Lightswitch HTML Client 2013 - how to detect an external call from a URL request keyed into a browser address bar

  • Question

  • Hi,

        Is there a way to tell that a request to read LS data from an application came from a browser call like http://localhost:51214/DataSource.svc/Entity entered in the address bar or that this request came from a call from within the application (internal request) like from a .lsml screen?

    thanks


    david






    • Edited by iqworks Saturday, December 6, 2014 6:59 PM
    Saturday, December 6, 2014 6:24 PM

Answers

  • Hi David,

    Initially I'd misread that you were referring to a http://localhost:51214/HTMLClient/?entity=DataSource/Entity deep link call (as covered in this MSDN LS Blog).

    Now I understand, I'd suggest adding a Global Application Class to your .Server project and handling the Application_BeginRequest event.  This should allow you to detect a browser http://localhost:51214/DataSource.svc/Entity request by implementing something along the following lines: -

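    // Global.asax.cs in the .Server project; requires "using System;" and "using System.Diagnostics;".
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // No Referer header and a path outside /HTMLClient/: treat it as a
        // request typed directly into the browser address bar.
        if (Request.UrlReferrer == null && !Request.Url.AbsolutePath.Contains("HTMLClient"))
        {
            Debug.WriteLine("Browser entity request");
        }
    }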

    Whilst I've not had cause to try this approach, it may be a solution.

    HTH

    Thursday, December 11, 2014 11:57 PM

All replies

  • Hi David,

    Do you want to detect changes in LightSwitch application? 

    If it is the case, you can try the code below.

    if (this.Details.Screen.DataWorkspace.ApplicationData.Details.HasChanges)
    {
        // do something ...
    }

    Hope it helps.

    Regards,

    Angie



    Monday, December 8, 2014 6:31 AM
  • Hi Angie,

        I don't need to detect changes.

        When a user logs into my application, they can go to another browser session and key in http://localhost:51214/DataSource.svc/Entity. When they do, I would like to detect that.

    If this .svc request is coming from a browser address bar, I want my application to do one thing.

    If this .svc request is coming from a call that is being made from one of my application's internal lsml.js programs, then I want to do another thing.

    thanks


    david

    Monday, December 8, 2014 12:04 PM
  • Hi David,

    It should be as simple as checking window.location.href which can be done in either your screen's created events or in the HTML client's default.htm e.g. :-

    <script type="text/javascript">
        $(document).ready(function () {
            if (window.location.href.indexOf("?entity=") > -1) {
                alert("From a deep link!");
            }
            msls._run()
            .then(null, function failure(error) {
                alert(error);
            });
        });
    </script>

    We do something very similar to detect deep links included on automatic e-mails we're issuing from the LightSwitch save pipeline.

    HTH


    • Edited by ChrisCookDev Wednesday, December 10, 2014 5:34 PM
    Wednesday, December 10, 2014 5:34 PM
  • Hi Chris,

       Unfortunately, entering this "http://localhost:51214/DataSource.svc/Entity" from the browser address bar goes right into the server code. And because it is an external call, it does not go into my LS js. I can see it in things like "Entity_CanRead()".

    Thanks though, I am thinking of another place I might put it.


    david

    Thursday, December 11, 2014 6:07 PM
  • Very helpful info Chris. 

    Correct me if I'm wrong, but this catches OData requests typed into the browser address bar by virtue of the fact that there is no referrer.  So it does answer the question as stated by OP.

    However, it would not differentiate between, say, an HTMLClient OData request and a 3rd party app OData request.

    I wonder if there's a custom header specific to HTMLClient request that can be used for this (?) as opposed to relying on url & referrer.


    • Edited by joshbooker Friday, December 12, 2014 3:10 PM
    Friday, December 12, 2014 3:09 PM
  • Thanks very much, Chris. I got the idea!

    david

    Friday, December 12, 2014 7:56 PM
  • David

    If you want to go a step further and prevent requests from reaching the .svc endpoint completely, then have a look at this:

    http://janvanderhaegen.com/2014/12/12/leave-my-endpoints-alone/

    Josh

    Saturday, December 13, 2014 1:07 AM
  • Thanks Josh,

         that was very helpful. Maybe it is something I don't understand,  but ...

    I sent a bug report/suggestion to Microsoft. I simply asked them to put a flag in so we can tell if this request is from an external request, or a request made internally by the application, or, put an option in the properties for the particular entity that says something like “allow request to this entity from other than the application”.
      I also asked them what percentage of LS app developers need to have their data automatically exposed? I have never encountered a situation where data exposure is the rule and not the exception.
    But, I am thinking that LS does this for a reason. Even so, they should have a seamless way to protect the data as a default rather than suggest RIA Services, filters, permissions and all that other extra code just to lock down the data.


    david

    Monday, December 15, 2014 10:14 PM
  • Josh,

    also, could the UrlReferrer be an issue? I have read that it could be spoofed to contain the needed information? I don't know, I am not a hacker.
    Also, I read that UrlReferrer can be excluded from the request header. This is no big deal as I can demand that if the base url and "HTTPClient" isn't right then I can simply reject the request.
    But, I would like to accommodate legitimate users that choose not to include the UrlReferrer.

      Most of the answers to my post have included using the UrlReferrer.

      


    david

    Monday, December 15, 2014 10:52 PM
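
Added example, not part of any post in this thread: the condition from the Application_BeginRequest answer, lifted into a pure function and run over constructed requests that cover the cases raised in the replies (no Referer, Referer suppressed by a legitimate user, Referer supplied by a program other than the HTML client). The class and method names are hypothetical; only the condition itself comes from the thread.

```csharp
using System;

static class ReferrerCheckDemo
{
    // Same test as the Application_BeginRequest handler in the thread,
    // taking the URL and Referer as parameters so it runs without IIS.
    static bool LooksLikeAddressBarRequest(Uri url, Uri referrer)
    {
        return referrer == null && !url.AbsolutePath.Contains("HTMLClient");
    }

    static void Show(string description, Uri url, Uri referrer)
    {
        Console.WriteLine("{0,-45} flagged={1}",
            description, LooksLikeAddressBarRequest(url, referrer));
    }

    static void Main()
    {
        // Constructed sample values based on the URLs quoted in the thread.
        const string site = "http://localhost:51214";
        var svc = new Uri(site + "/DataSource.svc/Entity");
        var client = new Uri(site + "/HTMLClient/");

        // The Referer is whatever the caller chose to send (or not send).
        Show("typed into the address bar", svc, null);
        Show("HTML client data call", svc, client);
        Show("HTML client, Referer suppressed", svc, null);
        Show("other program sending the client's Referer", svc, client);
        Show("first load of the HTML client page", client, null);

        // The server receives identical inputs for the 1st and 3rd calls,
        // and for the 2nd and 4th, so the function cannot tell them apart.
        // Its result is suitable for logging or diagnostics; the decision
        // to return data belongs with authentication and per-entity
        // permission checks (for example in Entity_CanRead).
    }
}
```

The pairs that the function cannot separate are the two concerns from the last replies: a legitimate user whose browser omits the Referer is flagged, and any caller that supplies the HTML client's URL as Referer is not.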