reboots, but redis may also be an option. are you running on windows? if so, any issues with redis there? i'm considering azure for hosting, and am on a shoestring budget so initially will have everything running in a single windows VM.

one other thing i'm a little unsure of is OAuth. in the social bootstrap project, it's just calling ~/api/auth/facebook with app ID and redirect url specified in web.config. this works fine if your host and client are in the same project. but i also have a mono for android client. my confusion is once i get a token from facebook, what's the call i make to SS to authenticate? i had another SO question about this:

paas...@gmail.com

Feb 15, 2013, 2:02:03 PM
to servic...@googlegroups.com
> but redis may also be an option. are you running on windows?
Running Redis on Windows right now only for development. Using Ubuntu Server in production. I'm not sure what the current 'stability' status of Redis is for Windows. Have had no problem with it in development environment. 

> but i also have a mono for android client. my confusion is once i get a token from facebook, what's the call i make to SS to authenticate?
Slightly confused by your question and I'm not real familiar with Facebook authentication. Is your Android app trying to access your ServiceStack application via Facebook auth? I don't think your Android app needs to make its own call to Facebook. It can just authenticate via your ServiceStack application endpoint/url (you get this endpoint 'for free' by plugging in ServiceStack's FacebookAuthProvider). I think this would store/return the proper tokens to allow your Android client access to your ServiceStack application. Not positive though and have no way to test.

Pete d'Angelo

Feb 15, 2013, 10:14:23 PM
to servic...@googlegroups.com
when you make the call to an oauth provider, you pass it a callback. the callback will include a response token that you supply in subsequent requests. so you may be right that the client can delegate this to service stack. but i'm not sure what that call would look like. also, if this is the way to do it, then how do u get the facebook token back from SS to make a call to do something like make a wall post (which shouldn't have to go through SS) 

i've put some code in my github repo to illustrate where i'm getting stuck. i'm using the facebook javascript sdk here:

and my callback is the login action method here:

at this point i've got an auth token from facebook, validated that this is a known user, and now need to login with service stack.

paas...@gmail.com

Feb 16, 2013, 3:15:16 AM
to servic...@googlegroups.com
I'm probably not the best Facebook authentication/api resource, but here is what it looks like to me...

Looking at https://github.com/ServiceStack/ServiceStack/blob/master/src/ServiceStack.ServiceInterface/Auth/FacebookAuthProvider.cs it looks like when you authenticate against ServiceStack (/api/auth/facebook) that it is handling Facebook's response similar to how you are handling it within your JavaScript callback. In ServiceStack it appears to be storing the Facebook tokens within the user Session. 

As far as your 'callback is the login action', aren't you already authenticated within ServiceStack at this point? Lines 29-41 appear to be making another authentication request to ServiceStack. Your initial call to (api/auth/Facebook) should handle all necessary ServiceStack (and Facebook) authentication. Can you place a breakpoint somewhere in this code and inspect your ServiceStack Session (base.UserSession) and see what it all contains? Your controller will need to inherit from ServiceStackController in order to inspect the Session.

In order to make a wall post I think you would still use the JavaScript api, but you could get the Facebook token from the ServiceStack Session.

Pete d'Angelo

Feb 19, 2013, 9:28:45 PM
to servic...@googlegroups.com
in my callback to '/Facebook/Login', i am authenticated with facebook but have not yet authenticated with service stack. so i need to do that but getting confused how. i don't want to provide a callback url (for example my client is an android app). i see in social bootstrap api this line to inject an auth header:

webReq.Headers[HttpRequestHeader.Authorization] = OAuthAuthorizer.AuthorizeRequest(
                        twitterAuth.OAuthProvider, twitterAuth.AccessToken, twitterAuth.AccessTokenSecret, HttpMethods.Get, uri, null);

so maybe that's what i need to do to authenticate once i have an access token?