Node.

js, AI Copilot, Laravel, Azure Active Directory

SEP
OCT
2023
codemag.com - THE LEADING INDEPENDENT DEVELOPER MAGAZINE - US $ 8.95 Can $ 11.95

The World of
Server-Side Events
Cover: @midjourney + onsightdesign

Preventing Azure Building Web Enlisting AI

AD Mistakes APIs With Node.js Copilots
DO YOU WONDER
HOW ARTIFICIAL
INTELLIGENCE CAN
BENEFIT YOU TODAY?
EXECUTIVE BRIEFINGS
Do you wonder how AI can help your business? Do you worry about privacy or regulatory issues stopping
you from using AI to its fullest? We have the answers! Our Executive Briefings provide guidance and concrete
advice that help decision makers move forward in this rapidly changing age of artificial intelligence and
Copilot-enabled software!

We will send an expert to your office to meet with you. You will receive:
1. An overview presentation of the current state of AI.
2. Learn how to use AI in your business while ensuring privacy of your and your clients’ information.
3. We’ll build a sample application built on your own HR documents – allowing your employees to query
those documents in English, which will cut down the number of questions that you
and your HR group have to answer.
4. A roadmap for future use of AI catered to what you do.

AI-SEARCHABLE KNOWLEDGEBASE AND DOCUMENTS

A great first step into the world of generative artificial intelligence, large language models (LLMs),
and GPT is to create an AI that provides your staff or clients access to your institutional knowledge,
documentation, and data through an AI-searchable knowledgebase. We can help you implement a first
system in a matter of days in a fashion that is secure and individualized to each user. Your data remains yours!
Answers provided by the AI are grounded in your own information and is thus correct and applicable.

COPILOTS FOR YOUR OWN APPS

Applications without Copilots are now legacy!
But fear not! We can help you build Copilot features into your applications in a secure and integrated fashion.

CONTACT US TODAY FOR A FREE CONSULTATION AND DETAILS ABOUT OUR SERVICES
codemag.com/ai-services
832-717-4445 ext. 9 • [email protected]
 TABLE OF CONTENTS

Features
8 Top Azure Active Directory 58 Vite and Progressive Web Apps
Mistakes Shawn shows you how the development build environment Vite
uses abstraction for packaging, offline work, and installing a
Sahil examines some of the most common mistakes and misunderstood website outside the JavaScript framework.
concepts that cause insecure applications in Active Directory. Shawn Wildermuth
The protocols he covers are portable to any identity platform.
Sahil Malik
63 Authentication in Laravel, Part 2:
15 Building Web APIs Using Node.js Token Authentication
and Express: Part 3 In Part 2 of Bilal’s Authentication series, you learn about how
tokens work and what you can do to take advantage of the
In the third article of this series, Paul examines how to build a website token options that Laravel offers.
using Node.js and Express to serve web pages, how to use a templating Bilal Haidar
engine called Mustache to create dynamic web pages from the data
retrieved from API calls, and how to configure cross-domain resource
sharing (CORS).
Paul D. Sheriff

28 Applying DDD Thinking to Refactor Columns

Aggregate Filters 74 CODA: What Lies at Agile’s Heart
Julie explains how bounded context in Domain-Driven Design might
John takes a look at the history of Agile development and
be a good solution if you’ve got a complex series of iterations within
explores the difference between the process and the result.
filtering software.
John V. Petersen
Julie Lerman

34 Developing Real-Time Web

Applications with Server-Sent
Events in ASP.NET 7 Core
Departments
Joydip shows you how to build real-time web applications with Server-
Sent Events (SSE) in ASP.NET Core, including the core concepts of SSE,
6 Editorial
the features, benefits, and downsides of SSE, and how to implement
real-time updates, etc.
Joydip Kanjilal
12 Advertisers Index

46 Getting Started with AI Copilots in 73 Code Compilers

Your Own Applications
Markus looks at how you can get AI tools to handle some of the more
basic tasks with a tool called Copilot so your dev team can focus on
more important things.
Markus Egger

US subscriptions are US $29.99 for one year. Subscriptions outside the US pay $50.99 USD. Payments should be made in US dollars drawn on a US bank. American
Express, MasterCard, Visa, and Discover credit cards are accepted. Back issues are available. For subscription information, send e-mail to [email protected]
or contact Customer Service at 832-717-4445 ext. 9.
Subscribe online at www.codemag.com
CODE Component Developer Magazine (ISSN # 1547-5166) is published bimonthly by EPS Software Corporation, 6605 Cypresswood Drive, Suite 425, Spring, TX 77379 U.S.A.
POSTMASTER: Send address changes to CODE Component Developer Magazine, 6605 Cypresswood Drive, Suite 425, Spring, TX 77379 U.S.A.

4 Table of Contents codemag.com

 EDITORIAL
Error-Driven Development
Any developer who’s been in this profession for any amount of time will relate to this story. I was
working on an application integration using a vendor’s REST API. The purpose of this integration was
to manipulate metadata across several different customer sites and the documents contained within.
My initial uses of the API went well. I was able
to query the main list of sites and then I was
able to get a list of the documents for each
site. The only problem was that once I tried to
access documents beyond the first site in the
list, I received an HTTP 403 error. This error is a
security access error that says the current user
doesn’t have proper access to the requested re-
source.
This was strange. The account I was using to
test was a Site Administrator account with full
access. It was a head-scratcher. So I started
doing what all developers do when faced with
a difficult challenge. I went fishing for ideas
(AKA trying stuff). My first thought was to set
up an account with different rights. I gave that
a try only to be foiled by licensing. There were
no licenses available, so I was going to need to
go a different route. I did what all good devel-
opers do: I consulted Google and came up with
a few loose threads, but for the most part, it
was no help.
Back to the drawing board. I decided to return
to the code to try to reproduce the error and see
if there was any additional information I might
have missed. With a few tweaks, I was able to
reproduce the error. It returned the same vague
error. Okay, now what? I returned to the code
and tweaked something to see if I could get a
different answer. (It worked with my parents,
so why not this API? LOL.) After a few more
failed attempts, I finally received a different
error value. It read something like: “The current
logged in user is not authenticated against this
site.”
BINGO! I had a new error to investigate, this
time with actionable information. I returned to
the documentation to be informed that I need-
ed to authenticate against each site individu-
ally versus sharing a single common authenti-
cation. I quickly tweaked my code to authenti-
cate with each site individually. Huzzah! This
worked perfectly. After this blocker, I was able
to finish my application integration in short or-
der. Error-driven development had worked.
I smile at the irony of causing errors (bugs)
to find solutions to fixing other errors (more
bugs). It’s not every day that you get paid to
6 Editorial
cause a bug. But I digress. What happened sense in my mind. My technique was to ask the
here? Was some senior-developer Jedi mind student this question in return: “Can you ask
trick used to root out the culprit? Or was it that a different way?” This required the student
something else? to rethink the problem and gave me a few more
beats to come up with an answer. This tech-
It was 100% something else. nique was often successful, and I continue its
use it today when working on solving problems
Let’s talk about another development story. with other teammates.
Last week, I was working with a colleague who
came to me with the following message over So now you have a tool to solve sticky prob-
Teams: “When you have a few cycles, can you lems. Simply ask yourself: “Can I look at this
take a look at the data for client ABDC to see another way?”
why it might not be loading?” I was between
tasks, so I took a look right away. This was a
new client, so I queried the data warehouse to Rod Paddock
see if they had their initial setup made. Here’s
the query:
SELECT * FROM v_clients WHERE code = 'ABDC'
Zero records returned. I returned to Teams: “Hey
COLLEAGUE. Are you sure this client was set up
at all? Not seeing it in v_clients. Is the spelling
proper?” The answer came back immediately:
“Doh?!?!? Yeah, that’s the problem ABCD not
ABDC. Thanks for the assist!” Huzzah! Another
victory. Was it my Jedi-level query skills that
solved this problem or was it something else?
It was 100% something else.
In each of these situations, it wasn’t the micro
solutions of error codes and queries that solved
the problem. Nope. What was it? I posit that
the solution to the fix was applying a differ-
ent perspective to each given problem. In the
former, it was triggering a different error code
and the latter solution was achieved by sim-
ply having someone else look at the problem.
I can’t tell you how many times that particular
colleague helped me find a bug with laser-like
precision in a millisecond just by looking at a
block of code for a moment. “There it is!” The
old fresh-pair-of-eyes technique seems to al-
ways work.
Sometimes you need to step away from a
problem to find a different path to solving it.
There’s an old technique I learned when I was
doing professional developer training. Some-
time students pose questions that I would find
difficult to understand or that just didn’t make
codemag.com
APPS
WITHOUT
COPILOTS
ARE NOW
LEGACY!
Microsoft has introduced Copilot-enabled applications and announced that all Microsoft applications
will follow this approach going forward. This aims to capitalize on the extreme productivity
gains this new paradigm promises. Microsoft also has tools to let you create Copilots for
your own applications and systems.

CODE Consulting can help you build Copilots into your own applications.

