Dangers of using IHttpContextAccessor

00:00

welcome to the rocking YouTube channel

00:01

my name is Anton and today we're going

00:03

to be talking about the IH HTTP context

00:05

accessor what kind of problems you can

00:08

run into it how to avoid these problems

00:10

we're going to be taking a look at some

00:11

under the hood stuff of how does it work

00:14

how does the HTTP context appear in

00:16

there Etc basically trying to become

00:19

better Engineers with better awareness

00:21

of the tools that we are using don't

00:23

forget if you're enjoying the video

00:24

leave a like subscribe make sure to

00:26

check out the description I have a c

00:28

course out if you want to know c as I do

00:31

it I highly recommend you go ahead and

00:33

check it out with that let's go ahead

00:34

and get started here we have the sample

00:36

application with a couple of files

00:38

nothing too extreme we have the program

00:40

CS file and mainly we have three

00:44

endpoints and this root endpoint is to

00:47

outline the current user that is signed

00:49

in the user that is signed in I am

00:52

mocking an authentication schema with

00:54

this always authenticated authentication

00:57

Handler if you don't understand about

00:59

Authentication you're in luck I have

01:01

quite a few episodes on it go ahead and

01:04

check out the description basically all

01:06

this means is that we're always going to

01:09

be signed in as this user you don't need

01:11

to call login or anything like that

01:14

amongst other services we're adding the

01:17

ad HTTP context accessor and then we're

01:20

registering a Singleton service some

01:22

kind of business logic and then a

01:25

background notification service which is

01:27

going to be a hosted service so it's

01:30

something that is running in the

01:31

background if I open up the terminal the

01:33

application is already running and if we

01:36

just take a look at the roots we have

01:38

this test user with the test email

01:41

coming back to the code we're going to

01:43

take a look at the first endpoint and

01:45

this a service which is registered as a

01:47

Singleton and it has a function that is

01:49

something slowly sync now this example

01:52

is copied from this Outline by David fer

01:55

which explains why this service is bad

01:59

but I don't think this example actually

02:00

illustrates the point of how you can run

02:03

in into this issue blindly so that's

02:06

what we're going to be learning about

02:07

today nevertheless first of all let's

02:10

observe the issue this function is going

02:12

to be a fire and forget task which we're

02:15

going to wait for a little bit and then

02:17

we're going to try to access the HTTP

02:19

context and we access it by hitting the

02:22

dummy end point and we kick off a task

02:24

here coming back over here let's go

02:26

ahead and kick off dummy we we have okay

02:30

we come back if we take a look at the

02:32

console nothing is being printed it is

02:34

failing silently we don't actually see

02:37

anything if we open this up and I will

02:40

uncomment this and I will actually

02:42

output something to the logger so we can

02:44

actually see this failing the

02:46

application will restart I'll come back

02:48

over here I'll refresh and then coming

02:51

back over here we see the explosion

02:54

happening the reason the explosion is

02:56

happening is the HTTP context inside the

03:00

HTTP context accessor is null and that

03:02

is the exception that we're getting here

03:04

the reason it is null is because the

03:07

HTTP context represents the HTTP context

03:11

I don't know how else to say it other

03:14

than when the request starts that's when

03:17

the HTTP context is created and when the

03:19

request ends that's when the HTTP

03:22

context is disposed of we we'll take a

03:24

look at the code where that actually

03:27

happens before we do the Deep diving

03:29

we're going to take a look at some code

03:31

that you might write in the future that

03:33

will essentially make you encounter this

03:36

issue so here is some kind of service it

03:39

is a class with a function some Services

03:42

get injected into here and what we're

03:44

trying to do is do something with the

03:46

user at this point we're notifying the

03:49

user but it can be literally anything

03:52

the point is you're trying to access the

03:54

user the user exists on the HTTP context

03:57

in the MVC world the claims principle

04:01

wasn't actually injectable so the only

04:04

way that you can get the user is through

04:06

the HTTP context so you would have your

04:09

business logic rely on the ihtp context

04:12

accessor and you would attempt to do

04:15

something like this if we come back to

04:17

program CS we will have the notify

04:19

service over here we have the business

04:21

logic and we notify the user now because

04:24

we're awaiting over here everything is

04:26

going to run smoothly and that is

04:29

basically the experience that you would

04:31

have so let's open up the terminal stuff

04:33

is going to get restarted let's go ahead

04:36

and notify everything is going to be

04:39

okay and notification is successful some

04:42

time is going to pass and what you

04:44

actually want to have is a background

04:47

service that is going to pull the

04:49

database check some State and then if

04:51

that states meet some kind of rules it

04:54

is going to try to notify the user so

04:56

you set up your background service you

04:57

register it as a hosted service and then

05:00

as you're getting a signal to notify the

05:02

user again this can be a query to the

05:04

database in the loop all I'm doing here

05:07

