Blazor Server: How security should be handled?
Based on this article from Microsoft:
With the Blazor Server hosting model, the app is executed on the server from within an ASP.NET Core app. UI updates, event handling, and JavaScript calls are handled over a SignalR connection.
In case of client-side rendering (Blazor WebAssembly) or various JavaScript frameworks (such as Angular, Vue, ...), the separation between what should reside on the client side and what should not (in terms of security) is rather obvious; all the functionality should be handled via an API (REST for example), but I am not sure what the case is for the Blazor Server model.
Is it safe to put such a code in a razor page (a user profile page for example, in Blazor Server hosting model):
@using System.Data.SQLite
<input type="text" @bind="@user" />
<input type="text" @bind="@password" />
<button class="btn btn-primary" @onclick="ChangePassword">Save</button>
@code {
// Values bound from the two text boxes; the browser sends them to the server over the SignalR circuit.
private string user { get; set; } = "";
private string password { get; set; } = "";
// DBConnection is the connection to a sample sqlite database (assumed to be opened elsewhere in the app).
private SQLiteConnection DBConnection { get; set; } = default!;
private void ChangePassword()
{
// Deliberately vulnerable: both bound values are interpolated straight into the SQL text.
string statement = $"UPDATE users SET password = {password} WHERE user = {user};";
using var command = new SQLiteCommand(statement, DBConnection);
command.ExecuteNonQuery();
}
}
Can user (client side) abuse the code above?
Update: I'm aware of the SQL injection vulnerability here and that's intentional (in real-world scenarios I would definitely parameterize my inputs). I meant, for example, can a user do an SQL injection attack even when the code is this vulnerable? If yes, how?
Can user (client side) abuse the code above?
Not unless they compromise the server. All the code in your component runs in the Hub Session on the server. The SignalR traffic is DOM updates to the browser and JS-to-C# JSInterop calls from the browser to the server.
On the other hand, treat all WebAssembly code in the application as public domain. Your security is on your API.
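The following is an added example, not code from the question or the answer above. It reproduces the component's ChangePassword logic in Python against an in-memory SQLite database (constructed here with a few sample rows) so the effect of the interpolated statement can be observed directly: the values bound with @bind are whatever the browser sent over the SignalR circuit, so the same text ends up in the SQL string on the server. The function names, the sample rows and the payload are assumptions of this example; the hardened variant uses the parameterized form the question already mentions.

```python
import sqlite3

# Constructed sample data standing in for the question's "sample sqlite database".
SEED = [("alice", "a-pass"), ("bob", "b-pass"), ("admin", "root-pass")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (user, password) VALUES (?, ?)", SEED)
    conn.commit()
    return conn


def change_password_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> int:
    """Mirror of the component's ChangePassword: both bound values are pasted into
    the SQL text exactly as the browser supplied them. Returns rows updated."""
    statement = f"UPDATE users SET password = {password} WHERE user = {user};"
    cur = conn.execute(statement)
    conn.commit()
    return cur.rowcount


def change_password_parameterized(conn: sqlite3.Connection, user: str, password: str) -> int:
    """Hardened form: the values travel as bound parameters, never as SQL text."""
    cur = conn.execute("UPDATE users SET password = ? WHERE user = ?;", (password, user))
    conn.commit()
    return cur.rowcount


def snapshot(conn: sqlite3.Connection) -> dict:
    """Return {user: password} for every row, for inspection."""
    return dict(conn.execute("SELECT user, password FROM users ORDER BY user"))


def demo() -> dict:
    """Run the three scenarios and collect the observable results."""
    results = {}

    conn = make_db()
    # 1. Honest, unquoted input does not even run: SQLite reads the bare words
    #    as column names, which shows the values really are part of the SQL text.
    try:
        change_password_vulnerable(conn, "alice", "newpass")
        results["honest_unquoted"] = "no error"
    except sqlite3.OperationalError as exc:
        results["honest_unquoted"] = str(exc)

    # 2. An attacker supplies their own quoting plus a tautology; the resulting
    #    statement is  UPDATE users SET password = 'pwned' WHERE user = 'alice' OR 1=1;
    #    and every account gets the attacker's password.
    results["injected_rows"] = change_password_vulnerable(conn, "'alice' OR 1=1", "'pwned'")
    results["after_injection"] = snapshot(conn)

    # 3. The same payload against the parameterized version is just a username
    #    that matches nobody, while a normal username still works.
    conn2 = make_db()
    results["param_rows"] = change_password_parameterized(conn2, "'alice' OR 1=1", "'pwned'")
    results["param_honest_rows"] = change_password_parameterized(conn2, "alice", "newpass")
    results["after_param"] = snapshot(conn2)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to take from scenario 2 is that nothing about the hosting model protects the statement: the server builds and executes it, but the two strings it builds it from came from the client. Scenario 3 shows that parameterization removes the problem regardless of where the UI runs.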