VISIT OUR COPILOT PAGE TO FIND OUT MORE ABOUT OUR SERVICES
AND TO SEE DEMONSTRATIONS AND EXAMPLES!
codemag.com/copilot
832-717-4445 ext. 9 • [email protected]
 ONLINE QUICK ID 2309021
Top Azure Active Directory Mistakes
Like any developer, I’m constantly challenged by the pace of technology. I’ve been in this industry for a few years, and almost
anyone reading this with similar experience under their belt will agree with me that writing code today is quite different than it
was many years ago. Many years ago, we paid a lot of attention to every logic path. Before any product was released, a lot of care
Sahil Malik
www.winsmarts.com
@sahilmalik
Sahil Malik is a Microsoft
MVP, INETA speaker,
a .NET author, consultant,
and trainer.
Sahil loves interacting
with fellow geeks in real
time. His talks and train-
ings are full of humor and
practical nuggets.
His areas of expertise are
cross-platform Mobile app
development, Microsoft
anything, and security
and identity.
8 Top Azure Active Directory Mistakes
was given to the API surface, and thinking through every
possible way it would be used and abused. Products were
released later, documentation was released first. Then
some of us worked closely with product groups and wrote
books.
How times have changed! Development today is built as a
skyscraper of SDKs that we constantly update, sometimes
automatically, and almost never understand the inner
workings and dependencies of. Security vulnerabilities
creep in after we ship code, and most companies don’t
have budgets to remediate or even detect these vulner-
abilities. Developers ship code knowing it has bugs, as
time to market and feature lists trump everything else.
The recourse is the internet, constant beta state, and
quick updates and frequent patches. Documentation is a
soldier missing in action. Books are not something being
written anymore, and it’s all about time to market for
guidance as videos and blog posts. Learning has become
more of a reference.
Pair this with two other facts: products have gotten more
complex and we depend increasingly on computers for
everything, and that well-funded nation state actors have
great incentives to cause damage.
And don’t even get me started with AI-driven develop-
ment where we aren’t even writing code; we’re hoping the
computer will write it for us.
Figure 1: Azure Active Directory redirect URI limitations
Boy, I’m a worry wart, aren’t I? Well, when it comes to
computer security, such shortcuts and speedy develop-
ment will almost always land you in trouble. You need to
understand how security works because your features are
no good if the system isn’t secure.
So I thought it would be a good idea to write an article
highlighting some of the most common mistakes and mis-
understood concepts I’ve seen that cause developers to
write insecure applications. I’ll keep my discussion spe-
cific to Azure Active Directory, but the protocols that are
standard to many of the things I’ll talk about in this ar-
ticle are portable to any identity platform.
Also, it’s worth saying that these are not shortcomings of
Azure Active Directory, but common mistakes that people
make.
With that background, let’s get started.
Redirect URI Pollution
Almost every modern identity protocol depends on redi-
rect URIs. Redirect URIs is a whitelist of URIs where the
identity provider feels safe sharing sensitive information,
be it SAML that may post you back a SAML assertion, or
an OIDC flow that posts back tokens or codes that be
exchanged for tokens. Those tokens are post backs and
are very sensitive. You should treat them with the same
codemag.com
care you’d treat credentials with. In fact, I’d go one step
further: Treat them with greater security than credentials.
Credential leakage can be detected, but if a refresh token
leaks, it’s much harder to detect and could stay valid for
a long time. Although resetting credentials in Azure AD
invalidates your refresh tokens too, you can’t take that as
a guarantee. Similarly, a SAML post back that you don’t
secure can be used to establish a web session on a com-
puter you never intended to establish a session with. And
in this cloud-ready world where all these endpoints are
on the internet, you’ll soon find stolen cookies for sale
on the dark web.
Every respectable modern identity platform puts some
common-sense limitations on redirect URIs. You can see
Azure Active directory’s limitations in Figure 1.
There are good reasons behind each of these limitations.
For instance, requiring HTTPS ensures that the packets are
not sniffable over the network. Also, browser protections
ensure that a site masquerading as another will automati-
cally be detected. Or, for that matter, a man-in-the-middle
sniffer will also be detected. This is, of course, defeatable
if the trusted certificate store of the client computer can
be altered by the attacker. This is a common issue with
certain governments or even organizations where they
push certificates to your computer that can effectively
allow a man-in-the-middle to sniff HTTPS traffic. So you
can’t assume that HTTPS is the final word in security.
Of special mention is the localhost redirect URI. It’s quite
common to use localhost as a redirect URI when develop-
ing locally or for certain categories of apps, specifically
thick client apps that don’t use brokers. The sad real-
ity is that Azure AD does not have a good DevOps story,
and yeah, lecture me as much as you wish about Micro-
soft Graph and the sales pitch. Developers are frequently
forced to develop in a production tenant because that’s
where all the licenses are, and that’s where all the data
resides. If they do set up a separate tenant, it’s quite an
onerous task for them to move their app registration and
all the necessary configuration, including all the users,
permissions, roles, etc. to another tenant. It ends up be-
ing a lot of work writing scripts, relying on third-party
products, etc.
So guess what most developers do? You guessed it. They
develop in production (at least as far as Azure Active Direc-
tory goes), and there’s been a battle waging for the past
thousand years between developer fairies and IT ogres.
Now what URI will a developer use when developing lo-
cally? You guessed it: https://localhost. If you go back
a few years, this used to be http://localhost. Invariably,
this slips into production. The developer either leaves
that redirect URI because they may still want to develop
against the same app registration as production. Or they
simply forget to remove that stray redirect URI.
The problem this causes is that a listener on any com-
puter running on localhost can now accept your tokens,
and oh, those listeners do exist and are hard to detect.
Organizations also try to reduce authentication prompts,
so effectively, you’re SSOing a user into an app with a re-
direct URI to a nefarious listener that can now post your
tokens to the internet. Ouch!
codemag.com
So best practice: Always trim down the redirect URIs to the
bare minimum, and only to ones you trust, and remember
that your security is only as good as the target computer.
Mixing App Concerns
This brings me to my second beef, which is overusing a
single app registration and not fully understanding the
ramifications of your decisions. An obvious improvement
to what I described in the Redirect URI section is for
the developer to have an app registration separate from
the production app registration. Look, I know having a
completely separate development/staging environment
can be impractical when it comes to identity, but having
a separate app registration, secrets, and developer identi-
ties is a quick and easy win.
But this problem of mixing app concerns goes a bit
deeper than that. Not every OIDC flow is equally secure.
The problem is that the flows are designed to offer you
the maximum security any individual platform offers. But
there’s no way a single page application (SPA) can be as
secure as a thick client app. This is simply because the
browser can’t offer the same crypto capabilities that a
mobile app can. Similarly, a mobile app can’t be as secure
as a web app that never shares the tokens to the client
app. The client computer is an untrustable surface.
So the one obvious conclusion that comes out of this is
that you should always use the right OIDC flow for the
right kind of app. The second conclusion that comes out
of this is to offer your users the most secure app choice
you can offer. For instance, if you have a choice between
a SPA doing an OIDC flow to acquire an access token vs.
hosting APIs within the web app and doing an OIDC flow
suited more for web apps, all other things being equal,
lean toward the web app approach.
But this is where things get funny. Earlier, I talked about
IT ogres being onerous while developer fairies try to keep
the users happy. So imagine that Olaf the IT ogre refuses
to create a new app registration for you. But for a particu-
lar scenario, you need to support a web application and a
thick client application. So instead of dealing with Olaf,
you decide to enable public client flows in the same app
as the web app. This can be seen in Figure 2 under the
authentication section of an app registration.
You may be thinking that you’re using thick client applica-
tion OIDC flows and web application flows in the same app
registration. But it’s important to see that you just opened
the gates to also allow device code flow, windows integrated
auth flow, and ROPC flow. None of these are great choices
when it comes to security. Don’t get me wrong, there are sit-
uations where you need them and you have no alternative.
ROPC, for instance, relies on sending the user’s password
and username as a POST request. Device code flow involves
authenticating on a separate computer than where you did
your authentication. Neither of these works well with con-
ditional access policies or device cleanliness. But you just
opened the doors to these less-than-ideal OIDC flows.
What you should have done instead is restrict the less de-
sirable OIDC flows to as low of a consent surface as pos-
sible. And separate them in a new app registration. If Olaf
the IT ogre objects, have him read this article please, ok?
Top Azure Active Directory Mistakes 9
 Figure 2: Enable public client flows
Figure 3: Expiring secrets only please
Figure 4: User assigned managed identity
Manage Client Secrets
App registrations allow for client secrets. Client secrets are
necessary for certain flows, such as client credential flow.
Here you have two choices. Either you can use a client se-
cret that’s a string or you can use a certificate. The string is
no better than a password. Actually, it’s way worse. At least
passwords are typed by the user, so enterprises can detect
if the same password was entered into an unintended place
and immediately revoke your credential. Or hashes of pass-
words can be compared with leaked passwords and most
modern browsers will alert you to compromised passwords.
Client secrets enjoy no such luxury. If they’re out in the
wild, they are out. The client ID and tenant ID are public
info anyway. And all you need to gain an access token via
the client credential flow is the client secret, the client ID,
10 Top Azure Active Directory Mistakes
and the tenant ID. Now you can acquire access tokens for
as long as you desire. What’s worse, if such a client secret
is leaked, there’s no way to get an alert either.
It's for this reason that Microsoft doesn’t allow you to
create non-expiring client secrets from the user interface.
This can be seen in Figure 3. They want you to rotate
these secrets every now and then, although through the
API, you can create non-rotating client secrets.
You may be thinking that rotating secrets is a giant pain.
I’m not going to disagree with you there. But you need
to put in procedures to check for upcoming expirations
and proactively rotate them. Afterall, Microsoft does al-
low you to create more than one client secret, so you can
achieve this rotation without outages.
However, there are a few things I’d like to recommend.
The obvious first recommendation is to have procedures
in place to rotate client secrets proactively. I already
talked about that.
Second, I prefer to use certificates over secrets. Secrets
can leak just like certificates, so certificates aren’t much
better. But the slight advantage here is that when you use
certificates, the protocol doesn’t send the actual certifi-
cate over the wire. This makes them slightly more secure
than a string. Additionally, you can add an extra layer
of check to have a CRL revoke certs immediately if you
detect a leak. Note that Azure AD won’t check for CRL but
your application can.
Third, configure an app instance lock. A common attack
vector isn’t stealing your client secret, but rather it’s add-
ing another secret in addition to the secret you use. When
a new secret is added, especially to a privileged app, you
can keep rotating the existing secret as much as you
wish, and the newly added secret, presumably added by
a bad actor, will continue to work. Using an app instance
property lock, you can effectively lock down an app in-
stance from certain kind of changes, such as credentials.
Fourth, check for logs for any secrets being added. Have
alerts on those cross-referencing the actor that added the
secret. If it’s an automated job, the job should nullify the
alert. If it’s a user making the change, the alert should
surface up to the user or an admin.
Finally, avoid using secrets at all, which is where man-
aged identities come in.
codemag.com
Use Managed Identities
A very wise donkey in a famous movie once said, “What’s
the use of a secret that you can’t tell anyone?” I have a ®
slightly different take on that. The best secret is one that
you don’t know, so you never have to worry about leak-
ing it. This is exactly what managed identity gives you.

