RehanSaeed / rehansaeed.github.io

Muhammad Rehan Saeed's Blog
https://rehansaeed.com

[Comment] ASP.NET Core Boilerplate #58

Open RehanSaeed opened 4 years ago

RehanSaeed commented 4 years ago

https://rehansaeed.com/asp-net-mvc-boilerplate/

RehanSaeed commented 4 years ago

Muhammad Rehan Saeed commented on 2015-08-02 18:44:32

> Yeah, you're right, but I'm talking about debugging on the local machine. In your template custom error is off, but when an error happens it shows me an error page instead of the yellow page. How is that possible?

Thanks for highlighting this issue Reza! I have created a fix for the next version. The httpErrors section in Web.config has an attribute called existingResponse which needs to be set to PassThrough in debug mode and Replace in release mode. I have also updated the Web.Release.config with the above transformation.

RehanSaeed commented 4 years ago

G- commented on 2015-08-13 22:55:44

Hi Rehan, this is an awesome template, and helpful learning.

I am running into some problems with Web Api 2 (MVC5). In WebApiConfig.cs, these two lines are broken.

config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

I know now that maybe it is too early for me to use this template... But, is there anything I can, or need, to do specifically, to open my web api routes? I have kinda been stuck and spinning my wheels on this... Thanks, and great job!

G-

RehanSaeed commented 4 years ago

Founder commented on 2015-08-14 12:19:29

Hi

Do you have a link to the latest vsix? Visual Studio Gallery is slow to update

RehanSaeed commented 4 years ago

Muhammad Rehan Saeed commented on 2015-08-14 19:31:36

> Hi Rehan, this is an awesome template, and helpful learning.
>
> I am running into some problems with Web Api 2 (MVC5). In WebApiConfig.cs, these two lines are broken.
>
> config.SuppressDefaultHostAuthentication();
> config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
>
> I know now that maybe it is too early for me to use this template... But, is there anything I can, or need, to do specifically, to open my web api routes? I have kinda been stuck and spinning my wheels on this... Thanks, and great job!
>
> G-

What errors are you getting? Are you getting VS errors, browser errors, Elmah errors? A lot of people have trouble with CSP because it blocks things by default. See my blog post on CSP for more info and see your browser console for any errors.

Hope that helps.

RehanSaeed commented 4 years ago

Muhammad Rehan Saeed commented on 2015-08-14 19:33:33

> Hi
>
> Do you have a link to the latest vsix? Visual Studio Gallery is slow to update

I assume you are talking about the ASP.NET 5 MVC 6 release which is version 2.0.0. I have to manually submit it to the VS gallery. I'm just doing some final testing, you will see it in a day or two :).

RehanSaeed commented 4 years ago

Dave Black commented on 2015-08-17 03:12:36

You, sir, are a star.

RehanSaeed commented 4 years ago

shahram iranian commented on 2015-08-21 07:55:30

thanks for u. very good

RehanSaeed commented 4 years ago

Diin commented on 2015-08-25 00:10:13

I have now been able to modify your boilerplate mvc5 and have added identity 2 - Int for userId and mysql as backend. I had some hiccups like RenderActions were trying to redirect - to put a backslash - I now found a way out: to comment whole controllers with [NoTrailingSlash]. Is that the way to go if one does not want the backslash for the whole application?

RehanSaeed commented 4 years ago

Muhammad Rehan Saeed commented on 2015-08-25 08:00:35

> I have now been able to modify your boilerplate mvc5 and have added identity 2 - Int for userId and mysql as backend. I had some hiccups like RenderActions were trying to redirect - to put a backslash - I now found a way out: to comment whole controllers with [NoTrailingSlash]. Is that the way to go if one does not want the backslash for the whole application?

Look at the RedirectToCanonicalUrlAttribute in FilterConfig.cs. Read the comments for the class and it will become clear.

RehanSaeed commented 4 years ago

Matt commented on 2015-08-26 14:42:42

I am running into an issue displaying a pdf file in the browser using this template. In IE it is always prompting to save instead of displaying in the browser. It seems to be related to this template as I can create a new MVC web (non-boilerplate) app and use the same code to display the pdf and it works fine in all browsers. Is there a setting that would block this that I am missing somewhere? Thanks

RehanSaeed commented 4 years ago

Muhammad Rehan Saeed commented on 2015-08-26 15:00:35

> I am running into an issue displaying a pdf file in the browser using this template. In IE it is always prompting to save instead of displaying in the browser. It seems to be related to this template as I can create a new MVC web (non-boilerplate) app and use the same code to display the pdf and it works fine in all browsers. Is there a setting that would block this that I am missing somewhere? Thanks

Take a look at the NWebSec XDownloadOptionsAttribute. It adds the X-Download-Options HTTP header. When users save the page, it stops them from opening it and forces a save and manual open. ASP.NET Core Boilerplate is all about being secure by default but if you have a specific requirement then feel free to remove this HTTP header from specific areas where you need to open the PDF directly.

RehanSaeed commented 4 years ago

Matt commented on 2015-08-26 15:16:21

I left it enabled for the site and for the one particular method I set [XDownloadOptions(Enabled=false)] and that seemed to be what I needed.

RehanSaeed commented 4 years ago

Muhammad Rehan Saeed commented on 2015-08-26 15:20:53

> I left it enabled for the site and for the one particular method I set [XDownloadOptions(Enabled=false)] and that seemed to be what I needed.

Cool, glad you got it sorted.

RehanSaeed commented 4 years ago

Matt commented on 2015-09-08 22:03:23

How do you allow Google analytics to the csp settings?

RehanSaeed commented 4 years ago

Jeremy Moore commented on 2015-09-08 23:01:44

I can only seem to run this in IIS Express from within Visual Studio. When I publish to localhost, it only displays a blank page. I tried commenting out the filters in the FilterConfig, but no luck. I am new to this stuff and have a feeling it's something very basic, but I can't seem to figure it out. Any help would be appreciated. Thanks for providing this great template!

RehanSaeed commented 4 years ago

Muhammad Rehan Saeed commented on 2015-09-09 06:36:59

> How do you allow Google analytics to the csp settings?

You just need to add the Google Analytics URL to script-src. You can check the Chrome browser's console and it will tell you what you need exactly.

RehanSaeed commented 4 years ago

Muhammad Rehan Saeed commented on 2015-09-09 06:39:31

> I can only seem to run this in IIS Express from within Visual Studio. When I publish to localhost, it only displays a blank page. I tried commenting out the filters in the FilterConfig, but no luck. I am new to this stuff and have a feeling it's something very basic, but I can't seem to figure it out. Any help would be appreciated. Thanks for providing this great template!

There are certain settings in the system.webServer section of Web.config that control IIS, that are not available for older versions of IIS. See the Compatibility section of ReadMe.html.

RehanSaeed commented 4 years ago

Matt commented on 2015-09-09 15:43:14

> You just need to add the Google Analytics URL to script-src. You can check the Chrome browser's console and it will tell you what you need exactly.

Using Chrome I noticed that firebug is also being blocked: chrome-extension://bmagokdooijbeehmkpknfglimnifench/firebug-lite.js:15309 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content

RehanSaeed commented 4 years ago

Muhammad Rehan Saeed commented on 2015-09-09 16:34:19

> Using Chrome I noticed that firebug is also being blocked: chrome-extension://bmagokdooijbeehmkpknfglimnifench/firebug-lite.js:15309 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content

That makes perfect sense. FireBug is injecting script into the page. It's worth noting CSP blocks a lot of stuff like this e.g. evil government/ISP/router/Proxy injected scripts and browser extensions. Most of the time, this is exactly what you want...except this time.

You should stick to using the standard browser developer tools (I personally have always found FireBug to be a bit slow so I ditched it). I wouldn't recommend it but you could also disable CSP temporarily or remove it entirely.

RehanSaeed commented 4 years ago

Jeremy Moore commented on 2015-09-09 21:58:10

> There are certain settings in the system.webServer section of Web.config that control IIS, that are not available for older versions of IIS. See the Compatibility section of ReadMe.html.

Works! Should've read that doc better. Thanks for replying so fast and not calling me a nitwit for missing it in the readme file!

RehanSaeed commented 4 years ago

Rob M commented on 2015-09-30 10:44:25

Are you planning to make it a layered architecture or domain design, which will be a little bit cleaner I believe.

RehanSaeed commented 4 years ago

Muhammad Rehan Saeed commented on 2015-09-30 14:23:18

> Are you planning to make it a layered architecture or domain design, which will be a little bit cleaner I believe.

I'm not sure exactly what you are asking. There is not really much code in the project templates to add any layers. I've tried to keep it as simple as possible and only writing services where I absolutely need them. All services use IoC and are fully testable.

I'm trying to break up the MVC 6 project template using a feature selection wizard so that you only get the bare minimum you want. The MVC 5 project will stay as is for now. I'm still in the process of splitting off things into features you can select.

RehanSaeed commented 4 years ago

Patrik Johansson commented on 2015-10-02 11:50:12

Rob, you should probably have a look here for that.

http://www.aspnetboilerplate.com/

RehanSaeed commented 4 years ago

Muhammad Rehan Saeed commented on 2015-10-02 12:00:36

> Rob, you should probably have a look here for that.
>
> http://www.aspnetboilerplate.com/

Yes, my template focuses on the basics. Look at Patrik's suggestion for a fuller solution.

RehanSaeed commented 4 years ago

Rob M commented on 2015-10-02 14:09:21

I think this solution is more comprehensive than the one suggested by Patrik. Although that layered breakdown is what I would like to see in this solution.

I am moving things such as services etc. to their own class library projects and that makes this template look much cleaner, hence I suggested/asked that.

Anyway, thanks for the suggestion :-)

RehanSaeed commented 4 years ago

Matt commented on 2015-10-13 20:15:12

Using your template for a 2nd time, it's nice :). My next project utilizes Telerik MVC controls. I added all the Kendo CDN scripts and set the domain for the Kendo CDN property in CspScriptSrcAttribute. Facing an error "Error: Invalid template:'" for the Kendo scripts. Have you seen this? Any workaround other than setting unsafeeval false? Thanks

RehanSaeed commented 4 years ago

Muhammad Rehan Saeed commented on 2015-10-14 09:53:22

> Using your template for a 2nd time, it's nice :). My next project utilizes Telerik MVC controls. I added all the Kendo CDN scripts and set the domain for the Kendo CDN property in CspScriptSrcAttribute. Facing an error "Error: Invalid template:'" for the Kendo scripts. Have you seen this? Any workaround other than setting unsafeeval false? Thanks

If CSP is causing any problems, the browser will tell you in the F12 developer tools console. It will even tell you how to change your CSP policy to fix the problem. If this is MVC 5, you should also see an error appear in Elmah.

RehanSaeed commented 4 years ago

Valentin commented on 2015-10-22 10:34:54

Great work man. Keep it up!

RehanSaeed commented 4 years ago

Laurentiu commented on 2015-10-23 14:18:32

Hi,

Is Boilerplate multi-model friendly? What I want to say? In real life apps, we have this kind of scenario: on views (starting with Index) we need to pull and render data from various models at a time (e.g. data from Candidates and Employers tables) and even more from their "child" models. Obviously we do this with ViewModel(s) manually, but it is not always as easy as we can expect and is prone to errors. Not to mention the entry/edit data scenario when we have to deal with more than the main model (e.g. an entry form with more than one "child" subforms).

Thnx.

RehanSaeed commented 4 years ago

Muhammad Rehan Saeed commented on 2015-10-26 07:00:11

> Hi,
>
> Is Boilerplate multi-model friendly? What I want to say? In real life apps, we have this kind of scenario: on views (starting with Index) we need to pull and render data from various models at a time (e.g. data from Candidates and Employers tables) and even more from their "child" models. Obviously we do this with ViewModel(s) manually, but it is not always as easy as we can expect and is prone to errors. Not to mention the entry/edit data scenario when we have to deal with more than the main model (e.g. an entry form with more than one "child" subforms).
>
> Thnx.

It's annoying but creating your own ViewModel is the best way. Alternatively, you can sacrifice a tiny bit of performance and use the ViewBag. I don't think there is much I can do to improve this situation.

RehanSaeed commented 4 years ago

Lincoln Pires commented on 2015-11-04 10:27:45

Hi,

Could you please post a change log, when you update the template?

Tks!

The correct link is under the header "Release Notes and To-Do List" above.

RehanSaeed commented 4 years ago

Matt commented on 2015-11-16 22:05:46

Hi, I ran across another issue using this template. I am using identity 2.0 and create a user and generate email confirmation token that sends to user's email for them to verify. The issue I am seeing is that when verifying the email, the token is always invalid. I noticed when debugging the confirmemail action that the token comes back as a lowered string which is why it is invalid. Would this be caused from RouteTable.Routes.LowercaseUrls and/or routes.LowercaseUrls = true? Please advise? Thanks

RehanSaeed commented 4 years ago

Matt commented on 2015-11-17 13:50:47

> Hi, I ran across another issue using this template. I am using identity 2.0 and create a user and generate email confirmation token that sends to user's email for them to verify. The issue I am seeing is that when verifying the email, the token is always invalid. I noticed when debugging the confirmemail action that the token comes back as a lowered string which is why it is invalid. Would this be caused from RouteTable.Routes.LowercaseUrls and/or routes.LowercaseUrls = true? Please advise? Thanks

I ended up solving my issue by setting RedirectToCanonicalUrlAttribute properties for my controller method. Might want to update read me to state that identity email confirmation tokens will fail confirmation with "invalid token" error if the lowercaseUrls is not set for the confirm email method. Thanks

RehanSaeed commented 4 years ago

Jan Larsen commented on 2015-11-25 11:13:45

> No need to be sorry, CSP is pretty complicated. It looks like you are using an in-line script tag in your view, which is not allowed by default in CSP because it's a security risk. To fix this problem you have two options:
>
>   1. Move your script into a separate JavaScript file and link to it. This will work because you have the 'self' parameter set on your 'script-src' directive in your CSP policy. This is also best practice anyway.
>   2. You can pass the 'unsafe-inline' parameter to the 'script-src' directive, which will allow in-line scripts to run but as the name implies it is unsafe and you will not be getting the full benefit of using CSP.

Hello

Could you please elaborate on how this "Move your script into a separate JavaScript file and link to it. This will work because you have the self parameter set on your script-src directive in your CSP policy. This is also best practice anyway." is done. I'm pretty new to JS and I have added Identity framework to your solution but my log out link on the default _LoginPartial.cshtml won't execute... Actually I can't get any script to execute on other pages as well... What am I missing?

RehanSaeed commented 4 years ago

Muhammad Rehan Saeed commented on 2015-12-04 08:47:10

> Hello
>
> Could you please elaborate on how this "Move your script into a separate JavaScript file and link to it. This will work because you have the self parameter set on your script-src directive in your CSP policy. This is also best practice anyway." is done. I'm pretty new to JS and I have added Identity framework to your solution but my log out link on the default _LoginPartial.cshtml won't execute... Actually I can't get any script to execute on other pages as well... What am I missing?

I recommend you spend some time learning about JavaScript and CSP to save you time in the long run.

RehanSaeed commented 4 years ago

Bernd commented on 2015-12-14 15:35:32

> If CSP is causing any problems, the browser will tell you in the F12 developer tools console. It will even tell you how to change your CSP policy to fix the problem. If this is MVC 5, you should also see an error appear in Elmah.

Telerik UI for MVC is opening security holes. If you want to compile templates, enable "unsafe-eval". As stated here: http://docs.telerik.com/kendo-ui/troubleshoot/content-security-policy Besides that, the HTML helper is generating inline script. You need to enable unsafe-inline too.

RehanSaeed commented 4 years ago

Matt commented on 2015-12-17 14:09:15

Added identity and owin to my project and I'm testing login page with a return url and I keep getting a login loop. I tested the same in a regular MVC project with identity installed and do not get this issue. Any setting I may have missed that would cause this?

RehanSaeed commented 4 years ago

Matt commented on 2015-12-17 15:55:46

The login loop has something to do with add seo optimization filter.

RehanSaeed commented 4 years ago

Matt commented on 2015-12-17 16:07:04

routes.LowercaseUrls = true in routeconfig will cause a login loop when using a redirect url.

RehanSaeed commented 4 years ago

Bernd commented on 2015-12-21 18:47:33

One security option is missing in the template.

MvcHandler.DisableMvcResponseHeader = true;

See: http://www.acunetix.com/vulnerabilities/web/asp-net-mvc-version-disclosure

RehanSaeed commented 4 years ago

Kerem commented on 2015-12-24 12:41:22

Hi Rehan,

There is a problem in MVC6 RC1 Update 1 template. RazorPreCompileModule throws missing assembly error. I've added Microsoft.AspNet.Razor.Runtime.Precompilation to dependencies and added a using line for it in RazorPreCompilation.cs. That fixed the problem.

Great template. Thanks for your efforts.

RehanSaeed commented 4 years ago

JFL commented on 2016-01-05 23:00:44

> routes.LowercaseUrls = true in routeconfig will cause a login loop when using a redirect url.

Hi Matt

Did you solve it? In Login.cshtml I changed my Html.BeginForm to:

@using (Html.BeginForm("Login", "Account", FormMethod.Post, new { @class = "form-horizontal", role = "form" }))

And added (note returnurl is lowercase):

@Html.Hidden("returnurl", new { returnurl = ViewBag.ReturnUrl })

Btw. Have you solved the problem where the logoff feature is not working (does not fire)? The current code looks like this:

using (Html.BeginForm("LogOff", "Account", FormMethod.Post, new { id = "logoutForm", @class = "navbar-right" }))
{
    @Html.AntiForgeryToken()

    @Html.ActionLink("Hello " + User.Identity.GetUserName() + "!", "Index", "Manage", routeValues: null, htmlAttributes: new { title = "Manage" })

    <a href="javascript:document.getElementById('logoutForm').submit()">Log off</a>
}

I'm sure it has something to do with javascript:document.getElementById('logoutForm').submit() and CSP but trying to move it to site.js has not helped me... Anyone?
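
The change asked about in the two comments above (moving the log off script out of the markup so that a `script-src 'self'` policy allows it), as an added example that is not from the thread or the template. A `javascript:` URL counts as inline script, so a policy without 'unsafe-inline' blocks it; the `data-submit-form` attribute and the `wireSubmitLinks` function are names made up for this example.

```javascript
// site.js, served from the site's own origin so that script-src 'self' allows it.
//
// Markup change in _LoginPartial.cshtml (data-submit-form is a hypothetical
// attribute name chosen for this example):
//   before: <a href="javascript:document.getElementById('logoutForm').submit()">Log off</a>
//   after:  <a href="#" data-submit-form="logoutForm">Log off</a>
// The form, its id and the anti-forgery token stay exactly as they are.

// Attach a click handler to every link that names a form to submit.
// Returns the number of links wired, which is handy when checking in the
// console that the script actually ran on the page.
function wireSubmitLinks(doc) {
  var links = doc.querySelectorAll('[data-submit-form]');
  var wired = 0;
  Array.prototype.forEach.call(links, function (link) {
    var form = doc.getElementById(link.getAttribute('data-submit-form'));
    if (!form) {
      return; // e.g. a page where the user is logged out and the form is absent
    }
    link.addEventListener('click', function (event) {
      event.preventDefault(); // do not navigate to href="#"
      form.submit();          // POSTs the form, hidden anti-forgery field included
    });
    wired += 1;
  });
  return wired;
}

// Run once the DOM exists. The typeof guard only keeps this file loadable
// outside a browser (for unit tests); in the browser it always runs.
if (typeof document !== 'undefined') {
  if (document.readyState === 'loading') {
    document.addEventListener('DOMContentLoaded', function () {
      wireSubmitLinks(document);
    });
  } else {
    wireSubmitLinks(document);
  }
}
```

The file has to be referenced with a normal `<script src="...">` tag pointing at the same origin; an inline `<script>` block that calls it would be blocked for the same reason as the original link.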

RehanSaeed commented 4 years ago

Muhammad Rehan Saeed commented on 2016-01-07 16:02:02

> Telerik UI for MVC is opening security holes. If you want to compile templates, enable "unsafe-eval". As stated here: http://docs.telerik.com/kendo-ui/troubleshoot/content-security-policy Besides that, the HTML helper is generating inline script. You need to enable unsafe-inline too.

That's sad...they should really sort that out.

RehanSaeed commented 4 years ago

Muhammad Rehan Saeed commented on 2016-01-07 16:19:01

> routes.LowercaseUrls = true in routeconfig will cause a login loop when using a redirect url.

I've updated the NuGet package to include a new NoLowercaseQueryStringAttribute attribute. This should be applied to the AccountController if you are using ASP.NET Identity. You will then no longer have any problems.

RehanSaeed commented 4 years ago

Muhammad Rehan Saeed commented on 2016-01-07 16:25:37

> One security option is missing in the template. MvcHandler.DisableMvcResponseHeader = true; See: http://www.acunetix.com/vulnerabilities/web/asp-net-mvc-version-disclosure

I believe, using NWebSec negates the need for this.

RehanSaeed commented 4 years ago

Muhammad Rehan Saeed commented on 2016-01-07 16:28:09

> Hi Matt
>
> Did you solve it? In Login.cshtml I changed my Html.BeginForm to:
>
> @using (Html.BeginForm("Login", "Account", FormMethod.Post, new { @class = "form-horizontal", role = "form" }))
>
> And added (note returnurl is lowercase):
>
> @Html.Hidden("returnurl", new { returnurl = ViewBag.ReturnUrl })
>
> Btw. Have you solved the problem where the logoff feature is not working (does not fire)? The current code looks like this:
>
> using (Html.BeginForm("LogOff", "Account", FormMethod.Post, new { id = "logoutForm", @class = "navbar-right" }))
> {
>     @Html.AntiForgeryToken()
>
>     @Html.ActionLink("Hello " + User.Identity.GetUserName() + "!", "Index", "Manage", routeValues: null, htmlAttributes: new { title = "Manage" })
>
>     <a href="javascript:document.getElementById('logoutForm').submit()">Log off</a>
> }
>
> I'm sure it has something to do with javascript:document.getElementById('logoutForm').submit() and CSP but trying to move it to site.js has not helped me... Anyone?

I've updated the NuGet package to include a new NoLowercaseQueryStringAttribute attribute. This should be applied to the AccountController if you are using ASP.NET Identity. You will then no longer have any problems.

RehanSaeed commented 4 years ago

Muhammad Rehan Saeed commented on 2016-01-07 16:55:44

> Hi Rehan,
>
> There is a problem in MVC6 RC1 Update 1 template. RazorPreCompileModule throws missing assembly error. I've added "Microsoft.AspNet.Razor.Runtime.Precompilation" to dependencies and added a using line for it in RazorPreCompilation.cs. That fixed the problem.
>
> Great template. Thanks for your efforts.

Thanks, that will be fixed in the next update.

RehanSaeed commented 4 years ago

jfl commented on 2016-01-07 18:14:03

> I've updated the NuGet package to include a new NoLowercaseQueryStringAttribute attribute. This should be applied to the AccountController if you are using ASP.NET Identity. You will then no longer have any problems.

Is the logoff also solved when using identity?

RehanSaeed commented 4 years ago

Matt commented on 2016-01-07 18:39:49

> Hi Matt
>
> Did you solve it? In Login.cshtml I changed my Html.BeginForm to:
>
> @using (Html.BeginForm("Login", "Account", FormMethod.Post, new { @class = "form-horizontal", role = "form" }))
>
> And added (note returnurl is lowercase):
>
> @Html.Hidden("returnurl", new { returnurl = ViewBag.ReturnUrl })
>
> Btw. Have you solved the problem where the logoff feature is not working (does not fire)? The current code looks like this:
>
> using (Html.BeginForm("LogOff", "Account", FormMethod.Post, new { id = "logoutForm", @class = "navbar-right" }))
> {
>     @Html.AntiForgeryToken()
>
>     @Html.ActionLink("Hello " + User.Identity.GetUserName() + "!", "Index", "Manage", routeValues: null, htmlAttributes: new { title = "Manage" })
>
>     <a href="javascript:document.getElementById('logoutForm').submit()">Log off</a>
> }
>
> I'm sure it has something to do with javascript:document.getElementById('logoutForm').submit() and CSP but trying to move it to site.js has not helped me... Anyone?

I'm not having any issues with logging off.

RehanSaeed commented 4 years ago

JFL commented on 2016-01-13 22:39:22

I am using PayPal in my application but nothing happens when I'm calling return Redirect("https://www.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token=mytoken") (mytoken removed). If I use the link in the browser, PayPal is called correctly.

What should I do to be able to call external websites with this template?

Love the template btw.