is passing a message down a channel I'm

05:09

then creating a scope and then I'm

05:11

retrieving the business logic because

05:13

that logic of notifying a user I want

05:16

that to be reusable and then I notify

05:18

the user if I go to program CS we have

05:21

the background notification service over

05:22

here and I write test into the

05:24

background notification service so

05:26

that's going to go into this channel

05:27

writer over here and then this channel

05:30

reader is going to pick up the message

05:32

okay so that's basically how it's going

05:33

to go into here with this example it's a

05:37

little bit more of a realistic example

05:40

of what is being highlighted over here

05:42

you start off with logic that was

05:44

running during an HTTP request and then

05:47

you want to execute that same logic

05:49

outside of an HTTP request and that is

05:53

how you essentially encounter this issue

05:55

so

05:56

notify DBS if I open up well we'll see

06:00

that we again encounter the N reference

06:02

exception on the IH HTTP context

06:04

accessor at this point if you're still

06:06

listening the audience is pretty much

06:08

split into two parts the first one that

06:11

has been taught the lesson or has

06:13

encountered this issue and learned the

06:15

lesson or the second part that is maybe

06:18

a little bit blind first time you hear

06:19

about this ihtp context accessor what do

06:22

you need to understand to not encounter

06:24

this issue and similar issues there will

06:27

be three things first is the concept of

06:29

the HTTP server and that is the asp.net

06:32

core application that you're programming

06:34

second is the business logic this

06:36

business logic should be able to exist

06:39

outside of the asp.net core server

06:42

generally what happens is you take the

06:43

business logic and you register it with

06:45

the dependency injection container and

06:48

then that business logic will get

06:50

injected into your MVC controllers or

06:53

endpoints and at that point everything

06:55

seems to be fused together you need to

06:58

understand that your business logic that

07:00

is even though it is injected through

07:02

the dependency injection controller

07:04

should not rely on services that are

07:08

built for the asp.net core framework the

07:11

ihtp context accessor is an example of a

07:13

service which is used for the asp.net

07:16

core framework to do HTTP web server

07:19

things as you receive the request it's

07:21

going to go through the middleware

07:22

pipeline and at that point you need to

07:24

extract all the information that you can

07:26

get you're essentially preparing the

07:28

scene and then you're injecting it all

07:30

into the business logic and you're

07:32

setting up your business logic to then

07:34

execute so you still have your web

07:36

server you still have your business

07:37

logic controllers and endpoints is that

07:41

place where you transfer from the web

07:43

server world into your business logic

07:46

World As Long as You Follow that rule

07:48

you will never encounter an issue like

07:50

this where you will spot uh this belongs

07:53

to the web server because there is some

07:55

awareness of HTTP RPC websockets

07:59

whatever other web service notion there

08:02

might be you want to take that out let's

08:05

come back to the code and actually

08:08

inspect what is the IH HTTP context

08:11

accessor and how is it set so first of

08:14

all let's unpackage add HTTP context

08:17

accessor and here we will see the HTTP

08:19

context accessor being registered and

08:22

it's actually registered as a Singleton

08:24

service so even though it exists only

08:27

for the scope of the HT CTP request it

08:31

itself is not a sculpt service the thing

08:35

that actually gives the ihtp context

08:39

accessor its scopen is this async local

08:43

which is a pretty loaded concept and in

08:46

order to understand how it actually

08:48

works under the hood deserves a video of

08:51

its own looking at this all you need to

08:53

understand is asyn local is the thing

08:56

that will make the HTTP context holder

08:59

the thing that holds the HTTP context

09:02

for this specific request that is being

09:04

made to the server because that request

09:06

will be executed in an async task async

09:10

local is the thing which is going to

09:12

scope this HTTP context to the task or

09:15

to the async context which is going to

09:17

be processing the request with that

09:20

let's back out back into program Cs and

09:23

we're going to understand at which point

09:25

the HTTP context is actually placed into

09:28

the I HTTP context accessor what I'm

09:31

about to do here you can get more

09:32

information from the castol video I did

09:34

where we try to understand if it's worth

09:37

building our own web framework on top of

09:39

cro similar to asp.net core the answer

09:42

to which is no but nevertheless we learn

09:44

things about Castrol and how to interact

09:46

with krol here I'm just going to show

09:48

you how to walk down to Castrol from

09:51

your esp. net core application let's go

09:54

ahead and decompile run and here we'll

09:56

have this hosting abstractions host

09:58

extensions run and here again down to

10:01

run a Sync here is where the web server

10:05

Starts Here It basically just waits for

10:07

the web server to shut down so until you

10:09

actually shut down the server the

10:11

execution is going to be paused here

10:14

we're going to go into start a sync and

10:16

this is on the interface so we want to

10:18

go to the implementation of the host

10:20

class in here we will go through

10:22

execution up until we reach a loop where

10:25