Instantly Search
Managed identities are service principles whose credentials
(in this case, certificates) are managed entirely by Azure.
They’re never shared with an app, and they’re never shared

Terabytes
with the user. They remain out of reach of any surface that
could leak them. Additionally, they’re automatically rotated
for you. How often are they rotated? I don’t care. Because I
don’t have to do that rotation and update a number of apps
and inform users when such rotation is occurring.

A managed identity can work on its own, where the ser-

vice principal backing the managed identity can be given
certain permissions. Beyond that, you can acquire access
tokens and call APIs such as Microsoft graph. Because
dtSearch’s document filters support:
it’s a service principal, you’re limited to app-only per- ‡ popular file types
‡ emails with multilevel attachments
missions. Usually, you’d do this by creating a new user-
assigned managed identity from the Azure portal or via
the MS Graph API. This can be seen in Figure 4. ‡ a wide variety of databases
Alternatively, you can also assign an Azure resource a ‡ web data
managed identity. For example, you can have a virtual
machine assume a managed identity. Here, when a pro-
cess running on the virtual machine wishes to reach out
to an API under that managed identity’s identity, it can Over 25 search options including:
ask for an access token for that managed identity, while
the process is running on the computer. Here, you have a ‡ efficient multithreaded search
choice of using a system-assigned managed identity or a
user-assigned managed identity. A system-assigned man-
‡ easy multicolor hit-highlighting
aged identity is cleaned up for you automatically when ‡ forensics options like credit card search
the resource is deleted, and it’s tied to exactly one re-
source. A resource example might be a virtual machine,
an app service, or many other such resources in Azure.

A clear disadvantage of a system-assigned managed iden- Developers:

tity is that you can’t create and pre-configure consent
permissions on the managed identity ahead of time and
‡ SD.s for :indows /inu[ macOS
‡ &ross-platform $3,s cover & -ava
and current .NET
then assign the identity to a resource. Imagine what a
problem this becomes in DevOps scenarios where the re-
source is being upgraded when the upgrade effectively
means delete and reprovision? ‡ )$4s on faceted search granular data
classification $]ure $:S and more
Because managed identities are more “trustable” than
identities whose secrets can leak, the access tokens are
valid for longer too, typically 24 hours.

Additionally, you can use workload identity federation to

Visit dtSearch.com for
configure a user-assigned managed identity or app regis-
tration in Azure AD to trust tokens for an external identity
provider, such as Github, Google Cloud, AWS, or others. ‡ hundreds of reviews and case studies
This is really amazing because this effectively allows you
to use the power of managed identities across tenants ‡ fully-functional enterprise and
and even across clouds. developer evaluations

Protect Your Secrets The Smart Choice for Text

I almost missed mentioning this. Secrets are like plutoni-
um, and, well, as much as I suggest that you use managed
Retrieval® since 1991
dtSearch.com 1-800-IT-FINDS
identities and workload identity federation, you’ll find
situations where you need to manage secrets yourself. In
circumstances like this, you should use a product such as
Azure Key Vault or HashiCorp Vault to store secrets. You

codemag.com Top Azure Active Directory Mistakes 11

 can then use something like managed identity to acquire
the secret at runtime, and either not save it locally, or
save it in a trusted encryption, such as hardware-backed
encryption. Note that products such as Key Vault should
not be used for high IO scenarios. If you have to reach
out to Key Vault every time you need the secret, your app
won’t scale. But it serves the need of storing your creden-
tials safely very well.
Understand Token Validation
SAML has SAML assertions, and OIDC has access tokens,
refresh tokens, and ID tokens. You also have PRTs (prima-
ry refresh tokens), which I like to call a powerful refresh
token, but let’s leave that out of the discussion for now.
The important part here is that in this copy/paste-driven
development world we live in, it’s important for you to
understand how tokens are validated. I’ll leave SAML for
another day because it’s so different; let’s focus on OIDC
for now.
In OIDC, you have three kinds of tokens.
The ID token is what establishes the user’s identity. The
intended audience for this token is your app. Your app re-
ceives this token, validates it, and issues its own mecha-
nism of maintaining the user identity, such as a cookie
for a web session.
The access token is what establishes your ability to call
an API, and it may or may not contain the user’s identity.
The access token is valid for a shorter duration of time,
typically an hour, although it could be more or less, de-
pending upon various factors. The intended audience for
this kind of token is your API.
The refresh token has a much longer duration, intended
to be used to gain new access tokens so the user isn’t
shown an authentication challenge every time the access
token expires. The validity duration of the refresh token
depends on the kind of application you’re writing, and
not every kind of OIDC flow allows for a refresh token.

There are other kinds of tokens, such as auth_codes that

play intermediary roles depending on the kind of flow
you’re using.

Figure 5: The access token header There are a few important things you need to understand
about token validation.

In Azure AD, refresh tokens are opaque. You cannot de-

code them; they’re not intended for you to decode. You
ADVERTISERS INDEX don’t validate them, you don’t decode them, you simply
use them when you need a new access token. It’s up to
Azure AD to validate them and issue you an access token
Advertisers Index using them. Also, Azure AD has the prerogative to revoke
your refresh tokens without informing your app first.
CODE Consulting So don’t rely on application architectures that rely on
www.codemag.com/ai-services 2 refresh tokens never getting invalidated. For instance,
long-running processes under the user’s identity using
CODE Consulting a refresh token is a perfectly valid architecture pattern.
www.codemag.com/copilot 7 That’s what the “offline_access” scope is intended for
CODE Consulting anyway. But build an escape hatch to alert the user if
www.codemag.com/Code 75 the refresh token gets invalidated, so the user can reau-
thorize the offline process, which is basically getting a
CODE Consulting new refresh token with an interactive auth flow.
www.codemag.com/executivebriefing 76
ID Tokens and Access tokens are JWT tokens in Azure AD.
DevIntersection
OIDC does not mandate these to be JWT tokens, and at
www.devintersection.com 38
Advertising Sales: some point, they may not be. For instance, it’s possible
Tammy Ferguson dtSearch that the identity provider (Azure AD) in this case, could
832-717-4445 ext 26
[email protected]
www.dtSearch.com 11 move to encrypted access tokens. Encrypted access to-
kens would be a good improvement because they’re in-
LEAD Technologies
tended for the API, not the app. The API would have
www.leadtools.com 5
the ability to decrypt and decode them. The app, on
the other hand, can’t decrypt them and therefore decode
them. This is because the app has no business read-
ing and unpacking an access token. This is a common
mistake I see, where the app decodes an access token
and makes logic assumptions based on it. You’re setting
yourself up for failure by doing this.
This listing is provided as a courtesy
to our readers and advertisers. Finally, ID tokens are intended for your app. These are
The publisher assumes no responsi- also JWT tokens as of now.
bility for errors or omissions.

