URL encoding # sharp to Durandal SPA

Question

I know it is not necessary to specify a login URL to a Durandal login page. But I wonder how to fix the following problem I'm facing to redirect a Authentication to a specific Durandal Page that has a Sharp sign (i.e. #).

public void ConfigureAuth(IAppBuilder app)
{
     app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            //LoginPath = new PathString("/" + HttpUtility.UrlDecode("#") + "/login")
            LoginPath = new PathString("/#/login")
        });
     ...
}

When I paste:

http://localhost/#/login

to a browser URL I can navigate to the login page without any problems. I can login and it is working fine.

Because I'm mixing MVC with SPA in some scenarios, when I add [Authorize] attribute to an MVC controller, then I will be redirected as expected to

http://localhost/%23/login?ReturnUrl=%2Fe

and I get the error:

Server Error in '/' Application.

The resource cannot be found. Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.

Requested URL: /#/login

how to use the # sign instead of %23 char encoding? or maybe I'm messing something else!!!

FYI: My question is related to character encoding not something line this: Login page on different domain because I may face the same problem in other situations in the future.

Answer 1

As far as I know it isn't possible to use a # from the server. A possible solution could be to redirect the user from the shell in durandal.js when the user isn't authenticated.

Answer 2

I don't know if it is too late in the life cycle but you could try to catch the redirect in the global asax file in the Application_EndRequest event and fix the response. I have code like this to change the actionresult to a jsonresult that my js can work with so that when a user attempts to reach an MVC controller resource that I have protected via java script ajax I can handle it properly.

protected void Application_EndRequest()
    {
        var context = new HttpContextWrapper(this.Context);

        // If we're an ajax request and forms authentication caused a 302, 
        // then we actually need to do a 401
        if (FormsAuthentication.IsEnabled && context.Response.StatusCode == 302
            && context.Request.IsAjaxRequest())
        {
            var jsRet = new JSONFunctionResult<Boolean>();

            if (this.Request.IsAuthenticated)
            {
                jsRet.Messages.Add(new JSONFunctionResultMessage()
                {
                    Text = string.Format("You must have one of these roles to perform the operation: {0}", context.Response.Headers["RolesRequired"]),
                    Title = "Security Violation",
                    Type = (int)JSONFunctionResultMessageTypes.authorization
                });
            }
            else
            {
                jsRet.Messages.Add(new JSONFunctionResultMessage()
                {
                    Text = "You must be logged into to access this resource",
                    Title = "Security Violation",
                    Type = (int)JSONFunctionResultMessageTypes.authentication
                });
            }
            jsRet.OperationStatus = JSONFunctionResultOperationStatus.error.ToString();

            string jresponse = JsonConvert.SerializeObject(jsRet);

            context.Response.Clear();
            context.Response.StatusCode = 200;
            context.Response.ContentType = "application/json";
            context.Response.Write(jresponse);
        }
    }

In my code I check for a redirect and if forms auth is enabled and if the user is Authenticated and change the response accordingly. For your code you could maybe change the response to go to your correct login page?