we have a bunch of hosted Services if we

10:28

come back to program CS where I register

10:30

the background notification service

10:32

which is a background service which is

10:34

still a hosted service the krol server

10:37

is a background service which is running

10:40

in the background and servicing your

10:41

requests coming back to the host we have

10:44

the hosted Services over here and start

10:47

async is being called specifically the

10:50

castral web server is a generic web host

10:53

server and here again we will scroll

10:55

down up until we have this application

10:58

which is essenti

10:59

the request delegate if you know what

11:01

the request delegate your web server

11:04

your asp.net core app is essentially

11:06

just a configured middleware pipeline

11:09

which will get passed down into this

11:11

hosting application the stard a sync

11:13

over here is called on the server so I

11:16

server or implementations for I server

11:19

will be the Cal server and Cal server

11:21

internal implementation and then you can

11:23

also have an is HTTP server okay we are

11:27

particularly interested or not so

11:29

interested in the actual classes but

11:33

rather the thing that is passed down to

11:36

the castol server so coming back over

11:38

here we have stard a sync and HTTP

11:40

application is being passed down into it

11:42

we're going to go into host application

11:45

and down here we will first have create

11:48

context we will then have process

11:51

request async and then dispose of

11:53

context to summarize these three

11:55

functions the create context is when you

11:59

are receiving the request so you doing

12:01

some setup you're then processing the

12:04

request and that's going to be the

12:06

underscore application which is again

12:08

just your middleware pipeline and then

12:10

you have the dispose context which is

12:12

basically going to tear everything down

12:15

in these contexts what is being used is

12:18

a default HTTP context which is a

12:20

service which is registered at the point

12:23

of this create Builder so when you

12:26

initially set up your Builder this

12:29

service already exists internally and

12:31

I've gone to bad Services over here but

12:33

I want to be over here okay and sorry I

12:35

wasn't talking about the default HTTP

12:37

context is the default HTTP context

12:39

Factory this is a service which exists

12:42

from the beginning over here when you

12:44

call create Builder Okay the default

12:47

HTTP context Factory if we take a look

12:49

at the create function that is going to

12:52

be inside the default HTTP context

12:54

factoring so just this class when we

12:57

create the HTTP cont context so the

12:59

default HTTP context over here it goes

13:02

through an initialization process the

13:05

default HTTP context Factory because it

13:07

comes from the same dependency injection

13:09

container where you're registering your

13:11

services it is attempting to extract an

13:14

HTTP context accessor from that same

13:17

container and you can see that this HTTP

13:19

context accessor if you never call add

13:22

HTTP context accessor it is actually

13:24

going to be null so this logic has to

13:26

account for that fact if the service is

13:29

present this is actually just going to

13:31

go ahead and set the HTTP context on the

13:34

HTTP context accessor okay so this

13:37

answers the question of when does the

13:40

HTTP context actually gets placed into

13:43

the HTTP context accessor and how long

13:46

does it actually exist there if we again

13:49

come back to the host application during

13:52

the setup of the request the ihtp

13:56

context accessor service actually gets

13:59

prepared and loaded with the created

14:01

HTTP context over here you then place

14:05

the HTTP context into the middleware

14:08

pipeline so it gets processed and after

14:11

which if we have the HTTP context

14:13

accessor we clear it from the context

14:15

and the dispose on the HTTP context

14:18

Factory this is where it's actually

14:20

going to clear it away from the HTTP

14:23

context accessor itself now I've

14:25

probably said HTTP context accessor like

14:27

a gazillion times but all you need to

14:29

know is that HTTP context accessor is

14:32

set up and the HTTP context inside the

14:35

HTTP context accessor gets wiped out

14:38

before and after the HTTP context

14:40

actually gets sent into your middleware

14:43

with that I think it's a good time to

14:44

end the video remember even though your

14:46

business logic sits inside the web

14:49

server you want to program it as if it

14:51

doesn't know anything about the web

14:52

server this way you're never going to

14:54

encounter a problem like relying on the

14:57

ihtp context access to get a user or

15:00

some kind of other state from the HTTP

15:02

request make sure all of that

15:04

information is extracted before or at

15:08

the point of you entering your endpoint

15:10

or action or Handler on the controller

15:13

razor page whatever it is that endpoint

15:16

action or Handler is the transition from

15:19

the HTTP server world into your business

15:22

logic as always if you enjoyed the video

15:23

don't forget to leave a like subscribe

15:25

if you have any questions make sure to

15:27

leave them in the comment section go

15:28

join my Discord server and if you want

15:30

the code for this video as well as my

15:32

other videos come support me on Patron I

15:34

will really appreciate it and a very

15:35

very big thank you to all of my current

15:37

patreon supporters you help me make

15:38

these videos don't forget to check out

15:40

my C course again thank you for watching

15:43

have a good day