I'm trying to build a Blazor application that is hosted on the server and the starting point is inside a razor page. Something like that:
<component type="typeof(Main)" render-mode="ServerPrerendered" param-Data="@simple"/>
My questions are:
What if my razor page does have a custom authentication based on database values inside the OnGetAsync method - do I need to redo some of that stuff inside blazor or does the stateful component only gets rendered when the razor page works ?
What happens if I have an arbitrary if/else block that would have a button call, would that button call be guarded by the state ?
Something along the lines:
@if (HasPermission)
{
   <button type="button" onclick="MutateDatabase">MutateDatabase</button>
}
There is an option available to enable authentication for the Blazor app when you create the application. To enable authentication for Blazor server app, click on “Change” under “Authentication section and select “Individual User Accounts” option and then click on “Ok” button when you create a new Blazor server app.
Razor components can be integrated into Razor Pages and MVC apps in a hosted Blazor WebAssembly solution.
If you were considering a Windows desktop application (built on something like WPF), Blazor is a more future-forward choice. But if you're a business building modern, public web applications, there's very little chance you'll recommend a client start with Blazor today.
To make a Blazor page accessible by all users, use [AllowAnonymous] with @attribute code in the _Imports. razor file in your app. By doing this users can access the secured page (here we secured the fetch data) without a login.
I assume you run Blazor Server (At the time of writing WASM is still in preview and will be quite different security-wise).
The documentataion states that Blazor does indeed integrate with ASP.NET Core identity:
Blazor Server apps include a built-in
AuthenticationStateProviderservice that obtains authentication state data from ASP.NET Core's HttpContext.User. This is how authentication state integrates with existing ASP.NET Core server-side authentication mechanisms.
Now, to your questions:
Given your rendering mode, for Blazor to kick in, the Razor page has to render an initial state and mark the element where Blazor is to manage the view later on. The way AuthorizeAttribute works (I presume this is what you meant?) will block the page from rendering, so this should prevent Blazor from starting altogether - you will get redirected away to authenticate. Once your users are past that gate though - be aware that Blazor handles [Authorize] on child controls differently: 
Only use
[Authorize]on@pagecomponents reached via the Blazor Router. Authorization is only performed as an aspect of routing and not for child components rendered within a page. To authorize the display of specific parts within a page, useAuthorizeViewinstead.
(this doesn't seem to be your case, but I'd put it here just in case)
I'm not entirely sure if I understand the statement here: circuit is the term MS uses to identify the slice of server where your application instance lives while it's displayed to a client. The connection is maintained via websockets and is generally scoped to a session (check out cookies and url parameters to your /_blazor endpoint). The user is however not guaranteed to have same circuit throughout application lifetime (due to connection issues or server load-balancer config) - and it is fine, you are expected to handle state persistance across circuits yourself.
It's probably best to follow Blazor's security management page: you have a couple of options to ensure you're catering for authenticated users:
<AuthorizeView> to control what gets rendered:<AuthorizeView>
<Authorized>
    <button type="button" onclick="MutateDatabase">MutateDatabase</button>
</Authorized>
<NotAuthorized>
    <p>You're not signed in.</p>
</NotAuthorized>
</AuthorizeView>
You can technically use an if (user.IsInRole()) statement, but that might not get updated when User AuthenticationState changes. 
If this is not sufficient, you can either pick up cascading AuthenticationState parameter or look at implementing your own AuthenticationStateProvider 
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With