12 Top Azure Active Directory Mistakes codemag.com


Figure 6: The JWKS URI output
Both access tokens and ID tokens are intended to be vali-
dated, albeit by different parties, but the validation logic
has a few things in common.
First, the tokens are comprised of three parts: the header,
the body, and the signature.
The header gives you “packet” information. Think of it
as the label on your package. It tells you what kind of
signature algorithm is used, and where to find the keys
to validate the signature. Azure AD has the private key
to sign the access token or ID token. It never shares the
private key and it rotates the public private keypair every
now and then. The public key is available to you at an
anonymous URL. You can use the public key to validate
the signature. In Figure 5, you can see the header for an
access token I just acquired from my tenant.
Of special note is the “alg,” which stands for algorithm,
and the “kid” or key ID claim. The idea is that Azure AD
is telling you that it used RS256 to sign the token, and
you can find the keyID from the JWKS URI, which resides
at the following URL:
https://login.microsoftonline.com/
<tenant_id>/discovery/keys
You can see the key ID for my app in Figure 6. I got this
as a simple GET request to the JWKS URI.
To validate the signature of the token, graph the signa-
ture key from the JWKS URI. This is where I should men-
tion one of the biggest issues I see so many applications
make a mistake in.
Azure AD will rotate the key every now and then. You’re
supposed to follow the following pattern:
1. First, check if you have the signing key. If you don’t,
ask Azure AD for it and cache the key.
2. Now, use the cached key to check the signature of
the token.
3. If the signature fails, re-query Azure AD for a new
key, just in case the key has changed.
codemag.com
4. If the key has changed, recheck the signature with
the new key. And yes, cache the new key.
5. If the key hasn’t changed, fail the validation of sig-
nature.
The problem is that OIDC doesn‘t dictate this key caching
and key rotation. There are so many OIDC compliant SDKs,
and even more hand-written validations that fail to fol-
low this pattern. I’m serious, if I had a quarter for every
time I saw this problem, I’d be writing this article from
a private jet in a jacuzzi surrounded by, well, maybe the
pilot. Anyway, I don’t have a quarter for every time I see
this problem, so, back to reality.
Microsoft SDKs, also known as MSALs, will perform this
caching logic. But many third-party libraries don’t. Let’s
be honest: Many MSALs don’t have token validation logic,
leaving developers to figure this out on their own.
And this is where we’re done talking about signature valida-
tion issues. But token validation has other common problems.
When you validate a token in Azure AD, you must vali-
date, at the bare minimum, the audience and the tenant,
and then beyond that, per your authorization logic, the
subject and other claims such as roles and scopes.
What would happen if you didn’t validate the tenant?
Well, then you could just set up another Azure AD tenant
and set up the same audience, and pass your validation.
Hopefully you’re validating the subclaim (subject), but if
you weren’t, I’m in. Yay!
How confident are you that the copy/paste code from
the internet that you used is indeed performing all this
validation, and caching the signature validation cert? Are
you sure? Better double check.
Abusing Claims
OIDC defines a bare minimum standard. It allows you to
add claims that the standard doesn’t define but doesn’t
prevent you from adding. There are a few problems here.
First, this gives you the leeway to stray away from the
standard. I suggest that you don’t stray away from the
standard. Do the bare minimum validation that OIDC re-
quires, and then add more on top as necessary and very
judiciously.
Second, don’t use tokens as a database. Tokens are sup-
posed to be validated at every authorization step. The
larger the token, the worse your performance will be. In
fact, in many situations, it will break your application
logic. Many platforms or even SDKs will cap the token
size. Browsers are especially notorious for this. I’ve seen
well known applications (that shall remain unnamed)
with ridiculously low limits like 256 characters. My South
Indian friends have very long last names, and I have seen
even the bare minimum token go beyond the 256 char-
acter limit.
Additionally, Azure AD has some common-sense protec-
tions built in. For instance, if you’re a member of groups,
and you’re a member of many groups, you can config-
ure your application to issue the groups claim. But you
Top Azure Active Directory Mistakes 13

SPONSORED SIDEBAR:
Ready to Modernize
a Legacy App?
Need advice on migrating
yesterday’s legacy
applications to today’s
modern platforms? Take
advantage of CODE
Consulting’s years of
experience and contact us
today to schedule a free
consulting call to discuss your
[email protected]
options. No strings.
No commitment.
Nothing to buy.
For more information,
visit www.codemag.com/
consulting or email us at
[email protected]
. tections. Apps created after June 2023 that issue this
14 Top Azure Active Directory Mistakes
can’t really rely on this claim. Beyond a certain number
of groups, you get a group overage claim that basically
says, “hey the token got too large, but you can query MS
Graph to get the groups.” Well, if the reliable way to get
groups is to call MS Graph anyway, why didn’t I just call
MS Graph in the first place? That’s what you should have
done. Additionally, when you start using dynamic groups
or nested groups, you start running into reliability and
performance issues. TLDR: Don’t use the groups claim; it
works nicely for simple demos.
Finally, I must talk about claims transformation, but let
me talk about that in the light of immutable claims.
Immutable Claims
Certain IdPs, including Azure AD, allow you to tweak the
values of claims. Luckily, Azure AD won’t let you do so
with any claim. Claims that you cannot and should not
change are called immutable claims. Those are the claims
that you should base the user identity on. This is the
NameID claim in SAML (which is inside the subject claim)
or just the subclaim in OIDC.
Azure AD tries its best to keep you from shooting yourself
in the foot. But it’s up to you, the application author,
to understand these nuances and not make mistakes. For
instance, a common mistake is to base the user’s identity
on an “email” claim. Why? Because UPN and email look
so similar, often the same. Why is basing the user’s iden-
tity on email a bad idea? Because the email address can
change, just like the user’s name can change. Essentially,
I could change my email to
and I’m now the CEO of Microsoft. I hope you were vali-
dating the tenant ID claim. But what if this was an in-
sider attack? Changing one’s email is not something that
requires a high privilege.
Specifically for this attack vector, Microsoft now has pro-
table companies, with millions of customers, and that
claim will get a blank value that the admin can change
the behavior of. However, this doesn’t affect existing
apps that are already making this mistake. And yes, if you
wish to shoot yourself in the foot going forward, it won’t
stop you from that either.
Long story short, always rely on immutable claims in
Azure AD to establish user identity.
Understanding Trust
Azure AD has a concept of an external identity provider
where Azure AD can delegate identity establishment to an
external identity provider. There’s also a similar concept
called federation. And another loosely similar concept of
“guest accounts” where your Azure AD tenant allows an
external visitor’s account, whose identity is established
by another Azure AD tenant.
In all of these situations, you’re trusting an identity pro-
vider that isn’t under your administrator’s influence.
You may have done everything right, rotating secrets,
validating tokens properly, even checking for immutable
claims, and none of those will keep you safe if the exter-
nal identity provider you trust isn’t trustable.
Allow me to explain. Let’s say I allow guest accounts
from someshadyorg.com, and their CEO happens to be so-
meniceguy. Because their identity provider is untrustable,
they can effectively send me an immutable claim value
for someshadyguy that effectively asserts that some-
shadyguy is someniceguy. There’s nothing my Azure AD
tenant or app can do to prove it otherwise, and I just
have to “trust” this other org.
How do you guard against such problems? Well, the obvi-
ous answer is to establish trust with audits and reviews,
and put safeguards in place. In Azure AD, this is as sim-
ple as working with verified tenants, validating tenant
ID claims, and communicating with your customers what
their Azure AD might be federated/delegated to trust.
Additionally, you can establish a limited blast radius in
case of a breach. Guard like a hawk what guest accounts
can and can’t do. Establish alerts and audits, and use ac-
cess packages and access reviews to trim the access down
to the bare minimum. In Azure AD, use conditional access
policies to establish location lockdown, device health,
and authentication strength.
Summary
I started this article with an alarmist approach. I don’t
regret that. In the furious and aggressive pace of inno-
vation, I worry that we, as an industry, are collectively
underestimating the importance of security. Every other
day, I see some news article of a breach of some major
organization and leaking data.
I wish I could say that these organizations have learned
their lesson, but I see the same org get targeted again,
and no, they didn’t learn a darn thing. I’m so tempted to
name names here, but I’d rather not get in trouble.
Let me just say, though, that these are some very repu-
you’re probably a customer of some. When this informa-
tion is leaked, guess what? The cat is out of the bag.
Large organizations are woefully slow. They fight over
budgets while their secrets leak, they clamor to add fea-
tures under ever-tightening deadlines, and guess what
gets the cut? Security, because it doesn’t affect the next
quarter.
Can we please stop doing this nonsense as an industry
and give security the importance it deserves?
All right, time for me to get off my soapbox. Stay safe and
double check your apps.
Sahil Malik
codemag.com

