Sunday, November 13, 2016

Configure Azure Mobile App Authentication Server-Side for Use With JavaScript Clients

Azure Mobile Apps offer a great way to secure your application using OAuth and known 3rd party providers like Twitter, Facebook, Microsoft, and Google. This takes a lot of the manual authorization implementation requirements and shits responsibilities to these providers. This is a great way to secure you JavaScript web application quickly and without a lot of work. 

The focus of this post is to talk about the server-side security configurations required to allow your JS App to authenticate with the 3rd party providers, and then redirect back to your application successfully. If you want an overall tutorial on setting up the providers and working with the JavaScript SDK, see the following links: 
After the providers are configured for your Azure Mobile App instance, and you have the JavaScript SDK downloaded and being called from your JS Application there are (2) important server-side configurations required for allowing calling the the providers and redirecting back to your calling application successfully. Without these setting below, you'll probably get a HTTP 403 Forbidden error like the following after successfully authenticating:
You do not have permission to view this directory or page

1. Configure CORS

You'll need to whitelist your application URLs that are being called, so that after authenticating with the 3rd party provider it can callback successfully to your application with the user's information. This includes localhost values for testing on your dev machine. To configure CORS in Azure:
  1. Navigate to the Azure Portal
  2. Select your Azure Mobile App instance under Resources
  3. In the Search box type in CORS and select it from the results
  4. Enter in all of the applicable whitelist URLs including local dev values (note: no trailing slashes at the end or Azure will complain it is not a valid URL)
  5. Click Save at the top to save the changes

Note: You can use the "*" value to allow all domains and URLs but this is NOT advised as it nullifies this security aspect. The only time this is recommended is for debugging security issues to widen the allowable URLs to see if this fixes the problem. If this works, it's recommended to then remove and determine the missing values.

2. Configure External Redirect URLs

You'll need to whitelist the same loopback URLs used in the step above for redirect. Without these values you might successfully authenticate with the provider, but your pop-up window will display the "You do not have permission to view this directory or page" error and not finish back to the caller.
  1. Navigate to the Azure Portal
  2. Select your Azure Mobile App instance under Resources
  3. In the Search box type in Resource explorer, select it from the results and press "GO->" to launch the explorer (opens in a new tab/window)
  4. Click the + to expand the config section and select authsettings
  5. Click on the Edit button at the top
  6. Modify the allowedExternalRedirectUrls to contain an array of string values with your whitelist URLs including local dev testing URLs
  7. Click PUT at the top of the explorer to save the changes

To ensure my values were used, I preformed the additional step of selecting Restart from the Overview page of the Azure Mobile App instance since I was just in development (and not in prod). 

This may not be required, but I wanted to make sure everything was working as I had configured. Once these steps were completed, the authentication process worked successfully.

Friday, September 30, 2016

Ensuring TypeScript Files Are Served to the Browser for Debugging Using ASP.NET Core

I'm working on an ASP.NET Core site that's an Angular + TypeScript app leveraging all of the goodies in the new web template including the use of a task runner like Gulp. As I'm running my site I wanted to debug my TypeScript files in the Chrome debugger, but upon selecting the file it appeared blank. The .js files appeared correctly, but not the TypeScript files. There are just a few steps to follow to get the all the needed files to load into the browser properly.

1. Update startup.cs Configuration

Ensure the ASP.NET core application is set to serve up static files. To do this, configure the middleware to enable static files to be served to wwwroot. This makes wwwroot servable. You should also depending on the site your creating have the middleware configured to serve up a default home page to your base URL. Odds are you already had both of these steps complete or your site wouldn't even work, but to be thorough make sure you have the following in startup.cs:

2. Update tsconfig.json

If you are using tsconfig.json as well as a task runner like a gulp file, then you are probably leveraging tsconfig to build and transpile the TypeScript files and gulp to deploy them. If this is how you have your application setup, then you'll want to ensure that the sourcemap ( files are also generated. This will generate the .map files and add the proper reference at the bottom of the .js file to the corresponding map file. These map files let the debugger map between the emitted JavaScript code and the TypeScript files it was transpiled from originally. The .map reference will look like the following (you don't have to add this manually - it's just for reference):

In order to create the map file, make sure the following setting is in your tsconfig.json file and set to 'true':

3. Update gulp.js tasks

The last step is to ensure that the TypeScript files are copied out to your deployment target (i.e. wwwroot). Typically using gulp you'd have both development and release configurations. Ensure that for your dev settings or for whenever you want to debug TypeScript (.ts) files, you add a command to also copy out the TypeScript files as well. Normally only the .js files are needed by the browser, so often we'll overlook copying out the TypeScript files, but this is important so the browser has access and can display them correctly.

