I want to make a statically generated site using Gatsby. This is all fine, but I want to have authentication and authorization in place, as this is an internal site - it should only be accessed by people in my company. I thought about this, and without some server component, it's impossible (?) to securely authenticate users without some kind of backend. I thought I could use ASP.NET Core to serve static files and have Google (for Work) authentication and authorization in front of these static files.
It seems like the StaticFileHandler doesn't support authorization by design, as it is only responsible for serving static files which are publicly accessible. I managed to get Google authentication working by using the Authorize attribute on my root action (which listens to '/'), and having login actions which issued a Challenge and the user would be redirected to Google for authentication. Further reading in the documentation for handling static files says:
> The static file module provides no authorization checks. Any files served by it, including those under wwwroot are publicly available. To serve files based on authorization:
> - Store them outside of wwwroot and any directory accessible to the static file middleware and
> - Serve them through a controller action, returning a FileResult where authorization is applied
So now I have an Index action on my HomeController which looks like this:
```csharp
[Authorize]
public IActionResult Index()
{
    // TODO: Return static files based on incoming requested path.
    return View();
}
```
I'm not very happy with this solution. Should I make the whole thing work with middleware instead of using MVC? Is this even the right way to do this? Are there any better ways of doing this?
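
The approach from the quoted documentation, as an added example that is not part of the original post: a catch-all controller action that applies `[Authorize]` and returns a `FileResult` from a directory outside wwwroot, rejecting any requested path that resolves outside that directory. The controller name `SiteController` and the `PrivateSite` folder are hypothetical; it assumes ASP.NET Core 3.0 or later and that the Google authentication described above is already configured.

```csharp
using System;
using System.IO;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.StaticFiles;

[Authorize] // every file request must carry an authenticated identity
public class SiteController : Controller
{
    private static readonly FileExtensionContentTypeProvider ContentTypes =
        new FileExtensionContentTypeProvider();

    private readonly string _siteRoot;

    public SiteController(IWebHostEnvironment env)
    {
        // Assumption: the Gatsby build output is copied to <content root>/PrivateSite,
        // a folder the static file middleware does not serve.
        _siteRoot = Path.GetFullPath(Path.Combine(env.ContentRootPath, "PrivateSite"))
                    + Path.DirectorySeparatorChar;
    }

    [HttpGet("{*path}")] // catch-all: "/", "/docs/", "/app.js", ...
    public IActionResult Get(string path)
    {
        var relative = string.IsNullOrEmpty(path) ? "index.html" : path;
        var fullPath = Path.GetFullPath(Path.Combine(_siteRoot, relative));

        // Canonicalize first, then require the result to stay under the site root.
        // This rejects "../" sequences and rooted paths in the request.
        if (!fullPath.StartsWith(_siteRoot, StringComparison.Ordinal))
            return NotFound();

        // Gatsby writes each page as <route>/index.html.
        if (Directory.Exists(fullPath))
            fullPath = Path.Combine(fullPath, "index.html");

        if (!System.IO.File.Exists(fullPath))
            return NotFound();

        if (!ContentTypes.TryGetContentType(fullPath, out var contentType))
            contentType = "application/octet-stream";

        return PhysicalFile(fullPath, contentType);
    }
}
```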