Integrating Arcus API Security Filters within F# Giraffe Function Pipelines

Arcus already has several API security filters to tighten access for the available endpoints. But all these filters are created with the standard OOP MVC mindset. Let's have a look at how we can change that into a functional mindset.

Arcus API security filters and F# Giraffe explained

First things first. What are the Arcus API security filters and what is F# Giraffe?
The Arcus Web API library provides several API authentication and authorization filters to restrict access to certain endpoints in your ASP.NET Core application. At the time of writing it consists of:

  • Shared access key authentication
  • Certificate authentication
  • JSON web token (JWT) authorization

Giraffe is an F# library built on top of the ASP.NET Core framework. With the help of function chaining in F#, you can create your application solely with function composition. This post explains how we can integrate our Arcus API security filters, which are written with a C# OOP mindset, into an ASP.NET Core application written in Giraffe, which follows an F# functional programming (FP) mindset.


Giraffe application

Let me first show you what the starting point will be. We’ll start with the barebones of a Giraffe application that has one endpoint and no authentication or authorization.

If this is the first time you see an F# Giraffe application built on top of ASP.NET Core, take some time to wonder at how little code is required.


I’m not going to explain the full workings of Giraffe. In this post, the most important part is this line: route "/ping" >=> text "pong", where we route HTTP requests for the route "/ping" to an HTTP response with a plain text body of "pong".

For more information on the wonders of Giraffe, see this GitHub repository where the workings are explained and additional resources are available. You may want to grasp the basics if you want to continue with this post.


Authentication middleware

Giraffe already has some authentication function pipelines, but the purpose of this post was to integrate our Arcus authentication filters. Giraffe works with HTTP handlers which are essentially just functions with the HTTP context as input and output. Because of this, the entire application is one big function and everything is ‘middleware’ so to speak. The following code is the key to integrate our Arcus filters into this function architecture.

Look at how we pass along our Arcus filter and transform it into a Giraffe HTTP handler. Normally, in a ‘standard’ ASP.NET Core application, some of this functionality would already be done for us, but here we have to do it ourselves. You see that when the filter returns something, we do an ‘early return’ which short-circuits the remaining functions/middleware and responds directly to the client.



Arcus integration

With the authentication middleware in mind, we can easily include the Arcus filters in our application. The filters sometimes take extra arguments, so let's make a dedicated function where we do the same.


Now our final piece of the puzzle is finished and we can include our authentication function in our Giraffe application. Note that we are fully in control of where we want this authentication to happen, just like adding an attribute on an OOP MVC endpoint. Only this time, it’s with regular functions instead of metadata programming.
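
The adapter described above, as an added sketch that is not the original post's code nor Arcus code. `HeaderKeyFilter`, `authorizeWith`, `webApp` and the `X-API-Key` header are hypothetical names; the stand-in filter takes the place of an Arcus filter on the assumption that the Arcus filter implements ASP.NET Core's `IAsyncAuthorizationFilter`.

```fsharp
open System
open System.Security.Cryptography
open System.Text
open System.Threading.Tasks
open Microsoft.AspNetCore.Http
open Microsoft.AspNetCore.Mvc
open Microsoft.AspNetCore.Mvc.Abstractions
open Microsoft.AspNetCore.Mvc.Filters
open Microsoft.AspNetCore.Routing
open Giraffe

// Hypothetical stand-in for an Arcus filter: sets a 401 result unless exactly
// one header value is present and it equals the expected key (constant-time compare).
type HeaderKeyFilter(headerName: string, expectedKey: string) =
    interface IAsyncAuthorizationFilter with
        member _.OnAuthorizationAsync(context: AuthorizationFilterContext) =
            let matches =
                match context.HttpContext.Request.Headers.TryGetValue headerName with
                | true, values when values.Count = 1 ->
                    CryptographicOperations.FixedTimeEquals(
                        ReadOnlySpan<byte>(Encoding.UTF8.GetBytes(values.[0])),
                        ReadOnlySpan<byte>(Encoding.UTF8.GetBytes(expectedKey)))
                | _ -> false
            if not matches then context.Result <- (UnauthorizedResult() :> IActionResult)
            Task.CompletedTask

// Wraps any MVC authorization filter as a Giraffe HttpHandler. MVC normally
// builds the filter context and executes the result; here we do both by hand.
let authorizeWith (filter: IAsyncAuthorizationFilter) : HttpHandler =
    fun (next: HttpFunc) (ctx: HttpContext) ->
        task {
            let actionContext = ActionContext(ctx, RouteData(), ActionDescriptor())
            let filters = ResizeArray<IFilterMetadata>([ filter :> IFilterMetadata ])
            let filterContext = AuthorizationFilterContext(actionContext, filters)
            do! filter.OnAuthorizationAsync filterContext
            if isNull filterContext.Result then
                return! next ctx // filter raised no objection: continue the pipeline
            else
                // Early return: write the filter's response and skip the remaining handlers.
                do! filterContext.Result.ExecuteResultAsync actionContext
                return Some ctx
        }

// Only /ping is guarded; apiKey is assumed to be loaded from a secret store by the caller.
let webApp (apiKey: string) : HttpHandler =
    choose [ route "/ping" >=> authorizeWith (HeaderKeyFilter("X-API-Key", apiKey)) >=> text "pong" ]
```

A filter that sets an `ObjectResult` instead of a plain status code result needs the MVC services registered, because that result resolves its executor from the request's service provider.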




In this post, we looked at how we can integrate OOP MVC functionality into an FP architecture using the Giraffe library. Concepts that were made with another mindset are still compatible with a functional architecture, given the necessary alterations. I hope you see that this approach also holds for concepts other than authentication. It opens up a wide range of possibilities if we can reuse functionality between OOP and FP instead of reinventing the wheel.

Thanks for reading. Stay safe.