That should do it - now when you open the Chrome debugger and click on a TypeScript file it should load properly.

Wednesday, June 8, 2016

Is ASP.NET MVC the new WebForms because of Smart Client JS Web Apps?

In the last few years JavaScript, JavaScript frameworks, and the browser have matured exponentially providing us with AngularJS, React, Aurelia, Ember, and others. These frameworks allow for web developers to create performant and rich smart client JavaScript web applications (a.k.a SPAs). So what about ASP.NET and that old trustworthy MVC implementation? As an analogy, is MVC the new 'WebForms' as to how WebForms were viewed when MVC came to the scene? Is ASP.NET MVC obsolete or considered now 'old hat' from an implementation perspective? I think it is mostly 'yes' and just a bit of 'no' to that question and I'll provide points to both.

The bold answer is yes - MVC is a relic of days past and anyone that uses it has their head in the sand. Well maybe not quite and certainly not near being obsolete. However there is some merit to the fact that ASP.NET MVC is showing it's age as an implementation choice. There are many things that JS web applications do very well and architecturally speaking just make sense. 

To begin, the JS Frameworks by nature move the heavy rendering and presentation logic to the client. This removes the burden on the server of packaging both markup and data to send to the client. The server's main responsibility is now returning only data typically in the way of JSON payloads via RESTful services (i.e. NodeJS, WebAPI), as well as the web artifacts on an as needed basis (i.e. views, images, JS, etc.). With most frameworks, once the views and associated JS is brought to the client it is cached. The combination of client side processing + caching of data and website artifacts = highly performant web applications.

The 1st time most developers get accustomed to a JS Framework creating a web application, and experience how the line between desktop applications and web application almost is non-existent they often see the many benefits and don't look back.

Add atop of all this, most JS Frameworks were built with testing in mind, have massive adoption, huge amounts of support, examples, and training which adds up to something one can feel confident moving forward with as an implementation choice.

Another advantage of smart client JS Web Applications is the fact that they make sense architecturally. MVC by nature is and should be a presentation layer architecture. In ASP.NET MVC, I still see often the architecture abused and used as the full-blown implementation for Enterprise Applications. I don't blame most for doing this as the majority of  '101' examples show this implementation so it must be what is used for everything, right? Wrong. It's analogous for those of you that have used Angular 1.x and having the controller make $http calls directly, or abusing $scope as the do-all for the app. 

A tattle-tale sign of using MVC incorrectly is if the 'Model' is directly making database calls (i.e. EF or whatever) and then having the Controller make calls to methods on the Model. This then results in bloating either the model or controller (or both) with additional business logic or model hydration/shaping. MVC should be the top layer of the cake and only concerned with presentation layer logic and manipulation. JS Frameworks for the most part solve this problem naturally because of the separation now between the client and server. It's more difficult and many times not even possible to abuse the JS Web App client implementation that was done so often in ASP.NET MVC. Now one is forced to call the server for data, and then on the server another layered implementation can exist within the RESTful service to handle logic, rules, additional underlying calls, hydration/shaping, etc.. With a JS Web App we should relegate the MV* implementation client side to only presentation layer concerns, and allow the server to do what it does best and offer up reusable RESTful endpoints, encapsulating all server logic. With MVC this was absolutely possible, however it was typically a conscious decision and had to be made usually at the project's onset in order to have decent SoC and testability. Otherwise the result would be behemoth of a web application stuffed into the slim MVC implementation. 

From a JavaScript perspective my experience as a whole in MVC usually yielded to a jQuery implementation for DOM manipulation and a multi-thousand line file named MyApp.js. At 1st this file seems like a good idea, but then it snowballs into a intermingled mess of reactionary code responding to events, registering callbacks, making AJAX calls, manipulating views, and a hundred other things all interwoven together. Most of the time I saw no forethought put into proper segregation using known JS patterns like the module or revealing module pattern, and mostly a mess of public values and methods that were a ticking time bomb of heavy maintenance. In JS Framework implementations, there is a separation of concerns between the Model and View logic allowing testing and scaling your application more correctly. The alleviates the need for JS DOM manipulation libraries like jQuery all together.

Let's pile on another thing helping out JS Web apps in the way of languages like TypeScript.
This gem which was originally created at Microsoft by the same guy that created C# and is OSS, is a superset of JavaScript and adds on a slew of features to help developers wrangle some of the JavaScript nuances. There isn't anyone here claiming JavaScript is a perfect language, but I'll tell you from 1st hand experience using TypeScript makes creating JS Web apps in my experience a whole lot easier. Static typing, build time checking of code, Interfaces and other language features that don't exist in JS, staying ahead of the ECMAScript standards and releases, OO familiarity, and many other goodies help make TypeScript a real joy to have in the toolbox when creating JS Web Apps.

