Cookie Authentication & CSRF with AngularJs, Owin & Mono

I'm currently working on a project that has Nancy serving up an API. For the UI there is AngularJS. We were using JWT for authentication just to get us up and running, but then as things became more final in the product we knew it would be better to swap to cookies for security, plus we may as well leverage the browser capabilities for cookie handling. I'm not going to get into the arguments about JWT security vs cookie security; there are advantages/disadvantages for using both in this scenario. Our API is built on top of OWIN and Microsoft provide cookie middleware, so I thought this would be nice and simple to plug in. Let's just remember I'm working on Mono!

In our Startup class I


Nancy 1.0 and the Book

In light of Nancy recently reaching 1.0 (and quickly thereafter 1.1), I thought it was appropriate to revisit my Nancy book, and the running code sample in it on Nancy 1.1. This post looks at what's changed and what I might have coded differently now.

But first,

Is the Book still Relevant?

Yes, I think the book is still relevant. Almost all the code works unchanged with Nancy 1.1, and Nancy still follows the same principles and philosophy. I still think the book is a quick way to get introduced to Nancy's way of doing things, the DSLs it provides and its awesome extensibility.
(But then again, I may be slightly biased)

What Broke Between Then and Now?

After updating the Nancy packages in my copy of


Using Nancy.Linker with Razor Views

First things first: I recommend that you use Nancy.Linker to generate links in the route handler, not the view code, as described in my last post. If you insist on generating the links in the view code, here is how to make Nancy.Linker work with Razor views.

Firstly you need to pass an instance of IResourceLinker and the NancyContext to your view. This works just like passing any other object from the handler to the view - in your Nancy module you have your route handler pass the IResourceLinker and NancyContext objects as part of the model to the view you want to render:

The NancyContext must be passed along with the IResourceLinker, since Nancy.Linker needs it to generate links. Once


Permanent redirect to HTTPS with IIS

Google has just recently updated their search results to give higher ranking to sites with an SSL Certificate than to sites without, which is one of the best changes Google has made in recent years. There really is no excuse for not having a cert now. (Note: this is limited to a small portion of sites, but let's assume that this will be rolled out if Google proves it to be worthwhile.)

googleonlinesecurity - https-as-ranking-signal_6.html

Unfortunately for me it seems GitHub Pages does not support Certificates on custom domain names, yet... :( Hopefully they will support this eventually so that I can avoid moving my blog.

So one thing that pops up in the Nancy channel on JabbR


Nancy, ASP.Net vNext, OSX and Sublime Text

One of the great things that ASP.Net vNext is bringing is the ability to use it cross platform, with Microsoft actively testing their libraries against Mono. Along with this, MS are developing a web server that is cross platform and goes by the name of Kestrel. One thing they aren't doing, yet, is making Visual Studio cross platform, so we need something to write our code in. There are a few editors out there, but one of the most common is Sublime Text. This gives you syntax highlighting and build systems that can all be configured, so if you are not aware of it, check it out. Obviously, before we can start writing code on OSX with our editor, we need Mono installed.

UPDATE - As of August 13th


Using Nancy.Linker with Views


You have two options: 
  • The simplest is to use Nancy.Linker in your route handler to generate the links needed in the views, put them on the view model and pass the view model to the view as usual. 
  • The other is to pass IResourceLinker to the view and allow it to generate links as needed. For this to work you may need a little bit of web.config'ing to make Razor play nice. 
This post shows the former.

Nothing New

In the last post I introduced Nancy.Linker, showed how to use it to create links to named routes and place them on a model object returned by a Nancy route handler.

In essence, given this module:

This route handler will return a model with a link to the route in the




Nancy.Linker is a small library for creating URIs for named routes in a Nancy application that I released to NuGet the other day.

Purpose of Nancy.Linker

The problem Nancy.Linker solves is to allow your application code to create URIs pointing to endpoints in your Nancy application without hardcoding the URI. Instead you refer to the endpoint by its route name and provide values for whatever route parameters the route expects. The library then returns you a suitable System.Uri.


Let's consider a Nancy application with this module in it:

The module does nothing interesting, but bear with me. The thing to notice is that FooModule has all sorts of routes - a constant one, one with a


Changing the way we work on GitHub

Being a distributed team, GitHub is our single most important piece of the puzzle that makes up Nancy. With the recent changes in our governance, we felt we needed to make some changes on how we work on GitHub.


Nancy hosting, OWIN and ASP.NET vNext

Nancy has always been disconnected from the underlying host, enabling you to run Nancy on top of ASP.NET, self-hosted, as part of your WCF service, or embedded pretty much wherever you want.

We were also the first full framework to adopt OWIN based hosting, through our Nancy.Hosting.Owin NuGet. With the recent 0.23.0 release we moved our OWIN host into the core project as a stepping stone.


Nancy moving forward

Recently we had a meeting that was made up of me, Steven and most of the Most Valued Minions. On the agenda was everything from discussing the governance of the project, to making plans for a v1, looking over the state of our GitHub repository and much more.

A lot of ground was covered and the intention of this blog series is to try and get down as much as possible of what we said and decided. We believe in developing in the open, so it is important that we get the information out to our community.

Please do not hesitate to reach out to us if you have any questions, suggestions or just want to share your thoughts on the subjects!

Here is a tl;dr of the posts

  • Most Valued Minions can