Building Web APIs Using Node.js
and Express: Part 3
In the last two parts of this article series (in the May/June and July/August 2023 issues of CODE Magazine), you created a web
server using Node.js, Express, and JavaScript. You built a series of API routes to retrieve an array of products and a single product,
searched for a set of products, and added, edited, and deleted products. The product data was retrieved from a connection to
a SQL Server database. In this article, part three of the se-
ries, you’ll build a website using Node.js and Express to serve
web pages. You’re going to see how to use a templating en-
gine, Mustache, to create dynamic web pages from the data
retrieved from API calls. To communicate from your website
to your Web API server, you must configure cross-domain
resource sharing (CORS). You’ll see how to enable CORS in
your Web API project. You’ll then build a set of search, add,
edit, and delete pages that make calls to your Web APIs.
Create a Node.js Web Project Using
VS Code
Like my last two articles, this article is designed for you
to follow along. You learn the most by doing, so please
feel free to join me to create a website together. You only
need a few tools, most of which you probably already
have on your computer. You need to install Node.js and
VS Code on your computer. You also need access to a SQL
Server, so install one on your computer or use SQL Server
Express. Everything else is downloaded as you go along.
For more information about installing these tools, please
go back and review the instructions in Part 1 of this arti-
cle (https://www.codemag.com/Article/2305031/Build-
ing-Web-APIs-Using-Node.js-and-Express-Part-1).
Let's get started creating this new website using Node.js
and Express. Open a Command Prompt, the Windows Pow-
erShell app, or some other terminal as appropriate for your
computer and navigate to where you normally place your
Figure 1: Answer a series of questions to create a
package.json file for your project.
codemag.com
ONLINE QUICK ID 2309031
development projects. You can even open VS Code and use
the terminal window in there. For this article, I’m using my
folder D:\Samples to create the new Node.js project. After
opening a command prompt within the development folder,
create a new folder under that folder and navigate to that
folder using the following two commands.
mkdir AdvWorks
Icd AdvWorks
Paul D. Sheriff
Open the Visual Studio Code editor in this new folder us-
ing the following command. Note that this is the word
http://www.pdsa.com
code followed by a space and a period (.). Paul has been working
in the IT industry since
code .
1985. In that time, he has
successfully assisted hun-
dreds of companies archi-
From the menu system in VS Code, open a new terminal by
tect software applications
selecting Terminal > New Terminal. Type in the following to solve their toughest
command in the terminal window to start building a new business problems. Paul
JavaScript project. has been a teacher and
mentor through various
npm init mediums such as video
courses, blogs, articles
Within the terminal window, it asks for some information and speaking engage-
to describe this project. If you wish to accept the default ments at user groups and
answers, press the Enter key after each prompt; other- conferences around the
wise enter the appropriate information for your project, world. Paul has multiple
as shown in Figure 1. At the end, answer Yes to save a courses in the www.plural-
file called package.json in your new project folder. The sight.com library (https://
package.json file contains meta-data about your project bit.ly/3gvXgvj) and on
to help npm run the scripts in the project, install de- Udemy.com (https://bit.
pendencies, and identify the initial JavaScript file used ly/3WOK8kX) on topics
to start the application. The package.json file contains ranging from C#, LINQ,
meta-data about your project to help npm run the scripts JavaScript, Angular, MVC,
in the project, install dependencies, and identify the ini- WPF, XML, jQuery, and
Bootstrap. Contact Paul at
tial JavaScript file used to start the application.
[email protected].
Install Express and Nodemon
You’re now ready to install any additional utilities you
want to use in your application. You’re going to use the
Express framework for creating the web server, so install
that now. From within the terminal window, install the
Express framework using the following command:
npm install express
You’re also going to use the nodemon utility to automati-
cally detect changes to any files in your project and restart
your web server when appropriate. Install nodemon by us-
ing the following command within the terminal window:
npm install nodemon
Building Web APIs Using Node.js and Express: Part 3 15
 Modify the package.json File property under the Scripts property, as shown in the code
Open the package.json file and you should now see Ex- snippet below.
press and nodemon listed under the Dependencies prop-
erty. Also, notice that there’s a Main property that lists "scripts": {
index.js as its value. This is the starting JavaScript file "start": "nodemon index.js",
for the application. Because you want to use nodemon "test": "echo \"Error: no test
to watch for any changes in your js files, add a Start VSHFLÀHG? H[LW
},

Listing 1: In the index.js file is where you serve up the static HTML home page. Be sure to save the changes to the package.json file at
// Load the express module this point.
const express = require('express');
// Create an instance of express
const app = express(); Create Website Starting Point
// Create an instance of a Router
const router = express.Router(); Whether you’re creating a Web API project or a website
// Specify the port to use for this server project, the starting code for Express is very similar. Just
const port = 3010; like before, you need to create a file named index.js as
the starting point. Open the index.js file and add the code
&RQÀJXUHORFDWLRQ V RIVWDWLF+70/ÀOHV
app.use(express.static('public'));
shown in Listing 1. There are only a few differences in
this code from the Web API project created in the first
/** part of this article series as you will notice as you build
* GET the website in this article. First, set the port number to a
 #UHWXUQVLQGH[KWPOÀOH different value from that of your Web API project. Invoke
*/
app.get('/', (req, res, next) => { the method app.use(express.static('public')) to set the
res.status(200).send(); location of where your static HTML files are located. Within
}); the app.get() function, call the send() function with no
parameters to send the HTML to the requesting browser.
// Create web server to listen
RQWKHVSHFLÀHGSRUW
let server = app.listen(port, function () { How does the Express server know to use a file called index.
console.log(`AdvWorks web server is running html from the app.get("/" …) call? In the line of code
on http://localhost:${port}.`); app.use(express.static('public')), the express.static()
});
function assumes that a file named index.html is within
the public folder. Override this file name, if you wish, by
passing in a second parameter to set the index property to
the name of HTML file you wish to use. For example, if you
Listing 2: Create the index HTML page. rename the index.html file in the public folder to home.
<!DOCTYPE html> html, use the following code to use that file name:
<html>
<head> app.use(express.static('public',
<title>Product Maintenance</title>
<link rel="icon" type="image/x-icon" {
href="#"> "index": "home.html"
<style> }
.text-center { ));
text-align: center
}
</style> Create the HTML Home Page
</head> Because you declared your intention to use a folder named
public in the express.static('public') call, create a folder
<body>
<div class="text-center">
named public in your project and add a file named index.
<h1>Product Maintenance</h1> html. Add the code shown in Listing 2 to this new index.
html file. Make sure you put the <script> tag that refer-
<button onclick="getAllProducts();"> ences the googleapi.com all on one line. I had to break
Get All Products the line because of formatting restrictions in this article.
</button>
</div>
Create JavaScript File to Make API Call
<div class="text-center"> At the bottom of the index.html file, there are two
<textarea rows="10" cols="80" <script> tags. The first tag references the ajax library
id="products">
</textarea> from Google to help make API calls. The second <script>
</div> tag references a local file called index.js into which you’re
<script going to write the code to make the API calls to the Ad-
src="https://ajax.googleapis.com vWorksAPI project you created in the previous articles.
/ajax/libs/jquery/3.6.3
/jquery.min.js">
</script> On the index.html file, you can see a button that calls
<script src="./scripts/index.js"> a function named getAllProducts(). Create a file named
</script> index.js file in the public folder, and add the getAll-
</body>
</html>
Products() function, as shown in Listing 3. The code in
the getAllProducts() function should be very familiar to

16 Building Web APIs Using Node.js and Express: Part 3 codemag.com

anyone that who’s called APIs using jQuery. The asynchro- Listing 3: Create the function to make the API call from your index.html page.
nous getJSON() method is passed in two parameters: the
'use strict';
URL where the API call is located and a callback function
if the call is successful. The getJSON() method returns a const url = 'http://localhost:3000/api/product';
promise, so you can chain the .done() and .fail() methods
to the call to respond if the code succeeds or fails. If data function getAllProducts() {
is returned from the API call, that data is passed to the $.getJSON(url, function (response) {
$('#products').val(JSON.stringify(response));
anonymous function as the parameter named response. })
For now, you’re just going to place the stringified version .done(function () {
of the JSON data into the <textarea> named products. console.log("Success");
})
.fail(function (error) {
Try It Out $('#products').val(
Save the changes you’ve made to all the files in your "Can't retrieve Products.
project and start the website in the terminal window of Check Console Window " +
your editor by typing in npm start. Go to your browser JSON.stringify(error));
console.error(error);
and navigate to http://localhost:3010. You should see });
the HTML (Figure 2) from the index.html file appear on }
the screen. Click on the Get All Products button and
you should receive the message Can't retrieve Products.
Check Console Window. Open the F12 developer tools on
your browser and check the Console tab. You should see a
CORS error that looks like Figure 2.

Add CORS to the REST API Project

CORS stands for cross-origin resource sharing and is an
HTTP header mechanism that allows a web server to indi-
cate from which domains it will accept calls. By default,
a server blocks all calls that don’t originate from pages
or callers with their own domain. When you add CORS to
your Web API project, you specify all domains or only spe-
cific domains from which to accept remote calls. You can
even specify which verbs (GET, POST, PUT, DELETE, etc.)
to accept. Go back to the AdvWorksAPI project and open
a terminal window in your editor. Type in the following
command to install the CORS package.

npm install cors

Add a new file to the helpers folder named cors.js. Add

the code shown in Listing 4 to this new file. There is a
single function named configure() in this corsHelper ob-
ject. I’ve put some different ways you can configure CORS
within the function that you can refer to later. The first Figure 2: You should receive a CORS error when first attempting to make a call to your
commented line is app.use(cors()). If you use this call, API project.
your server will allow calls from all domains. If you create
a JSON Options object, you can add different properties
to specify domains and methods that your server will al-
low.