So now let's look at the flip side of the coin: ASP.NET MVC's advantages. Well to begin Microsoft is doing ASP.NET in general a whole world of good in the way of .NET Core 1.0. From a project's physical structure and implantation, the new world of the web in VS.NET is brought inline with where the rest of the web and OSS community has already been in the last several years. This is to the tune of task runners like Gulp or Grunt, additional package managers in the way of NPM and Bower, .json configuration for many different project components or languages like TypeScript, and several other new changes. 

The irony is from WebForms to MVC we moved from a 'Convention over Configuration' phase. Now we are shifting back to 'Configuration over Convention'. However this is in a very good way. Instead of getting many tools, resources, and processes being dictated and packaged up by default, you need to tell your web app exactly what you want and how you want it to behave from start to finish. This is a good thing. We as developers should have full control over our applications and dictate this configuration. At first this might cause some heartburn as change sometimes does, but it's the right move and I applaud Microsoft. For so long I used to promote how much I liked living inside the comfortable confines of ASP.NET and VS.NET. This magic thing like 'bundling and minification' was done for me along with many other tasks to get up and running. There is a little more work now as this doesn't even exist anymore in .NET Core 1.0, but I can control and configure my apps to be lean and behave as I want them to.

So wait, what about the good bits of MVC?? The above was like a back-handed compliment about MVC finally catching up to more standard methods of configuring web applications. However there are a couple of big things MVC still has going for it.

1st it's quite mature. ASP.NET has been around since 2001 and the MVC implementation since 07`. That's almost 10 years going strong. In addition Microsoft is behind it and is now OSS. It's not going anywhere, anytime soon. If your looking for that rock of stability and being conservative MVC is a good choice. Keep in mind though, ASP.NET WebForms is stable and around too, but that doesn't mean it's the best decision.

2nd, because of it's maturity there are a slew of developers that have experience with using it and developing application for it. There are just some realities that exist. Things like deadlines and financial constraints are legitimate concerns. As the lead, architect, decision maker, etc. on your team you might have 10 developers that are strong in MVC and have relatively no experience with a JS Framework and JavaScript in general with a deadline fast approaching. Do you bite the bullet and try your hand at creating a JS Web App, or go with old trusty and bang it out in MVC? That's a decision you'll need to make and one I've encountered as well.

To sum things up, I do believe JS Web Apps are here and probably the best decision for net new web apps today. I personally view MVC as a bit of a heavy weight in the web ring and sometimes we need something a bit more lean to fight our development battle. I agree for the most part MVC is beginning to be viewed as the new 'WebForms' as far as making an analogy to how WebForms were viewed when MVC came to the scene. However as I've broken it down, ASP.NET MVC isn't going anywhere and is still a fine choice to make in certain scenarios. 

Who knows, maybe I'll be writing this same article in 5 years with the following title:

"Are JS Web Apps the new MVC because of WebAssembly?"

Saturday, May 7, 2016

Chutzpah and non-ES5 JavaScript for Unit Testing is Problematic

I've been working with Chutzpah for VS.NET as a test runner for my Jasmine JavaScript unit tests and ran into some issues that had me essentially stuck and running out of debugging options. I mined Matthew Manela's samples, GitHub repo, articles, log tracing, settings files, simple test harnesses, and many other trial and error event before finally determining the root cause of my headaches.

No matter how simple it seemed of a test harness I used in JavaScript to test using Chutzpah, I kept getting errors like the following: 
Can't find variable: myVariable in file xyz....
Normally this is an indication that the referenced JavaScript file is not properly referenced and the test cannot use it. Therefore the test fails and complains that a variable can't be resolved because ultimately the file is not referenced or not referenced properly. Or so it appears on the surface.

This is the red herring...

This led me on a path of vigorous path tracing, trying different path notation for referencing, using chutzpah.json files, running from the command line, debugging, refactoring, and on and on. No matter what I'd do I couldn't apparently get the file referenced for the unit test to run.

Naturally what makes this all worse was that if I open my JS tests in the browser using the default Jasmine Test Runner, they of course pass. So I know it's only a problem with Chutzpah running my tests.

I do the most basic of tests:


This passes. So at least I know VS.NET and Chutzpah can actually work together. 

Here is the crux of it and I'm not sure why it dawned on me but I decided to investigate my JS code. I had begun to sprinkle in some ES6 syntax that by now was compatible in most current browsers. Things like 'class' or 'for...of' loops. The problem is Chutzpah uses the PhantomJS headless browser to run the unit tests. It is based off the WebKit layout engine, so its about like running tests in Safari.

