General Ramblings

I admit, I have sort of a love-hate relationship with my toddler. I love her so much and she’s so cute and friendly and fun… when she’s in a good mood. When she’s in a bad mood, or doing her “testing boundaries” thing, I want to throttle her.

Where I’m going with that is that I look for things that we can both enjoy together – activities we can sort of “bond” over, where we’re both having a good time. Sometimes this means racing hippity-hop balls around the house, but I can’t really run around for hours (or let her ride my back for hours) like she wants, so finding “quieter” activities is good.

Jenn usually gives Phoe her phone on the way home from day care so Phoe can pick whatever she wants to watch from Netflix. Phoe has now taken to watching Doctor Who of her own volition. She’ll scroll around and look for it.

So the new quiet activity now is watching Doctor Who together. “Daddy, I watch Doctor with you. We watch Doctor together.” Yes, yes we will.

I’ll get her a cup of juice, get myself a Coke or something, and we’ll sit down and watch an episode. She’ll reach her cup over and go, “Cheers!” and we’ll clink together and drink.

She likes to point out the characters. “That’s the Doctor, Daddy.” Yes, that’s the Doctor. “That’s Martha. She doctor, too.” Yes, Martha’s a doctor, too, but not the same kind of doctor. (We’re heading out of third season into fourth.) “Oh, Daddy, he bad guy. Doctor need stop the bad guy.” The Doctor will get him, honey. You know he will. “Cheers!” *clink*

And when one episode ends: “We watch that again, Daddy!” Good girl. My job here is done.

net, gists, aspnet, csharp

One of the new ASP.NET MVC 5 features, authentication filters, has dreadfully little documentation. There’s a Visual Studio Magazine article on it, but that basically replicates the AuthorizeAttribute in a different way. It doesn’t really explain much else.

Diving into the source doesn’t tell you too much, either. The context you get in the filter has a little more of an idea about what you should be doing, but… it’s really not enough.

The real magic happens in the ControllerActionInvoker.InvokeAction method. The source shows that the general flow is like this:

  1. MVC action gets selected.
  2. IAuthenticationFilter.OnAuthentication executes for each authentication filter.
  3. If any OnAuthentication set a result, IAuthenticationFilter.OnAuthenticationChallenge executes with that result, the result runs, and the request is short-circuited.
  4. Otherwise, IAuthorizationFilter.OnAuthorization executes. (The AuthorizeAttribute.)
  5. If any OnAuthorization set a result, IAuthenticationFilter.OnAuthenticationChallenge executes with that result, the result runs, and the request is short-circuited.
  6. Assuming the user is authenticated/authorized, the controller action executes.
  7. IAuthenticationFilter.OnAuthenticationChallenge executes one more time, this time with the action’s own result, before that result is executed.

That last step is the one everything below depends on: whatever a controller action returns passes through OnAuthenticationChallenge, and a filter can swap it for something else before it runs.

From the comments in the code (they talk about letting all authentication filters “contribute to an action result” so that challenges can be combined), the intent is that each filter looks at filterContext.Result and either leaves it alone or replaces it with a result that wraps the previous one, so several filters can each add their own challenge (typically a WWW-Authenticate header) to the same response. The framework doesn’t do any of that wrapping for you, though, and there’s no decorator base class to start from, so what “chaining” should look like is left to you.

However, here’s a simple scenario that I came up with that lets you inject some sort of security challenge into a UI flow using the IAuthenticationFilter.

First, let’s create a custom result type. We’ll use this result as a “flag” in the system to indicate the user needs to be challenged. We’ll derive it from HttpUnauthorizedResult so that if, for whatever reason, no filter replaces it and it gets executed as-is, the response is a 401 and the operation doesn’t proceed.

using System.Web.Mvc;

// Returned from an action to say "this user must be challenged first."
// Executing it unmodified yields HTTP 401, which is the safe default.
public class ChallengeResult : HttpUnauthorizedResult
{
  public ChallengeResult(string postAction)
  {
    this.PostAction = postAction;
  }

  // Local URL the resumed operation will be POSTed to after the challenge.
  public string PostAction { get; private set; }
}

The result stores the location where the user needs to return in order to complete the operation after they’ve been challenged.

Next, let’s create our filter. This filter won’t do anything during the authentication portion of its lifecycle, but it will handle challenges. In this case, it’ll look for our challenge result and take action if the user needs to be challenged.

using System.Web.Mvc;
using System.Web.Mvc.Filters;

public class ChallengeFilter : IAuthenticationFilter
{
  public void OnAuthentication(AuthenticationContext filterContext)
  {
    // Do nothing.
  }

  // Runs after the action (and also after any authentication/authorization
  // short-circuit), so the type check below is what keeps it out of the way.
  public void OnAuthenticationChallenge(AuthenticationChallengeContext filterContext)
  {
    var result = filterContext.Result as ChallengeResult;
    if (result == null)
    {
      // If it's something other than needing a challenge, move on.
      return;
    }

    // Save the location where the user needs to be returned.
    // It lives in session only; the browser never gets to choose it.
    filterContext.HttpContext.Session["postAction"] = result.PostAction;

    // Send the user to be challenged.
    var helper = new UrlHelper(filterContext.RequestContext);
    var url = helper.Action("Index", "Challenge");
    filterContext.Result = new RedirectResult(url);
  }
}

You’ll notice the filter sends the user to a challenge controller. That’s the controller with the form that requires the user to answer a question or re-enter credentials or whatever. We’ll come back to that in a second. Before we do that, let’s see how we’d consume this filter so we can get challenged.

Here’s what you do in the controller where you need to issue a challenge:

  • Check to see if the user’s authorized. If they are, let the operation proceed.
  • If they’re not…
    • Store any form state you’ll need to complete the operation.
    • Issue the challenge result so the filter can pick it up.

A very, very simple controller might look like this:

using System;
using System.Web.Mvc;

public class DoWorkController : Controller
{
  public ActionResult Index()
  {
    // Display the view where the user enters
    // data or whatever.
    return View();
  }

  [HttpPost]
  [ActionName("Index")]
  [ValidateAntiForgeryToken]
  public ActionResult IndexNext(Model model)
  {
    // Handle form submission - POST/REDIRECT/GET.
    if (!this.ModelState.IsValid)
    {
      return View(model);
    }

    // Store the data so we can use it in later steps
    // and possibly in the challenge.
    this.Session["data"] = model;
    return this.RedirectToAction("Review");
  }

  public ActionResult Review()
  {
    var model = (Model)this.Session["data"];
    return View(model);
  }

  [HttpPost]
  [ActionName("Review")]
  [ValidateAntiForgeryToken]
  public ActionResult ReviewNext()
  {
    var model = (Model)this.Session["data"];
    if (model == null)
    {
      // Nothing pending (session expired or the POST was replayed); start over.
      return this.RedirectToAction("Index");
    }

    var authorized = this.Session["authorized"];

    // Here's where you determine if the user needs to
    // be challenged.
    if (UserNeedsChallenge(model) && authorized == null)
    {
      // On successful challenge, POST back to the Review action.
      return new ChallengeResult(this.Url.Action("Review"));
    }

    // If the user gets here, they're authorized or don't need
    // a challenge. Do the work, clear any authorization status,
    // and issue a confirmation view.
    PerformWork(model);
    this.Session.Remove("authorized");
    return this.RedirectToAction("Confirm");
  }

  public ActionResult Confirm()
  {
    // Display some sort of success message about
    // the operation performed.
    var model = (Model)this.Session["data"];
    return View(model);
  }

  // Deciding who gets challenged and doing the actual work is your
  // application's business logic; it's intentionally not shown here.
  private bool UserNeedsChallenge(Model model)
  {
    throw new NotImplementedException();
  }

  private void PerformWork(Model model)
  {
    throw new NotImplementedException();
  }
}

This is obviously not copy/paste ready for use. There are all sorts of things wrong with that sample: the session data is never cleared, a single “authorized” flag in session applies to whatever operation happens to be in there (so there’s no way to handle multiple windows running multiple operations at a time), and so on. The idea holds, though – you need to persist the form data somewhere so you can send the user over to be challenged and then resume the operation when you come back. Maybe you create a service that holds that information in a database; maybe you invent a backing store in session that has a more “keyed” approach so each operation has a unique ID and its own authorized flag. Whatever it is, the important part is that persistence.

OK, so now we have a custom result, a filter that looks for that result and sends the user to be challenged, and a controller that uses some business logic to determine if the user needs the challenge.

The next piece is the challenge controller. This is the controller that asks the user a question, prompts for credentials, or whatever, and resumes the operation once the user successfully answers.

I won’t put the whole controller in here – that’s up to you. The tricky bit is what happens on a successful answer. If you’re doing things right, you’re not doing anything “important” (deleting records, modifying data) on a GET request, so resuming the operation means issuing a POST to the appropriate endpoint, not just redirecting to it. You also have to mark the operation as authorized so the POST to the original controller will skip the challenge.

And don’t forget handling the unauthorized scenario - if the user fails the challenge, you don’t want them to be able to “go back and try again,” so you need to clear out all the state related to the operation.

using System;
using System.Web.Mvc;

public class ChallengeController : Controller
{
  // Other actions in this controller should take care of
  // running the user through the gamut of questions or
  // challenges. In the end, after the final challenge is
  // verified, you need to resume the transaction.
  [HttpPost]
  [ValidateAntiForgeryToken]
  public ActionResult VerifyAnswer(ChallengeModel challenge)
  {
    if (!this.ModelState.IsValid)
    {
      return this.View(challenge);
    }

    // Remove the POST action. It's make-it-or-break-it time.
    // No pending POST action means nobody issued a challenge (the user
    // came here directly), so there is nothing to authorize.
    var postAction = this.Session["postAction"] as string;
    this.Session.Remove("postAction");

    if (postAction == null || !AnswerIsCorrect(challenge.Answer))
    {
      // If the user doesn't make it through all the challenges,
      // clear the data and deny them access.
      this.Session.Remove("authorized");
      this.Session.Remove("data");
      return RedirectToAction("Denied");
    }

    // If they do get the challenge right, authorize the operation
    // and resume where they left off. Send them to a special "success"
    // view with the post action.
    this.Session["authorized"] = true;
    return this.View("Success", postAction);
  }

  // The actual verification (security question, password re-entry,
  // one-time code, ...) is application-specific and not shown.
  private bool AnswerIsCorrect(string answer)
  {
    throw new NotImplementedException();
  }
}

Again, this is not copy/paste ready. It’s just to show you the general premise – if they fail the challenge, you need to remember to clean things up and totally deny access; if they succeed, authorize the challenge and send them on their way.

The final question is in that Success view how to resume the transaction. The easiest way is to issue a very tiny view with a POST action to the original location and auto-submit it via script. That might look something like this:

@model string
@{
  Layout = null;
}
<!DOCTYPE html>
<html><head><title>Successful Authorization</title></head>
<body>
<form method="post" action="@this.Model" id="successform">
@Html.AntiForgeryToken()
<input type="submit" value="Process Transaction" />
</form>
<script>document.getElementById("successform").submit();</script>
</body>
</html>

Nothing too fancy, but works like a charm.

Now when the user succeeds, this form will load up, a POST will be issued back to the original controller doing work, and since the authorization value is set, the user won’t be challenged again – everything will just succeed. One thing worth keeping exactly as it is: the return location comes from session, where the application put it, never from a query string or form field. If you ever do let the client supply it, run it through Url.IsLocalUrl before redirecting or posting to it; otherwise you’ve built an open redirect into your challenge flow.

Last thing to do – register that challenge filter in the global filters collection. That way when you issue the challenge result from your controller, the filter will catch it and do the redirect.

using System.Web.Mvc;

public class FilterConfig
{
  public static void RegisterGlobalFilters(GlobalFilterCollection filters)
  {
    filters.Add(new AuthorizeAttribute());
    filters.Add(new HandleErrorAttribute());

    // Add that challenge filter!
    filters.Add(new ChallengeFilter());
  }
}

You’re done! You’re now using the IAuthenticationFilter to issue a challenge to verify a transaction prior to committing it. This is what I see the primary value of the new IAuthenticationFilter as being, though I wish there was a bit more guidance around it.

There’s a huge, huge ton of room for improvement in the stuff I showed you above. Please, please, please do not just copy/paste it into your app and start using it like it’s production-ready. You need to integrate your own business logic for challenging people. You need to make sure people can’t start two different transactions, authorize one, and then complete the other one. You need to protect yourself against all the standard OWASP stuff. What I’ve shown you here is proof-of-concept spike level stuff that probably would have been really difficult to follow if I put in all the bells and whistles. I’ll leave that as an exercise to the reader.
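The two gaps called out above (persisting each operation under its own key, and making sure a challenge passed for one operation can’t complete a different one) can be closed with a small keyed store. What follows is an added example written for this page, not code from the original post: PendingOperationStore, PendingOperation, DoWorkControllerBase and ChallengeControllerBase are hypothetical names, and the Index/Confirm/Denied/Success views are assumed to exist as in the post. The ChallengeResult now carries an operation ID instead of a URL, each operation gets a CSPRNG-generated ID, an expiry and its own authorized flag, and the operation is removed the moment it is performed or failed, so a replayed POST or a second window finds nothing to complete.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;

// One in-flight operation. Only the random Id ever reaches the browser; the
// form data, the resume URL and the "authorized" flag stay server-side.
public class PendingOperation
{
    public string Id { get; set; }
    public object Data { get; set; }
    public string ResumeAction { get; set; }
    public DateTime ExpiresUtc { get; set; }
    public bool Authorized { get; set; }
}

// Session-backed keyed store (hypothetical). Swap the dictionary for a
// database table if operations must outlive the session or span web nodes.
public static class PendingOperationStore
{
    private const string SessionKey = "pendingOperations";
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(10);

    private static Dictionary<string, PendingOperation> Bag(HttpSessionStateBase session)
    {
        var bag = session[SessionKey] as Dictionary<string, PendingOperation>;
        if (bag == null) session[SessionKey] = bag = new Dictionary<string, PendingOperation>();
        return bag;
    }

    // resumeUrlFor turns the new ID into the local URL the Success view will POST to.
    public static PendingOperation Create(HttpSessionStateBase session, object data, Func<string, string> resumeUrlFor)
    {
        var idBytes = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(idBytes); // 128 unguessable bits
        var id = BitConverter.ToString(idBytes).Replace("-", string.Empty);
        var op = new PendingOperation { Id = id, Data = data, ResumeAction = resumeUrlFor(id), ExpiresUtc = DateTime.UtcNow + Lifetime };
        Bag(session)[id] = op;
        return op;
    }

    // Unknown or expired IDs come back null; an expired entry is purged on the way out.
    public static PendingOperation Get(HttpSessionStateBase session, string id)
    {
        PendingOperation op;
        if (id == null || !Bag(session).TryGetValue(id, out op)) return null;
        if (op.ExpiresUtc < DateTime.UtcNow) { Bag(session).Remove(id); return null; }
        return op;
    }

    public static void Remove(HttpSessionStateBase session, string id) { if (id != null) Bag(session).Remove(id); }
}

// The result names the operation to challenge instead of carrying a URL.
public class ChallengeResult : HttpUnauthorizedResult
{
    public ChallengeResult(string operationId) { this.OperationId = operationId; }
    public string OperationId { get; private set; }
}

// The business hooks stay abstract: they are the application's own logic, as in the post.
public abstract class DoWorkControllerBase : Controller
{
    protected abstract bool UserNeedsChallenge(object data);
    protected abstract void PerformWork(object data);

    [HttpPost, ActionName("Review"), ValidateAntiForgeryToken]
    public ActionResult ReviewNext(string id)
    {
        var op = PendingOperationStore.Get(Session, id);
        if (op == null) return new HttpStatusCodeResult(410); // unknown, expired or already used
        if (UserNeedsChallenge(op.Data) && !op.Authorized) return new ChallengeResult(op.Id);
        PendingOperationStore.Remove(Session, op.Id); // one-time use: a replayed POST finds nothing
        PerformWork(op.Data);
        return RedirectToAction("Confirm");
    }
}

public abstract class ChallengeControllerBase : Controller
{
    protected abstract bool AnswerIsCorrect(string answer);

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult VerifyAnswer(string id, string answer)
    {
        var op = PendingOperationStore.Get(Session, id);
        if (op == null) return RedirectToAction("Denied");
        if (!AnswerIsCorrect(answer))
        {
            PendingOperationStore.Remove(Session, id); // a failed challenge burns the operation
            return RedirectToAction("Denied");
        }
        op.Authorized = true; // authorizes this operation only; any other pending one stays unauthorized
        return View("Success", op.ResumeAction);
    }
}
```

Two pieces of wiring are assumed rather than shown. The form POST that starts an operation calls `PendingOperationStore.Create(Session, model, id => Url.Action("Review", "DoWork", new { id }))` and redirects to the review page with that `id` in the route, and the filter from the post changes in one place: instead of writing a URL into session it redirects with `helper.Action("Index", "Challenge", new { id = result.OperationId })`, so the challenge page and its VerifyAnswer POST know which operation they are verifying. The resume URL itself still never leaves the server.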

Minor aside: It seems to me that there’s some ambiguity between “authentication” and “authorization” here. The AuthorizeAttribute sort of mixes the two, determining both if the user’s authenticated (they have identified themselves) and, optionally, if the user is in a specific role or has a specific name. The IAuthenticationFilter runs before authorization, which is correct, but with the addition of the ability to challenge built in… it seems that it’s more suited to authorization – I’ve already proved who I am, but I may need to be challenged to elevate my privileges or something, which is an authorization thing.

net

I just had an interesting unit test failure I haven’t seen before due to DateTime calculation.

The code under test was roughly like this:

public Lifetime GetTokenLifetime(int seconds)
{
  return new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddSeconds(seconds));
}

The unit test was also pretty straightforward:

[Test]
public void GetTokenLifetime_ExpectedLifetime()
{
  var provider = new Provider();
  var lifetime = provider.GetTokenLifetime(120);
  Assert.AreEqual(120, lifetime.Seconds);
}

The test was intermittently failing… and the error pretty much explained why:

Expected: 120
Actual: 120.0000063d

There was just a tiny fraction of a second elapsing between the first DateTime.UtcNow call and the second one, so the two calls weren’t seeing the same instant and the difference came out slightly over 120.

To fix it, I stored the DateTime in a local variable.

public Lifetime GetTokenLifetime(int seconds)
{
  var now = DateTime.UtcNow;
  return new Lifetime(now, now.AddSeconds(seconds));
}

Something to keep in the back of your mind as you’re working with DateTime - or times in general. If you are setting up a date range based on a fixed point, read that fixed point once, store it, and reuse it for everything you derive from it.
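The same fix, carried one step further so the test no longer depends on the wall clock at all. This is an added example, not the post’s code: Lifetime is assumed to expose Seconds as a double (the failing assertion above reported 120.0000063d, so that matches), and Provider takes an injected clock, which is a technique the post doesn’t use but which is the usual way to make token-expiry code deterministic under test.

```csharp
using System;
using NUnit.Framework;

// Assumed shape of the post's Lifetime type: a start/end pair with the
// duration in (fractional) seconds, plus an expiry check for callers.
public class Lifetime
{
    public Lifetime(DateTime created, DateTime expires)
    {
        if (expires < created) throw new ArgumentException("expires before created", "expires");
        Created = created;
        Expires = expires;
    }

    public DateTime Created { get; private set; }
    public DateTime Expires { get; private set; }
    public double Seconds { get { return (Expires - Created).TotalSeconds; } }

    // Expiry is inclusive: a token is dead at the exact instant it expires.
    public bool IsExpiredAt(DateTime utcNow) { return utcNow >= Expires; }
}

public class Provider
{
    private readonly Func<DateTime> utcNow;

    // Production uses the real clock; tests hand in a frozen one.
    public Provider() : this(() => DateTime.UtcNow) { }
    public Provider(Func<DateTime> utcNow) { this.utcNow = utcNow; }

    public Lifetime GetTokenLifetime(int seconds)
    {
        var now = utcNow(); // read the clock exactly once
        return new Lifetime(now, now.AddSeconds(seconds));
    }
}

[TestFixture]
public class ProviderTests
{
    [Test]
    public void GetTokenLifetime_UsesOneClockReading()
    {
        // Frozen clock: no time passes between the two halves of the range,
        // so Seconds is exactly 120 and the expiry instant itself is checkable.
        var frozen = new DateTime(2013, 10, 1, 12, 0, 0, DateTimeKind.Utc);
        var lifetime = new Provider(() => frozen).GetTokenLifetime(120);

        Assert.AreEqual(120, lifetime.Seconds);
        Assert.AreEqual(frozen.AddSeconds(120), lifetime.Expires);
        Assert.IsFalse(lifetime.IsExpiredAt(frozen.AddSeconds(119)));
        Assert.IsTrue(lifetime.IsExpiredAt(frozen.AddSeconds(120)));
    }
}
```

With the clock injected, the original intermittent failure can’t come back, and the boundary of the expiry window gets a test of its own instead of being implied by a difference.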

gaming, xbox

I haven’t blogged much about games I’m playing recently, so given I’m “between games” at the moment, I figured I’d talk a bit.

Yesterday, after about 172 hours, I finished Skyrim with 1000/1000 achievements. I probably could have finished sooner, but I did spend quite a bit of time building up my various skills and running non-required side missions before getting to the main story. I didn’t get any of the DLC, so the time doesn’t include that.

Back in 2006 I played through Oblivion with a buddy of mine and I don’t remember it being nearly this big. I do remember it being more “grindy” – having to jump a lot to build up stamina, or run everywhere to build up strength. I don’t feel like Skyrim was quite like that, but there was a fair amount of tedium. The alchemy thing – having to make potions – was annoying and tedious. I think there were too many possible combinations of things, too many ingredients. Mining ore to refine into metal ingots that could be fashioned into armor or weapons that you’d then have to improve… yeah, that was pretty tedious, too. But I think the most tedious thing was selling stuff. I had so much stuff to sell and no one had enough money to buy it all. I’d stick it in a chest in my house intending to come back and sell it when I needed money… but I never needed money. I had so much money I couldn’t spend it all. I really wish you could set up sort of a… well, like a consignment deal with the local merchants. Deposit your unwanted stuff in a chest in the shop and over the course of time they’d just take stuff out and put money in.

That’s not to say I didn’t have fun. Skyrim was, for me, incredibly addictive. Just one more mission, just one more quest… and even though a lot of it was sort of the same, I didn’t really get tired of it. If I didn’t have Grand Theft Auto 5 to get to next, I’d go for the DLC on Skyrim.

I played a female orc character, though I spent far too much time getting her to look right considering I play in first person view so I never actually saw her except in a couple of cut scenes after that. I think you had to name your character, too, but they never used her name, or not enough to remember. I think in a couple of ransom notes or something.

What I liked most about Skyrim was how I actually kind of got to know and like (or dislike) some of the NPC characters. Cicero, from the Dark Brotherhood, I hated. I hated him from the first time I met him. He was annoying and whiny. I sold him off to the Blades. The whole battle between the Stormcloaks and the Empire was cool, too – the whole world changes when you decide who to side with and it makes it feel so real and important.

And you could get married in the game, which was neat. I ended up marrying Lydia, my housecarl from Whiterun. It didn’t make sense to me to marry anyone else. She was the first “follower” I got; she was always there and friendly when I went to my house to drop stuff off; and she’s the only real NPC who was totally loyal – she doesn’t stab you in the back or send you on a stupid quest. When I thought about which NPC to marry, it didn’t even occur to me to pick anyone else, like it’d be in-game “cheating” or something. I sort of surprised myself when I felt like that, like it actually mattered somehow, which just speaks to the depth of the game.

Before Skyrim, I ran through Borderlands 2. I got the season pass for that so I’ve run through all the DLC, too, with the exception of this latest “Tiny Tina’s Assault on Dragon Keep.”

I loved the first Borderlands, and this second one didn’t disappoint. Bigger, better, faster, stronger. Great characters, great writing. Some of the Claptrap jokes actually made me laugh out loud and when I think back I still giggle. (“WHY AREN’T YOU LAUGHING? THAT WAS COMEDY F^&*ING GOLD!”)

I had intended to play through it co-op with my dad and uncle, but with our various life commitments it was really hard to get together on a consistent basis. In the end, we all ended up playing through on our own, teaming up occasionally for harder battles.

That’s the biggest problem I had with this latest Borderlands. It pretty much assumed you had a group of four people to run through the game with. The harder guys – no way you can beat them on your own. And even some of the DLC was super hard until you really leveled up and were a few levels above the bad guys. I never did kill most of the “Blah the Impossible” or “Blah the Invincible” characters. I got in there with my dad and uncle, we all died enough times that we lost millions, and we still couldn’t kill these guys. I don’t mind a challenge, and I’m a fairly decent player, but it got pretty ridiculous in there. Watching YouTube videos and reading forums for strategy, I wondered where people were getting these full inventories of super-rare weapons, which I have to assume is because they went through the whole rest of the game with the team of people. What about the solo Vault Hunters?

I played through with a couple of different characters, and with one of my characters I played through twice. After all that, plus the DLC, plus the ridiculous challenge in places… it burned me out. I will probably return to it at some point to get through Tiny Tina’s DLC, but it’ll be a bit.

Somewhere in there I played through BioShock Infinite. I liked it, as I liked the rest of the BioShock franchise, but I didn’t feel all blown away by the ending the way many folks did. The game play was fun, the environments very immersive, and I did love the characters. Some of the “jumping onto skyhook lines” stuff got a little frantic. It was a neat idea, but seemed to make it a little more complex than it should have been. I didn’t play through the DLC in that, and I may at some point since they’ll be returning to Rapture, but, again, after GTA5.

personal, blog, gaming

It’s been a while since I’ve checked in on stuff I do in my off-time, so I figured I’d do a round-up entry to catch up.

Since Phoenix was born it’s been harder to get so-called “free time” to do much. Probably more accurately put: There are a lot of things I like to do, and I have a lot of time to do things if I can involve my toddler, but most of the stuff I want to do isn’t toddler-friendly so I don’t get to do it. I mean, toddlers plus RC helicopters equals disaster.

Jenn’s been helping out a bit trying to get me a bit more time to do stuff on my own. She’ll take Phoe to the zoo or something so I’ll get a chance to pick up some of the activities I used to enjoy but don’t get to as much anymore. What am I up to?

I’m switching up my comic book subscriptions. I’ve had a comic box at Things From Another World for many years and for most of those years I’ve subscribed to the same stuff. I’ve finally started getting caught up on my comic reading (“That 2011 Annual story was great!”) and some of the titles I’ve been subscribing to seem to have jumped the shark, so I’ve been trimming up the list. I’ve canceled Witchblade, The Darkness, and all of my Buffy the Vampire Slayer titles. I’ve been in on those from the beginning, but the stories are feeling played out and stale, and at $3 – $5 a pop, I can find other titles. I’m trying out a couple of new ones like Ten Grand, and I’m keeping Daredevil, Powers, and the myriad Grimm Fairy Tales titles.

I’m getting back into RC helicopters. A few years back I bought the original Blade CX coaxial helicopter from the local hobby shop to start getting into flying. It’s been fun, but I’m not very good at it, and it requires a lot of space with zero wind. Here and there I’ve been upgrading it, adding better blades and so on, but I’ve not really gotten it dialed in. I recently picked up a Blade MSR and a Spektrum DX6i controller and I’m starting to get back into it. The MSR is much smaller so it’s easier to fly indoors, though I still think I need to tweak some of the settings. I’ve also upgraded my Blade CX with a new receiver so I can control both helicopters from the one transmitter. All that, plus I got this monster battery charger so I don’t have the problems getting my batteries properly balanced/charged/stored and I’m good to go.

I’m having fun with frisbee golf. The weather has been really nice this summer so my team at work went to a local course and I played frisbee golf for the first time. I’m not very good, but it’s fun, so I’ve been back a few times since. I picked up a starter kit of discs for myself and one for Jenn. This is something Phoenix can participate in, too – we give her a disc and she throws it all over. (She also runs and fetches your discs after you throw them so you have to watch where they land because they’re not going to stay there long.)

I’m burning hours playing Skyrim. I got Skyrim for Christmas and started playing it a couple months back. That’s a time-sink, right there. It’s kind of relaxing and compelling at the same time. There’s just enough tedium to take my mind off the troubles of the day and enough missions to run that there’s always something to do.

I’m taking online bartending courses. I picked up a membership to Bartending College Online through Groupon a while ago and I’ve had fun watching the videos and learning the various techniques and recipes. I’m not going to quit and go be a bartender, but it’s fun to learn something new that doesn’t have to do with computers.

I haven’t gotten back into electronics with my Snap Circuits yet, but I hope to do that, too. Once it turns to Autumn and the weather goes to crap, frisbee golf will be out and I’ll see about getting into the electronics again. I really enjoy working with them, but about halfway through the exercises that come with the set I realized I don’t have a good grasp of the fundamentals, so I took a pause on it to read a book on the math and basics behind why the components behave the way they do and that’s where I stalled out. It’s not a book you want to read when you’re sleepy, but I think it’s important to understand the basics so I can go beyond what the pre-printed exercises show and maybe make electronic inventions of my own.

I’m trying to migrate my blog to WordPress. Subtext was fun while it lasted, but development on it has pretty much ended and I’d like to be on a supported platform. I honestly thought I’d use my blog as more of a hobby, someplace to try out new code and ideas, but there’s really not any plugin mechanism in Subtext and, while that was the plan, it never came to fruition. Rather than move to another smaller platform and go through the growing pains again (and possible abandonment of the platform) I’m trying to get into WP. That means I have to figure out how to export my content in WP format, though, which isn’t going to be easy.

I’m trying to get my images out of ImageShack. I had a paid account with ImageShack for a year or two to host my images and reduce bandwidth consumption on my hosting provider, but ImageShack randomly deletes or loses images all the time. Like, constantly. Links break, the images disappear… today I found that they’ve “lost” my blog skin images, so my blog doesn’t render right. I’m going to switch to a simpler/lighter-weight skin until I can get that fixed (probably until I move to WordPress – it was time for a change anyway).