0

I am new to this whole MVC stuff, so please bear with me.

I am wondering what is the correct way to implement controller logic.

In other words, take this very simple example, a forgot password screen. In traditional ASP/ASP.Net, this could eaisly be handled in one page, hide/show a div or two based on the flow... done!!

I have come up with the following and just wanted to see if I was on the right track. Have a look at the following controller:

Namespace Controllers
    Public Class AuthenticationController
        Inherits ControllerBase

        Private MembershipProvider As New GTGMembershipProvider

        <HttpGet()>
        Function LogOn() As ActionResult
            If (User.Identity.IsAuthenticated) Then
                Return RedirectToAction("Index", "Main")
            End If

            Return View(New LogOnViewModel)

        End Function

        <HttpPost()>
        Function LogOn(Model As LogOnViewModel, ReturnUrl As String) As ActionResult
            If (Not ModelState.IsValid) Then
                Return View(Model)
            End If

            If (Not MembershipProvider.ValidateUser(Model.UserName, Model.Password)) Then
                ModelState.AddModelError("", "Invalid login. Incorrect password/user name.")
                Return View(Model)
            End If

            IssueAuthenticationTicket(Model)

            If (Not ReturnUrl.IsNullOrEmpty) Then
                Return Redirect(ReturnUrl)
            Else
                Return RedirectToAction("Index", "Main")
            End If

        End Function

        Function LogOff() As ActionResult
            FormsAuthentication.SignOut()
            Return RedirectToAction("Index", "Main")

        End Function

        <HttpGet()>
        Function ForgotPassword() As ActionResult
            Return View(New ForgotPasswordViewModel)

        End Function

        <HttpPost()>
        Function ForgotPassword(Model As ForgotPasswordViewModel) As ActionResult
            If (Not ModelState.IsValid) Then
                Return View(Model)
            End If

            Return RedirectToAction("PasswordSent")

        End Function

        <HttpGet()>
        Function PasswordSent() As ActionResult
            Return View()

        End Function

        Private Sub IssueAuthenticationTicket(Model As LogOnViewModel)
            Dim Profile As New CustomerProfile With {.FirstName = "Sam", .ID = 1, .LastName = "Striano"}

            Dim Ticket As New FormsAuthenticationTicket(1, Model.UserName, Now, Now.AddDays(30), Model.RememberLogon, Profile.ToString)
            Dim Cookie As New HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(Ticket))

            HttpContext.Response.Cookies.Add(Cookie)

        End Sub

    End Class
End Namespace
Improve this question
1

2 Answers 2

Reset to default
1

You are on the right track. Three suggestions I have to make your code better are:

  1. Refactor IssueAuthenticationTicket to method on an IAuthenticationService implementation, where IAuthenticationService looks like

    public interface IAuthenticationService{ bool Authenticate(LogOnViewModel viewModel, HttpContextBase httpContext); }

    That way your concerns are separated, so if you have to change the way the session is authenticated, you won't have to changed the controller logic. You could actually even keep your MembershipProvider dependency in the implementation and make the interface look like:

    public interface IAuthenticationService{ bool Authenticate(LogOnViewModel viewModel, HttpContextBase httpContext, out string message); }

  2. Look into Inversion of Control and Dependency Injection to inject your dependencies automatically into the controller via the constructor. My favorite tool for this is StructureMap. This way you don't have to couple the controller to a specific implementation and you don't have to handle any creation logic from within the controller. (The only thing this would affect in your sample would be the call to create a New GTGMembershipProvider. This isn't a big deal here, but with more complicated controllers with more complex dependencies, this could really take up a lot of space and make your code less readable).

  3. You COULD put the logon model validation logic in a ModelValidator. But, this may or may not be a good idea, because it requires multiple instances of the MembershipProvider. If your membership provider is implemented as a singleton then this would make sense.

Sorry about the C# - I figure it's better to write it right in C#, then maybe write it right in VB.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

I think this is good for being the authentication controller, some people migth suggest to create a level of abstraction and move code to another class, but in this case I don't think is necessary, for other controllers where you do deal with your business objects it will be necessary, the rule of thumb (IMHO) is that the only function the controller actions should perform is to gather the data for the model that will be displayed and passed to the view, how you get that data should be in other classes, but again, in this particular controller, I think this is simple enough to keep it this way

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.