However I was completely wrong in this assumption. From the following (albeit an older package the reference still holds for this topic): 
"Most versions of PhantomJS do not support ES5, let alone ES6. This meant that you got all sorts of errors when you tried to test ES6 features, even if you had used the Babel/6to5 transpiler."
PhantomJS today appears strictly ES5 compliant and even a single line of ES6 syntax in your JS file will cause the referenced file not to be processed and thus serving up the error that it cannot be found. It can't be found because it can't be understood by PhantomJS. Hence the red herring about not being able to understand a variable being referenced in my test because the JS class could not be used.

I had one particular JS class I thought was 100% ES5 and this made the debugging even worse. The way I finally sniffed out some ES6 syntax was to drop it in a TypeScript file and target it to transpile to ES5 JS. When I compared the files side-by-side sure enough I found some ES6 syntax in my JS files. Once I ported the ES5 compliant JS over, Chutzpah and PhantomJS both worked perfectly and my tests passed within VS.NET.

I think the lessons learned here are the following:
  • PhantomJS which Chutzpah uses to run unit tests requires ES5 only JS, so make sure all of your JS is ES5 transpiled (Babel, TypeScript, etc.) and target these source files for the unit tests
  • If able to write and target ES6 features and browsers and not wanting to transpile to ES5 compliant JS, consider using a different JS Test Runner than Chutzpah.

Wednesday, April 27, 2016

NuGet Package Source Blank After VS.NET Update

I recently updated VS.NET 2015 to Update 2 which was just released, but hit a snag with NuGet. Upon opening VS.NET and trying to download NuGet packages, I kept getting errors that the package didn't exist. I noticed the "Package source" dropdown was blank and had no selectable values. Even if I went to the VS.NET options for NuGet, I could no longer see the default package source configured. Something must of went awry during the VS.NET update.

Thanks to a nudge from this Connect report, the recommendation was to update the NuGet package manager from the 'Extension and Updates' menu. Sure enough there was an update, and after installing and restarting VS.NET, the "Package source' values were once again populated with and I could download packages.

Tuesday, March 29, 2016

I'll be Speaking at VSLive! Austin - Discount Code to Attend

I’ll be speaking at Visual Studio Live!, May 16-19 in Austin. Surrounded by your fellow industry professionals, Visual Studio Live! provides you with immediately usable training and education that will keep you relevant in the workforce.

I’ll be presenting the following sessions:
SPECIAL OFFER: As a speaker, I can extend $400 savings on the 4-day package. Use offer code AUSPK08 or register using the link here:

Amplify your knowledge at Visual Studio Live! Austin — bring the issues that keep you up at night and prepare to leave this event with the answers, guidance and training you need.  Register now:

Friday, March 4, 2016

Why is the tsconfig.json file not copying my TypeScript files to wwwroot?

If you've been looking into ASP.NET 5 (eventually .NET Core 1.0) and working with TypeScript you'll notice things are very different than when using older versions of ASP.NET. Specifically the need to configure your TyoeScript virtual project using a tsconfig.json file.

Within the file you'll need to add a line such as the following to indicate where the transpiled .js files will be copied in wwwroot:

"outDir": "../wwwroot/appScripts",

The source directory has a documented convention though (at least at the time of this entry) that could be easily overlooked. I found the information on this GitHub thread. The tsconfig.json file will only check for TypeScript files in the scripts folder. Therefore you must have your tsconfig.json file within the /scripts folder in order for the outdir value and ultimately copying of files to work.

Fixing a npm Package That Will Not Reinstall

Recently when working on an Angular 2 app in VS.NET 2015 using an ASP.NET 5 template I began to see build errors that Angular 2 was missing. 

I was having trouble getting Angular to reinstall no matter which version I selected in my package.json file. It didn't matter if I deleted the local files or npm cache as nothing would work.

Upon inspecting the output I noticed the following errors:

npm ERR! error rolling back  errno: 10,
npm ERR! error rolling back  code: 'EBUSY',

Upon further research and some nudging from the problem on this GitHub link, it appeared a file was locked. The answer -> reboot the Windows machine. This does appear to be a Windows issue with file locking of some file(s) within the npm package and causing the error.

Upon reboot, I right-clicked 'Dependencies' and selected, 'Restore Packages.' Sure enough the Angular 2 npm package reinstalled successfully. Previously the angular2 folder existed but there was nothing inside of it. If you ever have any issues getting a npm package to install, always make sure to read the output in the VS.NET console to shed light on any issues.