You now need to call this configure() method from your

index.js file so you can register CORS functionality within
your Web API project. Open the index.js file and add the
following code before you mount the routes:

&RQÀJXUH&256
const corsHelper = require('./helpers/cors');
FRUV+HOSHUFRQÀJXUH DSS 

// Mount routes from modules

router.use('/product',
require('./routes/product'));

Try It Out
Save all changes made to your AdvWorksAPI project.
Assuming that both projects are running, navigate to Figure 3: You should get an array of product data if everything worked correctly.

codemag.com Building Web APIs Using Node.js and Express: Part 3 17

 Listing 4: Add a CORS helper object to initialize from what domains your server will allow calls.
// Load CORS module // Enable CORS for only one domain
const cors = require('cors'); let options = {
"origin": "http://localhost:3010"
/** };
 &256&RQÀJXUDWLRQ+HOSHU
* @reference // Enable CORS for only one domain
* https://expressjs.com/en // and only certain verbs
* /resources/middleware/cors.html // let options = {
*/ // "origin": "http://localhost:3010",
let corsHelper = {}; // "methods": "GET,POST"
// };
/**
&RQÀJXUH&256XVDJH // Pass options to cors() method
*/ app.use(cors(options));
FRUV+HOSHUFRQÀJXUH function (app) { }
// Enable CORS for all requests
// app.use(cors()); module.exports = corsHelper;

Listing 5: Create a hard-coded product page. http://localhost:3010 and click on the Get All Products
<!DOCTYPE html> button. If you’ve done everything correctly, you should
<html> see the product array appear in the text area, as shown
<head> in Figure 3.
<title>Product Maintenance</title>
</head>
Did You Get an Error?
<body> If you get an error message about not being able to make
<h1>Product List</h1> a connection, make sure that TCP/IP is enabled for SQL
Server on your computer. By default, it’s usually turned
<select size=10>
<option id="345">HL Road Frame - Red, 58</option>
off. Open the Computer Management app (Figure 4) in
<option id="346">Sport-100 Helmet, Red</option> Windows and expand the SQL Server Configuration Man-
<option id="348">Mountain Bike Socks, M</option> ager node, then expand the Protocols for MSSQLSERVER
</select> (or Protocols for SQLExpress if using SQLEXPRESS). Dou-
</body> ble-click on the TCP/IP protocol and in the dialog box,
</html>
change the status to Enabled.

Getting Started with Templating

In the simple example you just coded, the product data is
simply placed into an HTML text area. Most likely, you’re
going to want to display the products in an HTML table
or a drop-down list. You can build the table or drop-down
list by coding everything in JavaScript, but doing so can
get very messy. If you’ve ever used ASP.NET MVC, you
have a server-side templating language, Razor, to mix
HTML and code to build tables, drop-downs, and forms
dynamically.

There are several client-side templating engines that

work similarly to the server-side templating languages.
The most common client-side templating engines are EJS,
Mustache, Handlebars, and Pug. These templating engines
help you build web pages dynamically on the client-side.
I’m going to introduce you to Mustache in this article
because it’s the one that I’ve used many times over the
years. Once you learn one of these templating engines,
you’ll find that most of them look the same.

Mustache, and most of the templating engines, want you

Figure 4: Turn on the TCP/IP protocol for SQL Server if you get errors attempting to connect.
to create a folder named views. Create the views folder
in your AdvWorks project, and within that folder, add a
new file named product.mustache. Into this new file,
place the HTML shown in Listing 5. For this first example,
you’re just going to use some hard-coded data. Eventu-
ally, you’ll replace this hard-coded data with data from a
Web API call, but first, let's learn how to call this page
using Mustache.

18 Building Web APIs Using Node.js and Express: Part 3 codemag.com

Create a Route to Display the Mustache Page
As you did in the first article in this series, you’re going
to create modules to hold the different pieces of func-
tionality for your web application. Add a new folder called
routes and add a new file named product.js in this folder.
Open the routes\product.js file add the code shown be-
low:
// Create an instance of a Router
const router = require('express').Router();
// GET /product Route
router.get('/', (req, res, next) => {
// Use the view engine to render the page
res.render('product.mustache', {});
});
Install Mustache Template VS Code Extension
If you’re using VS Code, you should install the Mustache
Template – Snippets and Autocomplete extension to
help you format and work with Mustache within VS Code.
Click on the Extensions tab in VS Code and search for
"Mustache". Install this extension, as shown in Figure 5.
References for Mustache
There’s a lot more to Mustache than I’m covering in this
article. To learn more about the Mustache templating en-
gine, I’ve listed a few links that provide you with more
information:

module.exports = router;

In this router.get() function, you call the render() func-

tion on the response (res) object, passing in the value
'product ' which corresponds to the file product.mus-
tache located in the views folder. The second parameter
to res.render() is the data that is to be used on the mus-
tache file to create the page. There’s no data for this page
yet, so just pass an empty JSON object.

How does Express know to use the file named product.
mustache and not product.html or some other file? The
answer is that it doesn't yet, but it will as soon as you
download Mustache and register it as your view engine.
Let's do that next.
Add Mustache to Your Project
Add the mustache templating engine to your AdvWorks
project by submitting the following command in the ter-
minal window.
npm install mustache-express
Open the index.js file and add the code shown in Listing 6
after the definition of the port constant. In this code, you
load the Mustache module, tell Express what view engine
you’re using with the app.set() function, and then register
the engine using the app.engine() function. You now use
the router.use() function to create the product route with
the routes defined in your routes\product.js file.
Figure 5: Install the Mustache template extension to
make it easier to work with Mustache files.
Listing 6: Configure the mustache-express package as the view engine for this website.
&RQÀJXUH0XVWDFKH7HPSODWLQJ(QJLQH
let mustacheExpress =
require('mustache-express');
// The following is the default
// change the directory name if you wish
//app.set('views', `${__dirname}/views`);
// Tell express the view engine you are using
app.set('view engine', 'mustache');
// Set the engine to Mustache
app.engine('mustache', mustacheExpress());
// Mount routes from modules
router.use('/product',
require('./routes/product'));
&RQÀJXUHURXWHUVRDOOURXWHV
KDYHQRSUHÀ[
app.use('/', router);

Remember how you use the tool nodemon to restart the

node application if a file changes? Well, because you’re
now using .html, and .mustache files, you need to inform Listing 7: Add some data to send to the Mustache page.
nodemon to monitor those files as well. Open the pack- res.render('product',
ages.json file and modify the Start property so it looks {
like the code shown below. The -e option passes a list "data": [
{
of file extensions to the nodemon utility to monitor for "productID": 354,
changes. This is a comma-separated list of extensions. Do "name": "Long-Sleeve Logo Jersey, L"
not put any spaces in between each. A space is what sep- },
arates the extensions from the file to start with, namely, {
"productID": 356,
index.js. "name": "HL Road Frame - Red, 62",
},
"scripts": { {
"start": "productID": 358,
"name": "HL Road Frame - Red, 48",
"nodemon -e mustache,js,html,json index.js", }
"test": HFKR?(UURUQRWHVWVSHFLÀHG? ]
 H[LW }
}, );

