Stax.UserAgentBasedRouteBlocking
1.0.1-beta
See the version list below for details.
dotnet add package Stax.UserAgentBasedRouteBlocking --version 1.0.1-beta
NuGet\Install-Package Stax.UserAgentBasedRouteBlocking -Version 1.0.1-beta
<PackageReference Include="Stax.UserAgentBasedRouteBlocking" Version="1.0.1-beta" />
paket add Stax.UserAgentBasedRouteBlocking --version 1.0.1-beta
#r "nuget: Stax.UserAgentBasedRouteBlocking, 1.0.1-beta"
// Install Stax.UserAgentBasedRouteBlocking as a Cake Addin
#addin nuget:?package=Stax.UserAgentBasedRouteBlocking&version=1.0.1-beta&prerelease
// Install Stax.UserAgentBasedRouteBlocking as a Cake Tool
#tool nuget:?package=Stax.UserAgentBasedRouteBlocking&version=1.0.1-beta&prerelease
User Agent Based Route Blocking
Summary
This NuGet library allows you to block certain routes based on whether or not they have a certain user agent. It is a very simple way of doing API based authorisation. It also has the ability to allow certain referrers through, which can help enable your swagger to work for example, or help limit user agents coming from a certain site.
An example might be you want to limit anyone from hitting https://api.example.com/v1/create-user.json unless they have the user agent EXAMPLE.COM-FRONTEND which your front end client sends. You could then also only allow requests with that user agent from https://example.com and also https://api.example.com (the latter which would allow your swagger to work for example).
Why I made this
I wanted a simple way to ensure only my frontend and certain clients could call my API. As a quick and easy way, getting my frontend and API consumers to send a custom user agent was a simple way to solve the problem without using full blown authentication.
How to use
Configuration is set through your appsettings.json (or you can inject as environment variables). Examples on how to configure your appsettings.json to make this work are below.
To enable, you then need to add app.UseUserAgentBasedRouteBlocking(); in your Configure method in your Program.cs/Startup.cs file.
Some how to use notes
- The path check does a "starts with" check. Meaning to protect
https://api.example.com/v1you would enter inUserAgentBasedRouteBlocking:Paths"/v1". This also means it acts like a wildcard meaning anything which starts with "/v1" is protected. Eg:/v1/create.json,/v1/upload.jsonetc - User agent does a contains check, meaning
Mozillawould coverMozilla 5.0 - Linuxfor example. - Referrer does a "contains" check, meaning
https://example.com/a-pagewould be covered by settinghttps://example.comin your config
To use this, you need to
appsettings json configuration
In your appsettings.json you need a structure of:
{
"UserAgentBasedRouteBlocking": {
"Paths": [
LIST
OF
PATHS
TO
CHECK
],
"Referrer": {
"AllowAll": bool - optional defaults to false. If true the Allowed list below is ignored.
"Allowed": [
LIST
OF
ALLOWED
REFERRERS
]
},
"UserAgent": {
"AllowAll": bool - optional defaults to false. If true the Allowed list below is ignored.
"Allowed": [
LIST
OF
ALLOWED
USER
AGENTS
]
}
}
}
Below is an example which:
- Checks the paths,
/v1/hello-world.json,/v1/diagnosticsand/v2- It is important to note that this checks the start of the route, so for example
/v2/api.jsonwould be covered by/v2
- It is important to note that this checks the start of the route, so for example
- Allows requests from
https://google.com,https://facebook.com,https://apiconsumer.com - Allows requests from user agents
API Consumer User AgentandAPI Consumer2 User Agent
{
"UserAgentBasedRouteBlocking": {
"Paths": [
"/v1/hello-world.json",
"/v1/diagnostics",
"/v2/"
],
"Referrer": {
"AllowAll": false,
"Allowed": [
"https://google.com",
"https://facebook.com",
"https://apiconsumer.com"
]
},
"UserAgent": {
"AllowAll": false,
"Allowed": [
"API Consumer User Agent",
"API Consumer2 User Agent"
]
}
}
}
As you have provided allowed lists for user agents and referrers, you do not need to set the AllowAll property for each.
Startup.cs/Program.cs
In your public void Configure(IApplicationBuilder app, IWebHostEnvironment env) you need to add:
app.UseUserAgentBasedRouteBlocking();
So your Configure method may look like:
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseUserAgentBasedRouteBlocking(); <--- added
app.UseSwagger();
app.UseSwaggerUI(c => c.SwaggerEndpoint("/swagger/v1/swagger.json", "Swagger"));
app.UseRouting();
app.UseCors();
app.UseAuthorization();
}
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net6.0 is compatible. net6.0-android was computed. net6.0-ios was computed. net6.0-maccatalyst was computed. net6.0-macos was computed. net6.0-tvos was computed. net6.0-windows was computed. net7.0 was computed. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 was computed. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. |
-
net6.0
- Microsoft.AspNetCore.Server.Kestrel (>= 2.2.0)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.
| Version | Downloads | Last updated |
|---|---|---|
| 1.1.0 | 799 | 1/16/2023 |
| 1.0.1-beta | 187 | 12/24/2022 |
| 1.0.0-beta | 133 | 12/24/2022 |