Merge pull request #12 from DuendeSoftware/roland/securesss

Secure ServerSideSessions page in the same way as Diagnostics

Author: RolandGuijt

.gitignore

@@ -0,0 +1,5 @@
+################################################################################
+# This .gitignore file was automatically created by Microsoft(R) Visual Studio.
+################################################################################
+
+/.vs

Pages/Diagnostics/Index.cshtml.cs

@@ -16,16 +16,9 @@ public class Index : PageModel
 
     public async Task<IActionResult> OnGet()
     {
-        var localAddresses = new List<string?> { "127.0.0.1", "::1" };
-        if(HttpContext.Connection.LocalIpAddress != null)
-        {
-            localAddresses.Add(HttpContext.Connection.LocalIpAddress.ToString());
-        }
-
-        if (!localAddresses.Contains(HttpContext.Connection.RemoteIpAddress?.ToString()))
-        {
+        //Replace with an authorization policy check
+        if (HttpContext.Connection.IsRemote())
             return NotFound();
-        }
 
         View = new ViewModel(await HttpContext.AuthenticateAsync());
 

Pages/Extensions.cs

@@ -39,4 +39,22 @@ internal static IActionResult LoadingPage(this PageModel page, string? redirectU
 
         return page.RedirectToPage("/Redirect/Index", new { RedirectUri = redirectUri });
     }
+
+    /// <summary>
+    /// Check for a remote connection (non-localhost)
+    /// </summary>
+    internal static bool IsRemote(this ConnectionInfo connection)
+    {
+        var localAddresses = new List<string?> { "127.0.0.1", "::1" };
+        if (connection.LocalIpAddress != null)
+        {
+            localAddresses.Add(connection.LocalIpAddress.ToString());
+        }
+
+        if (!localAddresses.Contains(connection.RemoteIpAddress?.ToString()))
+        {
+            return true;
+        }
+        return false;
+    }
 }

Pages/ServerSideSessions/Index.cshtml.cs

@@ -35,8 +35,12 @@ public IndexModel(ISessionManagementService? sessionManagementService = null)
         [BindProperty(SupportsGet = true)]
         public string? Prev { get; set; }
 
-        public async Task OnGet()
+        public async Task<ActionResult> OnGet()
         {
+            //Replace with an authorization policy check
+            if (HttpContext.Connection.IsRemote())
+                return NotFound();
+
             if (_sessionManagementService != null)
             {
                 UserSessions = await _sessionManagementService.QuerySessionsAsync(new SessionQuery
@@ -48,13 +52,18 @@ public async Task OnGet()
                     SubjectId = SubjectIdFilter
                 });
             }
+            return Page();
         }
 
         [BindProperty]
         public string? SessionId { get; set; }
 
         public async Task<IActionResult> OnPost()
         {
+            //Replace with an authorization policy check
+            if (HttpContext.Connection.IsRemote())
+                return NotFound();
+
             ArgumentNullException.ThrowIfNull(_sessionManagementService);
 
             await _sessionManagementService.RemoveSessionsAsync(new RemoveSessionsContext {