Hangfire dashboard authorization filter using basic authentication and relying on browser support to allow user to input username and password.

HFDashboardAuthFilter.cs

using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Hangfire.Annotations;
using Hangfire.Dashboard;
using Microsoft.AspNetCore.Http;

namespace MyApp.ScheduledTask
{
    public class HFDashboardAuthFilter : Hangfire.Dashboard.IDashboardAuthorizationFilter
    {
        public bool Authorize([NotNull] DashboardContext context)
        {
            var httpContext = context.GetHttpContext();

            var header = httpContext.Request.Headers["Authorization"];

            if (string.IsNullOrWhiteSpace(header))
            {
                SetChallengeResponse(httpContext);
                return false;
            }

            var authValues = System.Net.Http.Headers.AuthenticationHeaderValue.Parse(header);

            if (!"Basic".Equals(authValues.Scheme, StringComparison.InvariantCultureIgnoreCase))
            {
                SetChallengeResponse(httpContext);
                return false;
            }

            var parameter = System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(authValues.Parameter));
            var parts = parameter.Split(':');

            if (parts.Length < 2)
            {
                SetChallengeResponse(httpContext);
                return false;
            }

            var username = parts[0];
            var password = parts[1];

            if (string.IsNullOrWhiteSpace(username) || string.IsNullOrWhiteSpace(password))
            {
                SetChallengeResponse(httpContext);
                return false;
            }

            if (username == "johndoe" && password == "123")
            {
                return true;
            }

            SetChallengeResponse(httpContext);
            return false;
        }

        private void SetChallengeResponse(HttpContext httpContext)
        {
            httpContext.Response.StatusCode = 401;
            httpContext.Response.Headers.Append("WWW-Authenticate", "Basic realm=\"Hangfire Dashboard\"");
            httpContext.Response.WriteAsync("Authentication is required.");
        }

    }
}

This gist uses HTTP basic authentication, so the way to log out is the same as other HTTP basic authentication, for example https://stackoverflow.com/questions/233507/how-to-log-out-user-from-web-site-using-basic-authentication

I haven't tried to log out though.

You are right: Basic Authentication wasn't designed to manage logging out. I will have to figure out something else. Thank you. *Beste Grüße/Best regards/Lep pozdrav,* *Matjaž Bravc* Senior Software Engineer at pmOne <http://www.pmone.com/> | +386 41 903 563 V V pon., 15. jul. 2019 ob 11:33 je oseba Endy Tjahjono < [email protected]> napisala:

…

This gist uses HTTP basic authentication, so the way to log out is the same as other HTTP basic authentication, for example https://stackoverflow.com/questions/233507/how-to-log-out-user-from-web-site-using-basic-authentication I haven't tried to log out though. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <https://gist.github.com/a1cc8e2515e5e0d941a884fc6a6267f5?email_source=notifications&email_token=AJJUVC74QZGQCGPTVSP2QHLP7Q77RA5CNFSM4HJXXBW2YY3PNVWWK3TUL52HS4DFVNDWS43UINXW23LFNZ2KUY3PNVWWK3TUL5UWJTQAFVJ54#gistcomment-2970590>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AJJUVC7ICQIANBTSG4F7TEDP7Q77RANCNFSM4HJXXBWQ> .

Does this Class get triggered when accessing /hangfire ?
And will the same idea work with .Net Framework ?

Esse código funciona rodando local, ao publicar em produção, fica em loop a solicitação de login e senha. Alguém sabe porque?

Nice work!

Recent viewers:

Now finally we have an official implementation... Hangfire.Dashboard.Authorization.Basic.

Wow man, this is amazing. I was struggling to find a good solution for API type projects. I had an idea with query strings, but then hangfire does not allow them. This solution is perfect, I honestly did not know you can trigger built in browser login popup!