[Question] Blazor WASM - Authorize streaming static video files.


Info: using the default ASP.NET (6, preview 1) Hosted Blazor WASM Visual Studio template with (IdentityServer4) individual accounts.

I’ve done some research on authorizing streaming static video files in ASP.NET Core / Blazor WASM from a controller but I don’t get it to work, it results in a 401 error. [Authorize] works on controllers accessed with HttpClient and gRPC but not when I stream a static video file from outside the wwwroot directory (see code below).

The code/streaming works without the [Authorize] attribute, but then the access (obviously) isn’t authorized, so when you know the filename and the controller’s endpoint anybody can download the video file without authorization. When an authorized user looks up the endpoint and file name from the browser’s DevTools he/she can use (and share) that link in an unauthorized session to download the file.

When I follow this code (Static file authorization) from Microsoft Docs https://docs.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=aspnetcore-5.0#static-file-authorization Blazor WASM won’t load. Probably because the AuthorizationOptions.FallbackPolicy property isn’t supported with Blazor WASM, see: https://docs.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/?view=aspnetcore-5.0#require-authorization-for-the-entire-app

I think the problem is that the HTML 5 <Video> tag isn’t a HttpClient request, so the security headers aren’t being sent to the server/controller. The same problem arises when you want to download a file from Blazor WASM from a controller.

Any suggestions on how to authorize static files in Blazor WASM would be much appreciated.

Client code:

<video id="videostream" poster="@videoPoster" 
                        class="videostyle" 
                        oncontextmenu="return false;" 
                        controls 
                        disablePictureInPicture 
                        controlsList="nodownload">
    <source src="/VideoStream/@videoFileName" type="@ContentType;codecs=@Codecs" />
    Your browser does not support the video tag.
</video>

/Server/Controllers/VideoStreamController.cs

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.FileProviders;
using Microsoft.Extensions.Logging;
using System.IO;

namespace Mediatheek.Server.Controllers
{
	//[ApiController]
	[Route("[controller]")]
	public class VideoStreamController : ControllerBase
	{
		private readonly IWebHostEnvironment env;
		private readonly ILogger<VideoStreamController> logger;
		public VideoStreamController(ILogger<VideoStreamController> logger, IWebHostEnvironment env)
		{
			this.logger = logger;
			this.env = env;
		}

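		//[Authorize] // Doesn't work.
		[HttpGet("{file}")]
		public IActionResult StreamVideo(string file)
		{
			// Accept only a bare file name on the host OS, so the route value cannot point outside Files/Videos.
			if (string.IsNullOrEmpty(file) || file != Path.GetFileName(file))
			{
				return BadRequest();
			}

			var provider = new PhysicalFileProvider(env.ContentRootPath);
			var videoPathFile = Path.Combine(provider.Root, "Files", "Videos", $"{file}.mp4");
			var fileResponse = PhysicalFile(videoPathFile, "application/octet-stream", true); // true = EnableRangeProcessing
			return fileResponse;
		}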
	}
}

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 16 (16 by maintainers)

Top GitHub Comments

1 reaction
HaoK commented, Mar 9, 2021

This Stack Overflow post (where they also are unable to get a header sent) sounds similar to what you are trying, in case it helps in any way: https://stackoverflow.com/questions/56146913/using-token-based-authentication-for-html5-video

1 reaction
HaoK commented, Mar 9, 2021

Right, I don’t mean to imply that you haven’t done your due diligence in any way, it just sounds like the constraints you’ve chosen (html5 video tag) which doesn’t have any easy way to send an authorization header (at least in doing a quick google search), means you cannot mark your controller actions with an authorize that requires a jwt token. My main point is these are all app specific choices you’ve made, you don’t have to use a video tag, nor do you have to use jwt on the server, but this combination doesn’t appear to do what you want.
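
The thread establishes that a `<video>` element cannot attach an Authorization header. One common way to still gate the stream, given here as an added example that is not code from the issue or from ASP.NET Core: an `[Authorize]`-protected API action mints a short-lived HMAC-signed URL, and the streaming action verifies it before serving the file. `VideoUrlSigner`, the `u`/`exp`/`sig` query parameters and the sample values are assumptions; .NET 6 is assumed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example; VideoUrlSigner and the u/exp/sig parameters are hypothetical names.
public static class VideoUrlSigner
{
    // MAC over length-prefixed file and user plus expiry, so no field can be swapped or shifted.
    private static byte[] Mac(byte[] key, string file, string user, long expires)
    {
        using var hmac = new HMACSHA256(key);
        string msg = $"{file.Length}:{file}|{user.Length}:{user}|{expires}";
        return hmac.ComputeHash(Encoding.UTF8.GetBytes(msg));
    }

    // Call from an [Authorize]-protected API action that the client reaches with HttpClient.
    public static string CreateUrl(byte[] key, string file, string user, DateTimeOffset expiresAt)
    {
        long exp = expiresAt.ToUnixTimeSeconds();
        string sig = Convert.ToHexString(Mac(key, file, user, exp));
        return $"/VideoStream/{Uri.EscapeDataString(file)}?u={Uri.EscapeDataString(user)}&exp={exp}&sig={sig}";
    }

    // Call at the top of StreamVideo; on false return Unauthorized() instead of the file.
    public static bool IsValid(byte[] key, string file, string user, long exp, string sig, DateTimeOffset now)
    {
        if (file is null || user is null || sig is null) return false;
        if (now.ToUnixTimeSeconds() > exp) return false;            // link expired
        byte[] presented;
        try { presented = Convert.FromHexString(sig); }
        catch (FormatException) { return false; }                   // not valid hex
        return CryptographicOperations.FixedTimeEquals(presented, Mac(key, file, user, exp));
    }
}

public static class Demo
{
    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32);            // constructed server-side secret
        var now = DateTimeOffset.UtcNow;
        long exp = now.AddMinutes(5).ToUnixTimeSeconds();
        string url = VideoUrlSigner.CreateUrl(key, "intro", "alice", now.AddMinutes(5));
        string sig = url[(url.LastIndexOf('=') + 1)..];
        Console.WriteLine(url);
        Console.WriteLine(VideoUrlSigner.IsValid(key, "intro", "alice", exp, sig, now));               // untouched link
        Console.WriteLine(VideoUrlSigner.IsValid(key, "other", "alice", exp, sig, now));               // file name swapped
        Console.WriteLine(VideoUrlSigner.IsValid(key, "intro", "alice", exp, sig, now.AddMinutes(6))); // past expiry
    }
}
```

A signed link works for anyone who holds it until `exp`, so keep the lifetime short and log the `u` value on every streamed request so a shared link can be traced to the account that requested it.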