codemag.com Building Web APIs Using Node.js and Express: Part 3 19

 • https://github.com/janl/mustache.js/
• https://mustache.github.io/mustache.5.html
• https://drewword.medium.com/express-mustache-
quick-start-36c3421af91
Try It Out
Save all the changes made to the files in your project and
restart the AdvWorks project. Type in the query http://local-
host:3010/product and you should now see the HTML page
with a list of hard-coded product data in a drop-down list.
Feed Data to the Mustache Page
Open the routes\product.js file replace the line of code
res.render('product', {}) with the code shown in Listing
7. The second parameter to the res.render() method is
now a hard-coded set of product data to be used to fill in
the data you hard-coded in the <select> element. Eventu-
ally, you’re going to replace this code with a call to the
Web API, but let's first learn how to use the Mustache
templating engine with hard-coded data.
The second parameter passed to res.render() is an un-
named JSON object. Add a property to this object called
data that’s an array of product objects. The array in data
is what you’re going to tell Mustache to use to iterate
over, and create each <option> in the <select> list. Open
the views\product.mustache file and replace all the
hard-coded <option> elements with the following code:
<select size=10>
{{#data}}
<option id="{{productID}}">
{{name}}
</option>
{{/data}}
</select>
This new code you’ve entered contains Mustache tokens.
These tokens are variable names that either represent a
collection of data {{#data}}, or a single property from
within the array of objects such as {{productID}} and
{{name}}. These tokens are replaced with the data from
the object you passed to the second parameter of the res.
render() function.
The token {{#data}} says to iterate over the array of
product objects contained in the data property. For each
product object, emit all the HTML within the starting
{{#data}} token and the closing {{/data}} token. While
iterating through each, replace each property within the
tokens ({{productID}}, for example) with the data from
that property in the product object.
Try It Out
Save all the changes to the files in your AdvWorks project,
go to your browser, and refresh the page at http://local-
host:3010/product. You should see a different set of prod-
ucts appear in your HTML list. These are now the products
coming from the hard-coded product array in your router.
Using Partial Pages
A great feature of Mustache is that it allows you to break
your HTML pages up into smaller chunks. This feature is
called partial pages and is very similar to the way partial
20 Building Web APIs Using Node.js and Express: Part 3
pages in ASP.NET Razor works. To illustrate, let's take the
part of the product page that creates the list of products
and move that off into a separate file. Open the views\
product.mustache file and cut to the clipboard the entire
<select>…</select> element. Where that code used to
be, replace it with {{> _productList}}, as shown in the
following code snippet:
<!DOCTYPE html>
<html>
<head>
<title>Product Maintenance</title>
</head>
<body>
<h1>Product List</h1>
{{> _productList}}
</body>
</html>
This mustache token {{> …}} tells Mustache to locate
the file named after the greater than sign. In the code
above, that means to look for a file named _productList.
mustache and insert the contents at that file into this
location in the product.mustache file. Add a new file in
the views folder named _productList.mustache and add
the code shown below.
<select size=10>
{{#data}}
<option id="{{productID}}">
{{name}}
</option>
{{/data}}
</select>
Try It Out
Save all the changes you made to your project files. Open
your browser and refresh the page, and you should see
the exact same page you did before. The difference is
that you used two Mustache files to accomplish the same
thing. You’re going to see where this comes in handy as
you work your way through this article.
Create a Table of Products
Open the routes\product.js file and add more properties
to each of the product objects in the array, as shown
in Listing 8. This provides better data to display in the
_productList partial page. Now that you have more prop-
erties for each product object, an HTML table is more ap-
propriate for displaying that data. Open the views\_pro-
ductList.mustache file and replace the entire contents of
the file with the HTML shown in Listing 9.
Let's add a little bit of styling to the table. Open the
views\product.mustache file and within the <head> ele-
ment, add the following styles.
<style>
table, th, td {
border: 1px solid;
border-collapse: collapse;
}
th, td {
codemag.com
 Listing 8: Create a route to send some data to a Mustache page.
res.render('product', "standardCost": 13.0800,
{ "listPrice": 34.9900,
"data": [ PRGLÀHG'DWH: "2004-03-11"
{ },
"productID": 345, {
"name": "HL Road Frame - Red, 58", "productID": 347,
"productNumber": "FR-R92R-58", "name": "Sport-100 Helmet, Black",
"color": "Red", "productNumber": "HL-U509",
"standardCost": 1059.3100, "color": "Black",
"listPrice": 1500.0000, "standardCost": 13.0863,
PRGLÀHG'DWH: "2019-09-11" "listPrice": 34.9900,
}, PRGLÀHG'DWH: "2004-03-11"
{ }
"productID": 346, ]
"name": "Sport-100 Helmet, Red", }
"productNumber": "HL-U509-R", );
"color": "Red",

padding: 1em; Listing 9: Add an HTML file with some templating in it to render the product data.
text-align: left; <table>
} <thead>
tr:nth-child(even) { <tr>
background-color: #f2f2f2; <th>Product ID</th>
<th>Product Name</th>
} <th>Product Number</th>
.text-end { <th>Color</th>
text-align: right; <th class="text-end">Cost</th>
} <th class="text-end">Price</th>
</tr>
</style>
</thead>
<tbody>
{{#data}}
Try It Out <tr>
Save all the changes you have made to the files in your <td>{{productID}}</td>
<td>{{name}}</td>
AdvWorks project. Go to your browser and refresh the <td>{{productNumber}}</td>
page at http://localhost:3010/product. You should now <td>{{color}}</td>
see a page with the product data in a nicely formatted <td class="text-end">{{standardCost}}</td>
table, as shown in Figure 6. <td class="text-end">{{listPrice}}</td>
</tr>
{{/data}}
</tbody>
Formatting Columns </table>
In the HTML table, you can see that the standard cost and
the list price fields are both right-justified. Because each
of these values are dollar amounts, they should be format-
ted as currency values. Mustache is doing the rendering of
the data via their tokens {{ and }}. Within these tokens,
you’re only allowed to use properties or functions that are
attached to the object passed as the second parameter to
the res.render() function. This means you need to add a
couple of properties to that object to render the cost and
the price as currency values. Open the routes\product.js
file and add two new properties before (or after) the data
property within the second parameter passed to the res.
render() function, as shown in Listing 10.

Open the views\_productList.mustache file and change

the last two columns that contain the {{standardCost}}
and the {{listPrice}} tokens to the following code:

<td class="text-end">
{{costAsCurrency}}
</td> Figure 6: A table can be built using the Mustache templating engine.
<td class="text-end">
{{priceAsCurrency}}
</td> the this keyword to get the standardCost property from
the current row being processed. It uses the toLocale-
As Mustache processes each row in the array of product String() method on the Number data type in JavaScript
objects, it calls the costAsCurrency function which uses to convert the value to a U.S. currency format. It also

codemag.com Building Web APIs Using Node.js and Express: Part 3 21

 calls the priceAsCurrency function, which uses the this References for tiny-json-http
keyword to get the listPrice property from the current There is much more to the tiny-json-http package than
row being processed and converts that to a U.S. currency I’m covering in this article. Here are some references if
format as well. you want to learn more about tiny-json-http:

• https://www.npmjs.com/package/tiny-json-http
Another Method to Make API Calls • https://snyk.io/advisor/npm-package/tiny-json-
Instead of using the hard-coded data you put into the http/functions/tiny-json-http.post
route, let's make a call to the Web API to retrieve the • https://github.com/brianleroux/tiny-json-http
product data from SQL Server. There are many tools, such
as the Google APIs used earlier, that allow you to make Add an HTTP Call to the Product Route
Web API calls within an Express application. I like us- Open the routes\product.js file and replace the entire
ing the tiny-json-http package as it has a very simple contents with the code shown in Listing 11. The first
syntax. Within your AdvWorks project, open a terminal line of code still sets up the router from express. Next,
window and install this package by typing in the follow- load the tiny-json-http module so you can use it with-
ing command: in this module. Create a constant that has the URL for
making the calls to the Web API project you created.
npm install tiny-json-http Within the router.get() function, wrap the call to your
Web API within a try…catch block. Call tiny.get() pass-
ing in a JSON object with the url property set to the
Listing 10: Add two properties to retrieve numbers are currency values. url constant. The response object that’s returned has a
res.render('product', { data property within the body that contains the array
"costAsCurrency": function () { of product objects.
return new Number(this.standardCost)
.toLocaleString("en-US", In this version of the res.render() function, the second
{ "style": "currency",
"currency": "USD" }); parameter has four properties on this object: isListVis-
}, ible, data, costAsCurrency, and priceAsCurrency. On the
"priceAsCurrency": function () { product.mustache page (Listing 12) you’re going to use
return new Number(this.listPrice) the {{#isListVisible}} token that says if this variable is
.toLocaleString("en-US",
{ "style": "currency", a true value, then display whatever is contained within
"currency": "USD" }); this token and its closing token {{/isListVisible}}. In this
}, case, you display the HTML table in the _productList.mus-
"data": [ tache file.
{
"productID": 345,
"name": "HL Road Frame - Red, 58", {{#isListVisible}}
"productNumber": "FR-R92R-58", {{> _productList}}
"color": "Red",
"standardCost": 1059.3100, {{/isListVisible}}
"listPrice": 1500.0000,
PRGLÀHG'DWH: "2019-09-11"
}, Make a Nicer Looking Product List Page
// REST OF THE OBJECTS HERE Open the views\product.mustache file and replace the
entire contents with the code shown in Listing 12. This
] HTML is like the code you wrote before, only you’re now
} adding the Bootstrap 5.x CSS framework so you can take
advantage of all the nice CSS classes available in this

Listing 11: Call the Web API using the tiny JSON HTTP package.
// Create an instance of a Router "data": data,
const router = require('express').Router(); "costAsCurrency": function () {
return new Number(this.standardCost)
// Load tiny-json-http module .toLocaleString("en-US",
const tiny = require('tiny-json-http'); { "style": "currency",
"currency": "USD" });
// Create URL for Web API calls },
const url = 'http://localhost:3000/api/product'; "priceAsCurrency": function () {
return new Number(this.listPrice)
// GET /product .toLocaleString("en-US",
router.get('/', async (req, res, next) => { { "style": "currency",
try { "currency": "USD" });
// Request data from Web API }
let response = await tiny.get({ }
"url": url );
}); } catch (err) {
// Get data from response next(err);
let data = response.body.data; }
// Render the page });
res.render('product',
{ module.exports = router;
"isListVisible": true,

