Response caching is the technique by which a browser or other client stores a server's response in memory. As a result, requests for the same resources will be processed more quickly in the future. Additionally, this will spare the server from processing and producing the same response over and over again. ASP.NET Core uses the ResponseCache property to set the response caching headers. Moreover, we can use the Response Caching Middleware to control the caching behavior from the server side. Once we've configured clients and other proxies to determine how to cache the server response, they can read the response caching headers. The HTTP 1.1 Response Cache Specification stipulates that browsers, clients, and proxies need to have caching headers.

What Does "caching" Mean?
The process of temporarily storing frequently used data so that it can be rapidly retrieved is known as caching. The application's overall speed will be improved because there won't be as much need to fetch the same data from the database or other storage devices.

ASP.NET Core Caching Types

• Multiple Caching Mechanism Types are Supported by ASP.NET Core. They are listed in the following order.
• In-Memory Caching: The most basic type of caching, in-memory caching works well with a single server. The main memory of the web server houses the data. It is quick and appropriate for data that doesn't require persistence past the web server process' lifetime or require a lot of memory. It works well for storing modest volumes of information.
• Distributed Caching: Applications that must share data across multiple servers in load-balancing or multi-server environments are best suited for distributed caching. It entails keeping data in an external system, like NCache, SQL Server, Redis, and so forth. Although it requires more work than in-memory caching, large-scale applications must use it to guarantee consistency between requests and sessions.
• Response Caching: Response Caching is the process of keeping the result of a request-response cycle in the cache in order to serve the resource from the cache in response to subsequent requests rather than having to generate the response from scratch. This method can greatly enhance the performance of a web application, particularly for resources that are costly to produce and don't change frequently.

HTTP Based Response Caching
Now let's talk about the different HTTP Cache Directives and how to control the way caching behaves. Cache-control is the primary header parameter that we utilize to specify whether or not a response can be cached. The cache-control header should be respected and adhered to by clients, proxy servers, and browsers when it shows up in the response.

Let's now examine the standard cache-control directives.

• public: denotes the ability for a cache to hold the response locally on the client or in a shared location.
• private: denotes that the response may only be stored in a client-side private cache and not in a shared cache.
• no-cache: The no-cache flag instructs a cache not to respond to any requests with a stored response.
• no-store: The no-store flag instructs a cache not to keep the answer.

Browsers and clients understand no-cache and no-store differently, despite the fact that they sound and even behave similarly. We will discuss this in more depth as we go through the instances.

A few more headers, in addition to cache control, can regulate the caching behavior.

For backward compatibility with the no-cache directive and the HTTP 1.0 specification, the pragma header is used. It will disregard the pragma header if we supply the cache-control header.

Vary: This tells it that it can only send a cached response if every field in the header precisely matches the request that came in before. A new response is generated by the server if any of the fields are modified.

Illustrations of HTTP Cache Directives
We will now create an ASP.NET Core application to demonstrate how the cache directives work. Now let's add a controller action method to an ASP.NET Core Web API project that has been created.
public record EmployeeDto
{
    public Guid Id { get; init; }
    public string Name { get; init; }
    public EmployeeType Type { get; init; }
    public string Mno { get; init; }
    public decimal Salary { get; init; }
    public DateTime CurrentDate { get; init; } = DateTime.Now;
}

[HttpGet("{id}")]
public IActionResult GetById(Guid id)
{
    var emp = _employeeService.GetById(id);
    if (emp == null)
    {
        return NotFound();
    }

    return Ok(emp);
}

ResponseCache Attribute
The ResponseCache attribute for an ASP.NET Core application specifies the properties for configuring the relevant response caching headers. This attribute can be used for specific endpoints or at the controller level.

Let's update the API endpoint with the ResponseCache attribute.
[HttpGet("{id}")]
[ResponseCache(Duration = 120, Location = ResponseCacheLocation.Any)]
public IActionResult GetById(Guid id)
{
    var emp = _employeeService.GetById(id);

    if (emp == null)
    {
        return NotFound();
    }

    return Ok(emp);
}

The max-age header, which we use to set the cache duration for two minutes (120 seconds), is produced by this Duration property. In a similar manner, the cache-control header's location will be set by the Location property. Both the client and the server will be able to cache the response because we have the location set to Any, which is similar to the public directive of the cache-control header.

Let us now access the API endpoint and confirm these contents within the response headers.
cache-control: public,max-age=120

Furthermore, if the browser uses a cached response after we repeatedly invoke the endpoints, the response from the disk cache will be indicated in the status code.
200 is the status code (from disk cache).

Let's now examine the various ResponseCache parameter options.

All we have to do is update the Location property to ResponseCacheLocation.Client in order to change the cache location to private.
[ResponseCache(Duration = 60, Location = ResponseCacheLocation.Client)]

By doing this, the cache-control header value will be altered to private, indicating that the response can only be cached by the client.
cache-control: private,max-age=60

Let's now change ResponseCacheLocation.None as the Location parameter:
[ResponseCache(Duration = 60, Location = ResponseCacheLocation.None)]

This will cause the client to be unable to use a cached response without revalidating with the server, as it will set the cache-control and pragma headers to no-cache:

We can confirm that the server always generates a fresh response in this configuration, and the browser never uses the cached response.
cache-control: no-cache,max-age=60

We can confirm that the server always generates a fresh response in this configuration, and the browser never uses the cached response.

NoStore Property
Let's now set the ResponseCache attribute's NoStore property to true.
[ResponseCache(Duration = 60, Location = ResponseCacheLocation.Any, NoStore = true)]

This will cause the response's cache-control header to be set to no-store, telling the client not to cache the response.
cache-control: no-store

Keep in mind that this will take precedence over the Location value we set. The client won't save the answer in its cache in this instance either.

Though the cache-control no-cache and no-store values might produce identical test results, different browsers, clients, and proxies interpret these headers in different ways. No-cache simply means that the client should not use a cached response without revalidating with the server, whereas no-store instructs clients or proxies to not store the response or any portion of it anywhere.

