Request Metrics won’t be very successful if users can’t sign up! We recently completed cookie based user authentication and distributed session using Redis but neglected initial sign up. Now we finally go back and do some boring forms and CRUD work.
A rich set of internal admin tools helps with customer support, system monitoring and visibility. We’ll start our suite of tools with a user admin page to list all users in the system. This page is access controlled using a simple filter attribute. While we’re here, we might as well let users sign out too.
The actual sign up logic is just a boring form submit and user data written to Redis. Because user CRUD was covered previously, we’ll skip it and jump to other interesting bits we ran into.
Simple Access Control with ActionFilterAttributes
Our new admin page should only be accessed by internal users. We could use the claims-based authorization built into ASP.NET Core for this, but it is a bit heavy for our taste. Instead, we use a simple ActionFilterAttribute attached to any controller or controller method that is access controlled:
The custom attribute just concerns itself with determining whether the currently authenticated user is an administrator:
Sign Out a User and Clear Session
We have forgotten about sign out in the midst of all this signing in and signing up. A user should be de-authorized and their session cleared when they sign out. We settle for clearing all data contained within the user’s session because ASP.NET Core no longer has a way to abandon or destroy a session: