Hi,
We're using controllers of the ControllerBase class for callback handling from external servers (like document editors returning modified documents); the controller then updates our row.
Like so:
    public class DocController : ProjectControllerBase
    {
        private readonly IDocRepository _docRepository;

        public DocController(IDocRepository docRepository)
        {
            _docRepository = docRepository;
        }

        [Authorize(AuthenticationSchemes = "EditorBearerToken")]
        [HttpPost]
        [RequestSizeLimit(100_000_000)]
        public async Task<ActionResult> EditorCallbackHandler()
        {
            // check stuff, get our row etc. ...
            await _docRepository.UpdateAsync(doc);
            return ...;
        }
    }
We don't even know the TenantId from the incoming callback, but that's no problem as the callback contains our row Id in the metadata, so we can find the row to update.
An audit log entry is being generated automatically; it contains the TenantId (not sure from where, probably from the docRepository row?) and null as UserId. Parameter and ReturnValue are also empty/null.
The question now is: How can we populate UserId, Parameter and ReturnValue for the audit log? We have this information from the callback metadata and just need a way to inject it (similar to Unit of Work, but additionally with user context).
Thank you!
2 Answer(s)
-
0
Hi @ips-ad
Sorry for our late reply. Could you explain the use case a bit more? Is this flow triggered by a user on AspNet Zero app or does it happen via background jobs or something else?
-
0
Hi @ismcagdas
Thanks for your reply. It's a callback from a document server returning e.g. an updated docx to our Zero backend. The document server authorizes via token, we've added in AuthConfigurer.cs:

    if (bool.Parse(configuration["Documentserver:IsEnabled"]))
    {
        var securityKey = new SymmetricSecurityKey(
            System.Text.Encoding.UTF8.GetBytes(configuration["Documentserver:CallBackSecret"]));

        authenticationBuilder.AddJwtBearer("EditorBearerToken", options =>
        {
            options.TokenValidationParameters = new TokenValidationParameters()
            {
                ValidateAudience = false,
                ValidateActor = false,
                ValidateIssuer = false,
                ValidateIssuerSigningKey = true,
                ValidateLifetime = false,
                IssuerSigningKey = securityKey
            };
            options.RequireHttpsMetadata = false;
            options.SaveToken = true;
            options.SecurityTokenValidators.Clear();
            options.SecurityTokenValidators.Add(new JwtSecurityTokenHandler());
        });
    }

It's the only way this document server is currently able to authenticate, we don't have direct tenant and user context.
We know it from the content though, because it's referring to existing rows in our database, so we can derive tenantId and userId from there.
What we want to achieve is:
- Flag entity history with correct tenantId and userId (-> we just solved this with IAbpSession: using (_session.Use(tenantId, userId)) { ... })
- Flag AbpAuditLog from the callback (see public async Task EditorCallbackHandler(){ ... } from above) with tenantId and userId. This is still open and we don't know how to achieve it, currently those logs are being created, but with tenantId and userId null.
Thanks again for your support!
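
One way to get the callback's tenant and user into AbpAuditLog, as an added example (not code from this thread or from ASP.NET Zero): the handler stores the identity it resolved from its own database row in HttpContext.Items, and a wrapper around the audit store fills only the fields the session left empty. CallbackAuditContext and CallbackAwareAuditingStore are hypothetical names; the sketch assumes the audit entry is saved during the same HTTP request and that IAuditingStore in the ABP version in use declares both Save and SaveAsync.

```csharp
using System.Threading.Tasks;
using Abp.Auditing;
using Microsoft.AspNetCore.Http;

// Hypothetical carrier for identity the handler resolved from its own database row.
public sealed class CallbackAuditContext
{
    public const string ItemKey = "CallbackAuditContext";
    public int? TenantId { get; set; }
    public long? UserId { get; set; }
    public string Parameters { get; set; } // short summary (e.g. row Id), not the document body
}

// Hypothetical wrapper; "inner" is the store that actually writes AbpAuditLogs.
public class CallbackAwareAuditingStore : IAuditingStore
{
    private readonly IAuditingStore _inner;
    private readonly IHttpContextAccessor _http;

    public CallbackAwareAuditingStore(IAuditingStore inner, IHttpContextAccessor http)
    {
        _inner = inner;
        _http = http;
    }

    public Task SaveAsync(AuditInfo auditInfo)
    {
        Enrich(auditInfo);
        return _inner.SaveAsync(auditInfo);
    }

    public void Save(AuditInfo auditInfo) // assumption: this ABP version declares Save
    {
        Enrich(auditInfo);
        _inner.Save(auditInfo);
    }

    private void Enrich(AuditInfo auditInfo)
    {
        var items = _http.HttpContext?.Items;
        if (items == null || !items.TryGetValue(CallbackAuditContext.ItemKey, out var raw)) return;
        if (!(raw is CallbackAuditContext ctx)) return;

        // Fill gaps only; identity set by a real session is never overwritten.
        if (auditInfo.TenantId == null) auditInfo.TenantId = ctx.TenantId;
        if (auditInfo.UserId == null) auditInfo.UserId = ctx.UserId;
        if (string.IsNullOrEmpty(auditInfo.Parameters)) auditInfo.Parameters = ctx.Parameters;
    }
}
```

In EditorCallbackHandler, after loading the row, set HttpContext.Items[CallbackAuditContext.ItemKey] to a CallbackAuditContext built from that row's tenant and user rather than from unverified request fields. Registering the wrapper in place of the default store depends on the application's DI setup.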