The VaryByHeader property of the ResponseCache attribute can be used to set the vary header.
[ResponseCache(Duration = 60, Location = ResponseCacheLocation.Any, VaryByHeader = "User-Agent")]

Here, we set the VaryByHeader property to User-Agent, which means that if the request originates from the same client device, it will use the cached response. The User-Agent value will alter and the client device will request a fresh response from the server. Let us confirm this.

Let's first see if the response headers contain the vary header.
cache-control: public,max-age=60
vary: User-Agent

Consequently, we can force the server to send a fresh response for a different device by configuring the VaryByHeader property to User-Agent.

VaryByQueryKeys Property
When the specified query string parameters change, we can force the server to send a new response by utilizing the VaryByQueryKeys property of the ResponseCache attribute. Naturally, if we set the value to "*," we can create a fresh response each time a query string parameter changes.

For instance, if the ID value in the URI changes, we might want to produce a fresh response.
    …/emp?id=53C68EE5-107B-42DB-821E-E1F893C5BDA3
    …/emp?id=6E5692FA-EEF6-426A-B280-EF444CB2BA1E

To do this, let's alter the Get action to add the id parameter and supply the ResponseCache attribute's VaryByQueryKeys property.
[ResponseCache(Duration = 60, Location = ResponseCacheLocation.Any, VaryByQueryKeys = ["id"])]

Recall that in order to set the VaryByQueryKeys property, we must activate the Response Caching Middleware. The code will raise a runtime exception if it doesn't.

Response Cache Middleware
When a response can be cached, the ASP.NET Core application's Response Caching Middleware establishes this and stores and serves the response from the cache.

The Response Caching Middleware can be enabled by adding a few lines of code to the Program class.

// service inject
builder.Services.AddResponseCaching();

// in the middleware
app.UseResponseCaching();

Using the AddResponseCaching() method, we must first add the middleware. Afterwards, we can use the UseResponseCaching() method to configure the application to use the middleware.

That is all. Now that the Response Caching Middleware has been turned on, the VaryByQueryKeys property ought to function.

Now that the application is running, let's check the response cache.

It is evident that if the query string remains unchanged, we will receive a cached response; however, if we modify the query string, the server will send a fresh response. Let's examine the response cache and modify the value of the query string.

Take note that the VaryByQueryKeys property does not have a corresponding HTTP header. Response Caching Middleware oversees managing this HTTP feature.

We learned the new technique and evolved together.

Happy coding!

An asymmetric cryptography algorithm is the RSA algorithm. In actuality, asymmetric refers to the fact that it operates on both the public and private keys. As implied by the name, the private key is kept secret while the public key is distributed to everybody. I've used the BouncyCastle package for RSA encryption and decryption in the sample below.

Notes

• Key Size: The example uses a 2048-bit key, which is a common and secure size for RSA.
• Encoding: Data is encoded as UTF-8 before encryption and decoded back after decryption.
• Security: Always handle and store keys securely. Exposing private keys or mishandling encrypted data can compromise security.

Step 1. First, you need to install the BouncyCastle package. You can do this via NuGet.

Step 2. Import the required package into the service.
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Encodings;
using Org.BouncyCastle.Crypto.Engines;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.OpenSsl;
using Org.BouncyCastle.Security;

Encryption Complete method
public  string EncryptRSA(string plaintext)
{
    string encryptedText = "";
    byte[] plaintextBytes = Encoding.UTF8.GetBytes(plaintext);

    // Load the public key from a PEM string or file
    string publicKeyPem = @""; // Replace your public key here
    AsymmetricKeyParameter publicKey;
    using (var reader = new StringReader(publicKeyPem))
    {
        PemReader pemReader = new PemReader(reader);
        publicKey = (AsymmetricKeyParameter)pemReader.ReadObject();
    }
    // Initialize the RSA engine for encryption with the public key
    IAsymmetricBlockCipher rsaEngine = new Pkcs1Encoding(new RsaEngine());
    rsaEngine.Init(true, publicKey); // true for encryption
    // Encrypt the data
    byte[] encryptedData = rsaEngine.ProcessBlock(plaintextBytes, 0, plaintextBytes.Length);
    // Convert the encrypted data to a Base64 string for easy transmission/storage
    encryptedText = Convert.ToBase64String(encryptedData);
    return encryptedText;
}

Breakdown of the encryption method

Step 1
plaintextBytes: The input string is converted to a byte array using UTF-8 encoding. This byte array represents the data to be encrypted.
byte[] plaintextBytes = Encoding.UTF8.GetBytes(plaintext);

Step 2
StringReader: The publicKeyPem string is passed to a StringReader to create a text reader.
PemReader: This reads the PEM-formatted key and converts it into an AsymmetricKeyParameter object.
using (var reader = new StringReader(publicKeyPem))
{
    PemReader pemReader = new PemReader(reader);
    publicKey = (AsymmetricKeyParameter)pemReader.ReadObject();
}

Step 3

• IAsymmetricBlockCipher: This interface represents the RSA encryption engine.
• Pkcs1Encoding: This wraps the RsaEngine to add PKCS#1 padding, which is commonly used in RSA encryption.
• Init Method: The RSA engine is initialized for encryption by passing true along with the public key.

IAsymmetricBlockCipher rsaEngine = new Pkcs1Encoding(new RsaEngine());
rsaEngine.Init(true, publicKey); // true for encryption

Step 4

• ProcessBlock: This method processes the data (encrypts it) using the initialized RSA engine. It takes the plaintext bytes and returns the encrypted byte array.
• Convert.ToBase64String: The encrypted byte array is converted to a Base64 string. Base64 encoding is used to make the encrypted data easier to transmit or store, as it converts binary data into ASCII string format.

byte[] encryptedData = rsaEngine.ProcessBlock(plaintextBytes, 0, plaintextBytes.Length);
encryptedText = Convert.ToBase64String(encryptedData);

Output Sample for RSA Encryption

Decryption Complete method
public string DecryptRSA(string encryptedText)
{
    string decryptedText = "";
    try
    {

        string pemPrivateKey = @""; // Replace your private key here
        RsaPrivateCrtKeyParameters keyPair;
        using (var reader = new StringReader(pemPrivateKey))
        {
            keyPair = (RsaPrivateCrtKeyParameters)new PemReader(reader).ReadObject();
        }
        var rsaParams = DotNetUtilities.ToRSAParameters(keyPair);
        using (var rsa = new RSACryptoServiceProvider())
        {
            rsa.ImportParameters(rsaParams);
            // Convert encrypted text from Base64
            byte[] encryptedData = Convert.FromBase64String(encryptedText);
            // Decrypt the data
            byte[] decryptedData = rsa.Decrypt(encryptedData, RSAEncryptionPadding.Pkcs1);
            return Encoding.UTF8.GetString(decryptedData);
        }
    }
    catch { }
    return decryptedText;
}

Output sample for decryption

Conclusion

• The method loads a public RSA key from a PEM string.
• It initializes an RSA encryption engine using BouncyCastle.
• The plaintext is encrypted using the public key, and the resulting encrypted data is returned as a Base64-encoded string.

This encryption method ensures that the plaintext is securely transformed into an encrypted format using the RSA algorithm, which can then only be decrypted by the corresponding private key.

An essential component of online application security is session management. We fix a widespread issue in this post that lets potential attackers reuse existing session IDs to obtain unauthorized access to ASP.NET sessions even after they have been logged out. We'll go over how to apply best practices like SSL/TLS and secure cookie settings, as well as how to correctly invalidate sessions upon logout and regenerate session IDs upon login. You can safeguard your ASP.NET application against replay and session fixation attacks and provide a safer environment for your users by adhering to these rules.

How to Handle the Problem
1. Upon logout, invalidate the session
Make sure that when the user logs out, the session is appropriately invalidated. You can accomplish this by using Session.Abandon() in your logout procedure.
An illustration of the logout action

Example in Logout Action
public ActionResult Logout()
{
    // Clear the session
    Session.Abandon();
    Session.Clear();
    // Clear authentication cookies
    FormsAuthentication.SignOut();
    // Redirect to the login page or home page
    return RedirectToAction("Login", "Account");
}

Explanation

• Session.Abandon() marks the session as abandoned, which means that the session will no longer be used and a new session will be created for the next request.
• Session.Clear() removes all items from the session.
• FormsAuthentication.SignOut() logs the user out and clears the authentication ticket.

2. Regenerate the Session ID Upon Login
It's important to regenerate the session ID after a successful login to prevent session fixation attacks. This ensures that any previous session ID is no longer valid.

Example

public ActionResult Login(LoginViewModel model)
{
    if (ModelState.IsValid)
    {
        // Authenticate the user
        var isAuthenticated = Membership.ValidateUser(model.Username, model.Password);
        if (isAuthenticated)
        {
            // Regenerate session ID to prevent session fixation
            SessionIDManager manager = new SessionIDManager();
            string newSessionId = manager.CreateSessionID(HttpContext.Current);
            bool redirected = false;
            bool isAdded = false;
            manager.SaveSessionID(HttpContext.Current, newSessionId, out redirected, out isAdded);
            // Set authentication cookie
            FormsAuthentication.SetAuthCookie(model.Username, model.RememberMe);
            return RedirectToAction("Index", "Home");
        }
    }
    return View(model);
}

Explanation
The SessionIDManager is used to create a new session ID, which is then saved to the current session. This ensures that after logging in, the user’s session ID is different from the one used before authentication.

3. Enforce Session ID expiration
Set a shorter session timeout to minimize the risk of an old session ID being used.

Web. config Setting

<system.web>
    <sessionState timeout="20" />
</system.web>

Explanation
The timeout attribute specifies the number of minutes a session can be idle before it is abandoned. A shorter timeout can reduce the risk of session reuse.

4. Use SSL/TLS
Ensure that your application uses SSL/TLS to protect the session ID in transit. This prevents attackers from capturing the session ID via network sniffing.

5. Secure Cookies
Mark the session cookies as HttpOnly and Secure to prevent client-side access to the session ID and ensure they are only transmitted over secure connections.

Web. config Setting

<system.web>
    <authentication mode="Forms">
        <forms requireSSL="true" />
    </authentication>
    <sessionState cookieSameSite="Strict" />
</system.web>

Explanation

• requireSSL="true" ensures that cookies are only sent over HTTPS.
• cookieSameSite="Strict" helps prevent CSRF attacks by limiting the conditions under which cookies are sent.

Summary
By ensuring that the session is properly invalidated on logout, regenerating the session ID upon login, setting session expiration policies, and securing your application with SSL/TLS and secure cookies, you can effectively mitigate the risk of session fixation and replay attacks. This will enhance the overall security of your ASP.NET application.

This kind of testing includes evaluating several software components simultaneously, from beginning to end, and evaluates them collectively. Integration testing in the structured development process uses unit-tested modules as input, aggregates them into a bigger set, and runs integration tests according to the test plan's specifications to produce output results that trigger system testing. Because it allows you to test the system in real-time and gain valuable insights into how it functions, integration testing is crucial.

Difference between unit testing and integration testing
In unit testing, we concentrate on a brief section of code, typically one function or method. Verifying that a piece of code is functioning and delivering the desired outcome is the aim. In order to test the logic using fictitious data, external dependencies like as databases, APIs, or services are typically mocked.

Integration testing examines how various system components interact with one another. Integration tests, as opposed to unit tests, verify that the integrated components function as intended in a realistic setting by using real or in-memory databases and other services. For a deeper understanding, let's dive right into the code.

Setting Up the .NET Core Project for Integration Testing
In this project, we will create a test environment using docker containers to create the test db using Postgres docker image. Create a test project inside your project solution using the .NET XUnit template.

Let's install all the necessary Nuget packages. Below is a list of packages that are required for testing.

• Microsoft.AspNetCore.Mvc.Testing
• AutoFixture
• AutoFixture.AutoMoq
• Testcontainers
• Test containers.PostgreSQL

For setting up the test environment we need to use the WebApplicationFactory class provided by Microsoft.Net.

Understanding the WebApplicationFactory
WebApplicationFactory<TEntryPoint> is used to create a TestServer for integration tests. `TEntryPoint` refers to the entry point class of the System Under Test (SUT), which is usually the Program.cs class.

To use this in our testing project, we first need to expose the Program.cs class. The reason for this is to inform the testing project that this is the entry point of the system.
There are two ways to expose the Program.cs class to the testing project.
First, add the below XML in your starting project (WebAPI project).

The second is to create a partial class with the name public partial class Program { }

Setting up the Postgres container for our testing environment requires us to construct a customized version of our WebApplicationFactory class. The WebApplicationFactory class, which is inherited and implements the IAsyncLifetime interface, is modified in the version shown below. With this implementation, all resources acquired by the test environment or Docker container are released once our tests in Visual Studio Test Explorer have concluded, ensuring that the Postgres container is disposed of appropriately.

We also need to set up Docker Compose to fetch the latest PostgreSQL image. Right-click on the solution, then choose the "Container Orchestration Support" option and select Docker Compose. This will automatically add the required files to your solution. Add the below to your docker-compose.yml file.

To signal that the class contains tests and to offer shared object instances among the tests in the class, test classes implement the IClassFixture class fixture interface. To do that, let's implement IClassFixture<TWebAppFactory> and create a BaseIntegrationTest Class.

To construct a completely functional test environment, we must create a database and the necessary tables inside it after retrieving the Postgres image. Include migration code in the BaseIntegrationTest class's constructor as well.

Now we are all set with the test environment and let's move to the actual test. Create a test class in my case.

Now let's run the test from VisualStudio Test Explorer; also, add a docker desktop to your PC. When we run the test first it will fetch the image from the docker hub with the label "postgres: label" and set up the container with our provided configuration in the docker-compose.yml file.

Docker fetched the PostgreSQL image for us.

Here, you can also create containers, and those containers will automatically be disposed of after the test finishes.

As you can see from the result, our test has also been passed also.

Conclusion
Integration testing ensures that different components of an application work together correctly, validating end-to-end functionality and detecting issues not covered by unit tests. It is crucial for identifying integration problems and verifying that the system meets its requirements as a whole. Thanks for reading!

Step 1: Create an account on Stripe and obtain credentials
You must get your API keys and create a Stripe account before you can begin the integration. Take these actions.

• Visit stripe.com to register or log in to Stripe.
• Open the Dashboard and find the API area.
• Make a copy of your publishable key and secret key. These keys are going to be used for Stripe application authentication.

Step 2: Make an application using the.NET API
To integrate Stripe, create a new ASP.NET Core API application. Download the.NET SDK from the.NET website if it isn't already installed on your computer.
Launch a terminal or command prompt.

The command to start a new API project is as follows.
dotnet new webapi -n SubscriptionSystem

Navigate to the project directory.
cd SubscriptionSystem

Step 3: Set Up Stripe in .NET
To use Stripe, install the Stripe NuGet package in your .NET application.

Install the Stripe package.
dotnet add package Stripe.net

Add your Stripe secret key to the configuration.

Open appsettings.json and add the following.
{
  "Stripe": {
    "SecretKey": "your_stripe_secret_key"
  }
}

Step 4: Implement Subscription Functionality
Now, let's implement the subscription functionality. We will create a StripeController to handle the subscription process.

Creating the DTOs
First, create the necessary DTOs for handling Stripe data.

PaymentDto.cs
namespace SubscriptionSystem.Dtos
{
    public class PaymentDto
    {
        public string PaymentMethodId { get; set; }
        public string CustomerId { get; set; }
    }
}

StripePaymentRequestDto.cs
namespace SubscriptionSystem.Dtos
{
    public class StripePaymentRequestDto
    {
        public string Email { get; set; }
        public string PaymentMethodId { get; set; }
    }
}

StripeProductDto.cs
namespace SubscriptionSystem.Dtos
{
    public class StripeProductDto
    {
        public string Id { get; set; }
        public string Name { get; set; }
        public long Amount { get; set; }
        public string Currency { get; set; }
        public string Interval { get; set; }
    }
}

SubscriptionDto.cs
namespace SubscriptionSystem.Dtos
{
    public class SubscriptionDto
    {
        public string SubscriptionId { get; set; }
        public string CustomerId { get; set; }
        public string ProductId { get; set; }
    }
}

Creating the Service Interface and Implementation
Create an interface for the Stripe service and its implementation.

IStripeService.cs
using SubscriptionSystem.Dtos;

namespace SubscriptionSystem.Interfaces
{
    public interface IStripeService
    {
        Task<string> CreateCustomerAsync(string email, string paymentMethodId);
        Task<string> CreateSubscriptionAsync(string customerId, string priceId);
        Task CancelSubscriptionAsync(string subscriptionId);
        Task<StripeProductDto> CreateProductAsync(string name, long amount, string currency, string interval);
    }
}

StripeService.cs
using Stripe;
using SubscriptionSystem.Dtos;
using SubscriptionSystem.Interfaces;

namespace SubscriptionSystem.Services
{
    public class StripeService : IStripeService
    {
        public async Task<string> CreateCustomerAsync(string email, string paymentMethodId)
        {
            var options = new CustomerCreateOptions
            {
                Email = email,
                PaymentMethod = paymentMethodId,
                InvoiceSettings = new CustomerInvoiceSettingsOptions
                {
                    DefaultPaymentMethod = paymentMethodId
                }
            };
            var service = new CustomerService();
            var customer = await service.CreateAsync(options);
            return customer.Id;
        }

        public async Task<string> CreateSubscriptionAsync(string customerId, string priceId)
        {
            var options = new SubscriptionCreateOptions
            {
                Customer = customerId,
                Items = new List<SubscriptionItemOptions>
                {
                    new SubscriptionItemOptions { Price = priceId }
                },
                Expand = new List<string> { "latest_invoice.payment_intent" }
            };
            var service = new SubscriptionService();
            var subscription = await service.CreateAsync(options);
            return subscription.Id;
        }

        public async Task CancelSubscriptionAsync(string subscriptionId)
        {
            var service = new SubscriptionService();
            await service.CancelAsync(subscriptionId);
        }

        public async Task<StripeProductDto> CreateProductAsync(string name, long amount, string currency, string interval)
        {
            var productOptions = new ProductCreateOptions
            {
                Name = name,
            };
            var productService = new ProductService();
            var product = await productService.CreateAsync(productOptions);

            var priceOptions = new PriceCreateOptions
            {
                UnitAmount = amount,
                Currency = currency,
                Recurring = new PriceRecurringOptions { Interval = interval },
                Product = product.Id,
            };
            var priceService = new PriceService();
            var price = await priceService.CreateAsync(priceOptions);

            return new StripeProductDto
            {
                Id = price.Id,
                Name = product.Name,
                Amount = price.UnitAmount.Value,
                Currency = price.Currency,
                Interval = price.Recurring.Interval
            };
        }
    }
}

Creating the Controller
Create a StripeController to handle the subscription process.
StripeController.cs

using Microsoft.AspNetCore.Mvc;
using SubscriptionSystem.Dtos;
using SubscriptionSystem.Interfaces;

namespace SubscriptionSystem.Controllers
{
    [ApiController]
    [Route("api/[controller]")]
    public class StripeController : ControllerBase
    {
        private readonly IStripeService _stripeService;

        public StripeController(IStripeService stripeService)
        {
            _stripeService = stripeService;
        }

        [HttpPost("create-customer")]
        public async Task<IActionResult> CreateCustomer([FromBody] StripePaymentRequestDto paymentRequest)
        {
            var customerId = await _stripeService.CreateCustomerAsync(paymentRequest.Email, paymentRequest.PaymentMethodId);
            return Ok(new { CustomerId = customerId });
        }

        [HttpPost("create-subscription")]
        public async Task<IActionResult> CreateSubscription([FromBody] SubscriptionDto subscriptionDto)
        {
            var subscriptionId = await _stripeService.CreateSubscriptionAsync(subscriptionDto.CustomerId, subscriptionDto.ProductId);
            return Ok(new { SubscriptionId = subscriptionId });
        }

        [HttpPost("cancel-subscription")]
        public async Task<IActionResult> CancelSubscription([FromBody] SubscriptionDto subscriptionDto)
        {
            await _stripeService.CancelSubscriptionAsync(subscriptionDto.SubscriptionId);
            return NoContent();
        }

        [HttpPost("create-product")]
        public async Task<IActionResult> CreateProduct([FromBody] StripeProductDto productDto)
        {
            var product = await _stripeService.CreateProductAsync(productDto.Name, productDto.Amount, productDto.Currency, productDto.Interval);
            return Ok(product);
        }
    }
}

Step 5. Handling Stripe Webhooks
Stripe webhooks allow your application to receive notifications about changes to your customer's subscription status. To handle webhooks.

1. Create a Webhook Endpoint: This endpoint will receive webhook events from Stripe.
2. Verify the Webhook Signature: Ensure that the event is from Stripe by verifying the signature.

Setting Up the WebhookStripeController.cs[HttpPost("webhook")]
public async Task<IActionResult> Webhook()
{
    var json = await new StreamReader(HttpContext.Request.Body).ReadToEndAsync();
    try
    {
        var stripeEvent = EventUtility.ConstructEvent(
            json,
            Request.Headers["Stripe-Signature"],
            "your_stripe_webhook_secret"
        );

        // Handle the event
        if (stripeEvent.Type == Events.CustomerSubscriptionCreated)
        {
            var subscription = stripeEvent.Data.Object as Subscription;
            // Handle the subscription creation
        }
        else if (stripeEvent.Type == Events.CustomerSubscriptionDeleted)
        {
            var subscription = stripeEvent.Data.Object as Subscription;
            // Handle the subscription cancellation
        }

        return Ok();
    }
    catch (StripeException e)
    {
        return BadRequest();
    }
}

Update the Dependency Injection in the Program.cs
Make sure to register the Stripe service in the dependency injection container.

Program.cs
builder.Services.AddScoped<IStripeService, StripeService>();
builder.Services.AddScoped<ProductService>();
builder.Services.AddScoped<SubscriptionService>();

Conclusion
In this article, we went through the steps to integrate Stripe for subscription payments in an ASP.NET Core API application. This includes setting up Stripe, creating the necessary DTOs, implementing the service interface, and creating a controller to handle subscription functions. This template allows you to easily manage customer creation, product development, and subscription lifecycles. Stripe’s integration enhances your application by providing secure and reliable payment processing.

In.NET Core, access modifiers are essential for specifying how accessible classes, methods, and variables are. One of the main tenets of object-oriented programming (OOP) is encapsulation, which they assist enforce by deciding which sections of your code can access which members. The many kinds of access modifiers that are available in.NET Core will be discussed in this article, along with usage examples.

1. What are Access Modifiers?
In C#, classes, methods, properties, and other members can have their accessibility level specified using keywords called access modifiers. Access modifiers assist guard against accidental changes or misuse of your code by allowing you to manage which areas of your codebase can communicate with a specific class or member.

2. Types of Access Modifiers in .NET Core
There are five main access modifiers in .NET Core:

• Public
• Private
• Protected
• Internal
• Protected Internal
• Private Protected

Let's dive into each of these access modifiers.

3. Public Access Modifier
The public access modifier makes a class, method, or property accessible from any other code in the same assembly or another assembly that references it. It is the most permissive access level.

Example
public class Car
{
    public string Color { get; set; }
    public void Drive()
    {
        Console.WriteLine("The car is driving.");
    }
}

In this example, the Car class, its Color property, and the Drive() method are all accessible from any other code.

4. Private Access Modifier
The private access modifier restricts access to the containing class only. This means that members declared as private cannot be accessed from outside the class they are declared in.

Example

public class Car
{
    private string engineNumber;
    public void StartEngine()
    {
        Console.WriteLine("The engine has started.");
    }
}

Here, the engine number field is private and can only be accessed or modified by members of the Car class.

5. Protected Access Modifier
The protected access modifier allows access to the containing class and any class that derives from it. It is useful when you want to allow derived classes to access certain members of the base class.

Example
public class Vehicle
{
    protected int speed;
    public void Move()
    {
        Console.WriteLine("The vehicle is moving.");
    }
}
public class Car : Vehicle
{
    public void Accelerate()
    {
        speed += 10; // Accessible because Car inherits from Vehicle
        Console.WriteLine("The car is accelerating.");
    }
}

In this example, the speed field is protected, allowing the Car class to access it.

6. Internal Access Modifier
The internal access modifier limits access to the current assembly. This means that members marked as internal can be accessed by any code within the same assembly, but not from another assembly.

Example
internal class Engine
{
    internal void Start()
    {
        Console.WriteLine("Engine started.");
    }
}

Here, the Engine class and its Start() method are internal, meaning they can be accessed by any code within the same assembly but not from other assemblies.

7. Protected Internal Access Modifier
The protected internal access modifier is a combination of protected and internal. It allows access from any code within the same assembly and from derived classes in other assemblies.

Example
public class Vehicle
{
    protected internal int speed;
    public void Move()
    {
        Console.WriteLine("The vehicle is moving.");
    }
}

In this example, the speed field is accessible within the same assembly and by derived classes in other assemblies.

8. Private Protected Access Modifier
The private protected access modifier is a combination of private and protected. It allows access only within the containing class or derived classes that are within the same assembly.

Example
public class Vehicle
{
    private protected int speed;
    public void Move()
    {
        Console.WriteLine("The vehicle is moving.");
    }
}

Here, the speed field is accessible only within the Vehicle class and any derived classes in the same assembly.

9. Choosing the Right Access Modifier
Choosing the appropriate access modifier is important for maintaining the integrity and security of your code. Here are some guidelines:

• Use private for members that should only be accessible within the class.
• Use protected when you want derived classes to access members of the base class.
• Use internally for members that should be accessible across the same assembly but hidden from other assemblies.
• Use public for members that need to be accessible from any code.
• Use protected internal when you want to combine the accessibility of protected and internal.
• Use private protection when you want to restrict access to the containing class and derived classes within the same assembly.

10. Conclusion
Access modifiers are an essential part of object-oriented programming in .NET Core. They help you define the visibility and accessibility of your classes, methods, and variables, ensuring that your code is secure, modular, and easy to maintain. By understanding and correctly using access modifiers, you can better control the structure and behavior of your application, leading to more robust and reliable software.

When designing your classes and members, always consider the appropriate access level that aligns with the intended use of your code. This will help you avoid unintended access and maintain a clear and maintainable codebase.

Ever pondered the workings of a C# code? What is occurring behind the scenes? Let's dig deep into the history of C# code execution in this blog post, focusing on the crucial element known as CLR, which is in charge of carrying out our code.

Prior to delving into the fundamentals of CLR, let's grasp some fundamental ideas,

A controlled code: what is it?
Managed code, or just code that executes under the supervision of a runtime environment, is code that we write with a language compiler that targets a runtime.

Why Managed Code?
Managed code with a runtime environment gives a number of benefits.

• Memory Management
• Security
• Cross Platform compatibility
• Cross-language integrity
• Exception handling
• Debugging and profiling services etc.

How does it operate?
Every runtime loadable portable executable (PE) file, such as dll and exe, has metadata and a common Intermediate language (CIL) that identifies types, members, and references. These are produced by language compilers. This method is used by the runtime to find and load classes, arrange memory, and resolve method invocation. A built-in compiler will convert CIL to native code while the procedure is running. One way to sum up the managed code execution process is as follows.

1. Compiling source code to CIL by Language compiler]
2. Translating the CIL to native code during execution
3. Running the code using the metadata from the PE file with provided memory management, Type checking, and exception handling.

Fantastic We now understand what managed code is and how a runtime interacts with it. Let's get right into Core CLR. The runtime environment supplied by.net core, known as Core CLR, is in charge of managing code execution. There are several language compilers that target the Core CLR runtime, including Visual Basic, C#, Visual C++, F#, Perl, and COBOL. Let's use C# as an example to delve deeper into the CLR.

Our language compiler creates metadata and translates C# code into Common Intermediate Language (CIL), a low-level, CPU-independent set of instructions that was formerly known as Microsoft Intermediate Language (MSIL). A language compiler creates this intermediate, which CLR will then further compile into machine code. CLR receives this.

Let's now examine the function of CLR. CLR must compile CIL to native code based on the architecture of the target machine in order to carry out the instructions given in the form of CIL..NET offers two methods for this purpose.

1. Just-in-time compiler (JIT)
2. Native Image Generator

Just-in-time compiler
JIT converts the CIL to machine code during runtime on demand when the content of assembly is loaded and executed.

How it works?

• The method is executed, CLR hands over the CIL for the method to JIT
• JIT will translate the code to machine code
• The Generated machine code is cached, so the subsequent calls to the method will be handled from the cache.
• Native machine code is executed by the CPU.

Types of JIT
.net core runtime includes several types of JIT compilation strategies.

Tired Compilation
Aims to provide fast startup and High throughput. It involves compiling the methods in two tiers.

• Tier 0 – Quick JIT: Methods are initially compiled with minimal optimization to provide faster throughput
• Tier 1 – Optimized JIT: Methods that are executed frequently are recompiled with higher optimization.

Regular JIT
These are the regular JIT, Where the methods are initially compiled with higher optimization and cached.

• Pre-compilation (Ready to Run – R2R): R2R is a case of ahead-of-time compilation, where the CIL code is compiled to native code during the build time itself.
• Dynamic Profile Guided Optimization: This is a highly advanced option, where the runtime collects profiling information about the application while it runs and uses this data to optimize the code.

Native Image Generator
JIT compiler converts the CIL code to machine code when methods defined in the assembly are invoked. This will have a negative impact on the performance, and also, the code generated by the JIT compiler is bound to the process that triggered the compilation. It cannot be shared among other processes. To allow the generated machine code to be shared among multiple processes, the CLR supports ahead-of-time compilation (AOT) mode. This mode uses Ngen.exe I to convert CIL to machine code as JIT does, but slightly in a unique way.

How does Ngen.exe work?
It performs CIL to Machine code conversion before running the application. It compiles the entire assembly, one at a time, and stores the machine-generated code in Native Image Cache as a file on the disk.

Now let’s go back to the CLR, Let’s see what the other functionalities of CLR other are than converting CIL to Machine Code. Another key role of the CLR is to perform Verification of the CIL code. The CLR always examines the CIL code to make sure it is type-safe. Type safety means the code only accesses the memory locations it is authorized to do. This type of safety verification makes sure the objects are isolated from each other and it avoids any kind of corruption. CLR uses various verification steps like,

• Verifies the value assigned to the variable matches the declared types.
• Verifies the method calls using the correct number and type of the arguments.
• Validate the meta data and make sure the members are defined correctly matching their metadata, external libraries used are resolved properly.

Like these, various validations are available. Finally, the CLR does the job of executing the generated machine code. During this time CLR provides a lot of added functionalities like Garbage Collection, Thread Handling, Interoperability, etc. These we will discuss in detail in my upcoming blog.

According to the RFC 7515 standard, JWS (JSON Web Signature) is a small, URL-safe technique for securely conveying claims between two parties. It gives you the ability to digitally sign documents and guarantees that they weren't altered in transit. A particular kind of message authentication code (MAC) called HMAC (Hash-based Message Authentication Code) uses a secret cryptographic key along with a cryptographic hash function. When JWS is used, computing the JWS Signature with a secret key and a hash function is known as employing HMAC.

Why Use JWS HMAC?

• Integrity and Authenticity: JWS with HMAC provides both data integrity and authentication. The signature ensures that the data has not been altered, and since the HMAC key is secret, it can verify that the sender (or signer) of the JWT is who they claim to be.
• Security: HMAC is considered a strong method of ensuring data integrity because it involves a secret key, which makes it difficult to forge compared to non-keyed hashes.
• Compactness: JWS provides a compact way to securely transmit information via URLs, HTTP headers, and within other contexts where space is limited.

How to Use JWS HMAC in an ASP.NET Web Application?
You'll usually be working with JWT (JSON Web Tokens), where JWS forms the signed and encoded string, in order to employ JWS HMAC in an ASP.NET application. Here's how to put this into practice:

Step 1. Install Necessary NuGet Package
A JWT-capable library is required. System is a well-liked option.IdentityModel.Coins.JWT. NuGet can be used to install it.
Install-Package System.IdentityModel.Tokens.Jwt

Step 2. Create and Sign a JWT with HMAC
Here's how you can create a JWT and sign it using HMAC in your ASP.NET application.
using System;
using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;
using System.Text;
using System.Security.Claims;

public class TokenService
{
    public string GenerateToken()
    {
        var secretKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("your-256-bit-secret"));
        var signinCredentials = new SigningCredentials(secretKey, SecurityAlgorithms.HmacSha256);

        var tokenOptions = new JwtSecurityToken(
            issuer: "https://yourdomain.com",
            audience: "https://yourdomain.com",
            claims: new List<Claim>(),
            expires: DateTime.Now.AddMinutes(30),
            signingCredentials: signinCredentials
        );

        var tokenString = new JwtSecurityTokenHandler().WriteToken(tokenOptions);

        return tokenString;
    }
}

Explanation

• Secret Key: This is a key used by HMAC for hashing. It should be kept secret and secure.
• Signing Credentials: Uses the secret key and specifies the HMAC SHA256 algorithm for signing.
• JwtSecurityToken: Represents the JWT data structure and allows setting properties like issuer, audience, claims, expiry time, etc.
• JwtSecurityTokenHandler: Handles the creation of the token string.

Step 3. Validate the JWT in ASP.NET
When you receive a JWT, you need to validate it to ensure it's still valid and verify its signature.
public ClaimsPrincipal ValidateToken(string token)
{
    var tokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
        ValidIssuer = "https://www.hostforlifeasp.net",
        ValidAudience = "https://www.hostforlifeasp.net",
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("your-256-bit-secret"))
    };

    var tokenHandler = new JwtSecurityTokenHandler();
    SecurityToken validatedToken;
    var principal = tokenHandler.ValidateToken(token, tokenValidationParameters, out validatedToken);
    return principal;
}

Note. Please change www.hostforlifeasp.net to www.yourdomain.com

This function uses JwtSecurityTokenHandler to validate the token and sets up the parameters (issuer, audience, lifetime, and signature key) that require validation. It throws an exception if the token is invalid and returns a ClaimsPrincipal with the token's claims.

Conclusion
A secure method for managing tokens for information exchange and authentication in ASP.NET is to use JWS HMAC. It gives you piece of mind and security for your online applications by making sure the tokens are authentic and unaltered.

Using a dedicated object instance of the System, developers may now improve performance and security in their multithreaded applications with the release of.NET 9 and C# 13.Threading.type of lock. The advantages of utilizing this new feature, the newly introduced compiler warnings, and the best practices for locking in earlier.NET and C# versions are all covered in this article.

System.Threading.Lock: Why Use It?
Locking a dedicated object instance of the System, starting with C# 13 and.NET 9.Threading.It is advisable to choose a lock type for best results. In multithreaded contexts, this particular lock object is intended to reduce overhead and enhance concurrency.

Warnings from compilers for increased safety
The compiler now raises warnings if a known Lock object is cast to a different type and locked in order to improve code safety. By ensuring that locks are utilized correctly and preventing potential misuse, this lowers the possibility of deadlocks and contention problems.

Best practices for Locking in Older versions

If you're working with an older version of .NET and C#, it's essential to follow best practices to avoid common pitfalls in multithreading. Here are some guidelines.

• Use a Dedicated Object Instance: Always lock on a dedicated object instance that isn't used for another purpose. This helps prevent unintended side effects and conflicts.
• Avoid Using Common Instances as Lock Objects

• Avoid this: Locking on this can lead to issues as callers might also lock the same object, causing deadlocks.
• Avoid Type Instances: Type instances obtained via the type operator or reflection can be accessed from different parts of the code, leading to unintended locks.
• Avoid string Instances: Strings, including string literals, might be interned, causing different parts of the application to inadvertently share the same lock object.

• Minimize Lock Duration: Hold a lock for the shortest time possible to reduce lock contention. This practice ensures that other threads are not blocked for extended periods, improving overall application performance.

Example of using System.Threading.Lock
Here's an example of how to use the new System.Threading.Lock in .NET 9 and C# 13.

public class MyClass
{
    private readonly System.Threading.Lock _lock = new();
    public void CriticalSection()
    {
        lock (_lock)
        {
            // Critical code here
        }
    }
}

Example
The following example defines an Account class that synchronizes access to its private balance field by locking on a dedicated balance lock instance. Using the same instance for locking ensures that two different threads can't update the balance field by calling the Debit or Credit methods simultaneously. The sample uses C# 13 and the new Lock object. If you're using an older version of C# or an older .NET library, lock an instance of an object.
using System;
using System.Threading.Tasks;
public class Account
{
    // Use `object` in versions earlier than C# 13
    private readonly System.Threading.Lock _balanceLock = new();
    private decimal _balance;
    public Account(decimal initialBalance) => _balance = initialBalance;
    public decimal Debit(decimal amount)
    {
        if (amount < 0)
        {
            throw new ArgumentOutOfRangeException(nameof(amount), "The debit amount cannot be negative.");
        }
        decimal appliedAmount = 0;
        lock (_balanceLock)
        {
            if (_balance >= amount)
            {
                _balance -= amount;
                appliedAmount = amount;
            }
        }
        return appliedAmount;
    }
    public void Credit(decimal amount)
    {
        if (amount < 0)
        {
            throw new ArgumentOutOfRangeException(nameof(amount), "The credit amount cannot be negative.");
        }

        lock (_balanceLock)
        {
            _balance += amount;
        }
    }
    public decimal GetBalance()
    {
        lock (_balanceLock)
        {
            return _balance;
        }
    }
}
class AccountTest
{
    static async Task Main()
    {
        var account = new Account(1000);
        var tasks = new Task[100];
        for (int i = 0; i < tasks.Length; i++)
        {
            tasks[i] = Task.Run(() => Update(account));
        }
        await Task.WhenAll(tasks);
        Console.WriteLine($"Account's balance is {account.GetBalance()}");
        // Output:
        // Account's balance is 2000
    }
    static void Update(Account account)
    {
        decimal[] amounts = { 0, 2, -3, 6, -2, -1, 8, -5, 11, -6 };
        foreach (var amount in amounts)
        {
            if (amount >= 0)
            {
                account.Credit(amount);
            }
            else
            {
                account.Debit(Math.Abs(amount));
            }
        }
    }
}

A centralized user authentication system called Single Sign-On (SSO) enables users to log in just once and access numerous apps. By eliminating the need for several passwords and lowering the possibility of password fatigue, SSO improves user comfort and security. This article explores utilizing IdentityServer4 to provide SSO in an ASP.NET Core application.

Comprehending SSO
A central identity provider (IdP) is given authentication duties by SSO. The service sends the user to the IDP for authentication when they try to access it. The IDP provides a token that the service uses to confirm the user's identity after successful authentication.

Why Use SSO?
Improved User Experience: Users log in once to access multiple applications.
Enhanced Security: Centralized authentication reduces password-related risks.
Simplified Management: Administrators manage a single authentication system.
Compliance: Easier to enforce security policies and compliance requirements.

Implementing SSO with ASP.NET Core and IdentityServer4
Step 1. Setting Up IdentityServer4
Create a new ASP.NET Core project
dotnet new mvc -n SSOApp
cd SSOApp

Add IdentityServer4 NuGet package
dotnet add package IdentityServer4
dotnet add package IdentityServer4.AspNetIdentity

Configure IdentityServer4 in Startup.cs
public void ConfigureServices(IServiceCollection services)
{
services.AddControllersWithViews();
services.AddIdentity<ApplicationUser, IdentityRole>()
    .AddEntityFrameworkStores<ApplicationDbContext>()
    .AddDefaultTokenProviders();
services.AddIdentityServer()
    .AddDeveloperSigningCredential()
    .AddInMemoryIdentityResources(Config.IdentityResources)
    .AddInMemoryApiResources(Config.ApiResources)
    .AddInMemoryClients(Config.Clients)
    .AddAspNetIdentity<ApplicationUser>();
services.AddAuthentication()
    .AddGoogle("Google", options =>
    {
        options.ClientId = "your-client-id";
        options.ClientSecret = "your-client-secret";
    });
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
    app.UseDeveloperExceptionPage();
}
else
{
    app.UseExceptionHandler("/Home/Error");
    app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseIdentityServer();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    endpoints.MapDefaultControllerRoute();
});
}

Define Identity Resources, API Resources, and Clients in Config. cs
public static class Config
{
public static IEnumerable<IdentityResource> IdentityResources =>
    new List<IdentityResource>
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile(),
    };
public static IEnumerable<ApiResource> ApiResources =>
    new List<ApiResource>
    {
        new ApiResource("api1", "My API")
    };
public static IEnumerable<Client> Clients =>
    new List<Client>
    {
        new Client
        {
            ClientId = "client",
            AllowedGrantTypes = GrantTypes.ClientCredentials,
            ClientSecrets =
            {
                new Secret("secret".Sha256())
            },
            AllowedScopes = { "api1" }
        }
    };
}

Step 2. Setting Up a Client Application
Create a new ASP.NET Core MVC project
dotnet new mvc -n ClientApp
cd ClientApp

Add necessary NuGet packages
dotnet add package Microsoft.AspNetCore.Authentication.OpenIdConnect
dotnet add package Microsoft.AspNetCore.Authentication.Cookies

Configure authentication in Startup. cs
public void ConfigureServices(IServiceCollection services)
{
services.AddControllersWithViews();
services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(options =>
{
    options.Authority = "https://localhost:5001";
    options.ClientId = "client";
    options.ClientSecret = "secret";
    options.ResponseType = "code";
    options.SaveTokens = true;
    options.Scope.Add("api1");
    options.Scope.Add("offline_access");
});
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
    app.UseDeveloperExceptionPage();
}
else
{
    app.UseExceptionHandler("/Home/Error");
    app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    endpoints.MapDefaultControllerRoute();
});
}

Step 3. Testing the SSO Implementation
Run the IdentityServer4 and Client applications.
dotnet run --project SSOApp
dotnet run --project ClientApp

Access the Client application: Navigate to the Client application URL (e.g., https://localhost:5002).
Initiate Login: Click the login button to redirect you to the IdentityServer4 login page.
Authenticate: Provide your credentials, and upon successful authentication, you will be redirected back to the Client application with the SSO session established.

Conclusion
Implementing Single Sign-On in ASP.NET Core applications using IdentityServer4 significantly improves user experience and security. By centralizing authentication, you streamline user management and enhance overall security. This article provides a comprehensive guide to setting up SSO in your ASP.NET Core applications, paving the way for a more efficient and secure authentication process.