22 Building Web APIs Using Node.js and Express: Part 3 codemag.com

 Listing 12: Create a main page for display product data.
<!DOCTYPE html> <div class="container">
<html> {{#isListVisible}}
<head> {{> _productList}}
<meta charset="utf-8"> {{/isListVisible}}
<meta name="viewport" </div>
content="width=device-width,
initial-scale=1"> <script src="https://cdn.jsdelivr.net
<title>{{title}}</title> /npm/[email protected]/dist
<link href="https://cdn.jsdelivr.net /js/bootstrap.bundle.min.js"
/npm/[email protected]/dist/css integrity="sha384-kenU1KFdBIe4zVF0s0G1M
/bootstrap.min.css" rel="stylesheet" 5b4hcpxyD9F7jL+jjXkk+Q2h455rYXK
integrity="sha384-rbsA2VBKQhggwzxH7pPCaAq /7HAuoJl+0I4"
O46MgnOM80zW1RWuH61DGLwZJEdK2Kadq2F9CUG65" crossorigin="anonymous"></script>
crossorigin="anonymous"> </body>
</head> </html>

<body>

Listing 13: Add HTML to allow the user to input some search criteria.
<form class="mt-4" Greater Than Price
action="/product/search" method="get"> </label>
<div class="card"> <input type="text"
<div class="card-header bg-primary id="searchListPrice"
text-light"> name="searchListPrice"
<h5 class="card-title"> class="form-control"
Search for Products value="{{search.listPrice}}" />
</h5> </div>
</div> </div>
<div class="card-body"> <div class="card-footer bg-primary
<div class="form-group"> text-light">
<label for="searchName"> <button class="btn btn-success">
Product Name (or partial) Search
</label> </button>
<input type="text" <a href="/product"
id="searchName" class="btn btn-secondary">
name="searchName" Reset
class="form-control" </a>
value="{{search.name}}" /> </div>
</div> </div>
<div class="form-group"> </form>
<label for="searchListPrice">

framework. Due to publishing constraints of this maga- Try It Out

zine, I had to break the values in the attributes of the
<link> and <script> elements. Please make sure these are
all on one line when you put them into your file.
Open the views\_productList.mustache file and at the
top of the file, add the header shown in the following
code snippet. Notice the use of the Bootstrap CSS classes
row, col, and text-center.
Save the changes you made to all the files in your Adv-
Works project and start it up. Ensure that the AdvWorks-
API Web API project is still running. Go to your browser
and navigate to http://localhost:3010/product. You
should see a list of products that are coming from the
Product table in your SQL Server. The look of the page
should be nicer with the addition of the Bootstrap CSS
framework, as shown in Figure 7.

<div class="row">
<div class="col text-center"> Search for Products
<h1>Product List</h1> In the Web API project, you created a search endpoint to
</div> allow you to search for products based on a partial name
</div> and/or if the list price is greater than a specified amount.
Create a new file in the views folder named _product-
Next, add the class attribute to the <table> element and Search.mustache file and add the code shown in Listing
add the Bootstrap classes shown in the following code. 13 to this new file.
These classes make formatting your HTML table easy.
Open the views\product.mustache and within the {{#is-
<table class="mt-2 table table-striped ListVisible}} tokens, add the token to bring in the new
table-bordered"> file you created. Make sure this file goes before the one
that references the _productList file.
// REST OF THE TABLE HERE
{{#isListVisible}}
</table> {{> _productSearch}}

codemag.com Building Web APIs Using Node.js and Express: Part 3 23

 {{> _productList}}
{{/isListVisible}}
The HTML in the _productSearch file uses a Bootstrap
panel to wrap up the search input fields. The form action
attribute says to post the input fields within this form to
a product/search route. When you click on the Search
button, the data from these two input fields are posted
to this new route.
Create the new search route by opening the routes\prod-
uct.js file and add the code shown in Listing 14. Once
again, due to the publishing constraints of this maga-
zine some of the long lines that build the request vari-
able should be on one line. If you are copying the code
from the magazine, please make sure to fix these up. The
search route function creates a search object from the val-
ues passed on the query line from the form post-back. It
then determines which of the properties in the search ob-
ject are filled in and builds the appropriate URL to submit
to the Web API search route. Examples of what this URL
could look like are http://localhost:3000/api/product/
search?name=HL or http://localhost:3000/api/product/
search?name=HL&listPrice=1499, or some variation there-
of. This URL is then submitted to the Web API application
and the data is returned to be displayed on the list page.

Try It Out
Save the changes made to your project files and ensure that
the project is running. Navigate to the http://localhost:3010/
product page and type into the Product Name (or partial)
input field the value HL. Click the Search button and you
should see a few rows that match this criterion displayed
in your HTML table. Input the value 1439 into the Greater
Than Price input field and click the Search button again. You
should now see fewer rows. Finally, click the Reset button to
see the whole list of products re-appear in the table.

Product Detail Page

Figure 7: Bootstrap helps make all your web pages look more professional.
Now that you’ve displayed the complete list of products
from the Product table, it would be nice to be able to
click on one of the products and display a detail page.
You’re going to use this detail page for adding and edit-
ing product data. First, let's display the product data in
the appropriate input fields. Add a new file in the views
folder named _productDetail.mustache and add the code
shown in Listing 15. This is a typical input form with
some hidden input fields for keeping track of properties
that the user doesn’t need to see. For example, the is-
ListVisible property determines if the list or detail page

Listing 14: Create a function to search for product data.

// GET /search Route // Render the page
router.get('/search', async (req, res, next) => { res.render('product',
try { {
// Create search object with "isListVisible": true,
// parameters from query line "search": search,
let search = { "data": data,
"name": req.query.searchName, "costAsCurrency": function () {
"listPrice": req.query.searchListPrice return new Number(this.standardCost)
}; .toLocaleString("en-US",
if (search.name || search.listPrice) { { "style": "currency",
let request = url; "currency": "USD" });
if VHDUFKQDPH VHDUFKOLVW3ULFH ^ },
request += `/search?name=${search.name} "priceAsCurrency": function () {
 OLVW3ULFH ^VHDUFKOLVW3ULFH`C; return new Number(this.listPrice)
} .toLocaleString("en-US",
if VHDUFKQDPH VHDUFKOLVW3ULFH ^ { "style": "currency",
request += `/search?name=${search.name}`; "currency": "USD" });
} }
if VHDUFKQDPH VHDUFKOLVW3ULFH ^ });
request += `/search }
?listPrice=${search.listPrice}`; else {
} // Redisplay the list
res.redirect('/product');
// Request data from Web API }
let response = await tiny.get({ } catch (err) {
"url": request next(err);
}); }
// Get data from response });
let data = response.body.data;

24 Building Web APIs Using Node.js and Express: Part 3 codemag.com

 Listing 15: Create a detail page to add/edit product data
<div class="mt-4 row text-center"> value="{{productNumber}}" />
<div class="col"> </div>
<h2>Product Detail</h2> <div class="form-group">
</div> <label for="color" class="form-label">
</div> Color
</label>
{{#detail}} <input type="text" id="color" name="color"
<form class="mt-4" action="/product" class="form-control" value="{{color}}" />
method="post"> </div>
<input type="hidden" id="isAdding" <div class="form-group">
name="isAdding" value="{{isAdding}}" /> <label for="standardCost"
<input type="hidden" id="isListVisible" class="form-label">
name="isListVisible" Cost
value="{{isListVisible}}" /> </label>
<input type="hidden" id="productID" <input type="number" id="standardCost"
name="productID" value="{{productID}}" /> name="standardCost"
class="form-control"
<div class="form-group"> value="{{standardCost}}" />
<label for="name" class="form-label"> </div>
Product ID <div class="form-group">
</label> <label for="listPrice"
<input type="text" readonly disabled class="form-label">
class="form-control" Price
value="{{productID}}" /> </label>
</div> <input type="number" id="listPrice"
<div class="form-group"> name="listPrice" class="form-control"
<label for="name" class="form-label"> value="{{listPrice}}" />
Product Name </div>
</label>
<input type="text" id="name" name="name" <div class="mt-2 form-group">
class="form-control" value="{{name}}" /> <button class="btn btn-primary">
</div> Save
<div class="form-group"> </button>
<label for="productNumber" <a href="/product" class="btn btn-primary">
class="form-label"> Cancel
Product Number </a>
</label> </div>
<input type="text" id="productNumber" </form>
name="productNumber" class="form-control" {{/detail}}

is visible. The isAdding property determines if the user

is adding a new product or updating an existing product.

To add the ability to navigate to the detail page, open

the _productList.mustache file and just after first <tr>
in the <thead> element, add the following <th>.

<th>Actions</th>

Then immediately after the first <tr> in the <tbody> element,

add the following <td>. The href attribute within this an-
chor tag calls route product/ followed by the number of the
product ID the user clicked on. For example, product/345
is called if the user clicked on a product with the product ID
of 345. This route is going to return the detail page you just
created filled in with the data for the product 345.

<td>
<a href="product/{{productID}}"
class="btn btn-primary">
Edit
</a>
</td>

Open the product.mustache file and just below the {{/

isListVisible}} line, add the following code:

{{^isListVisible}}
{{> _productDetail}}
{{/isListVisible}} Figure 8: This detail page is displayed after clicking on the Edit button on the table.

codemag.com Building Web APIs Using Node.js and Express: Part 3 25

 Listing 16: Create a route to retrieve a single product row.
// GET /id Route {
router.get('/:id', async (req, res, next) => { "isListVisible": false,
try { "isAdding": false,
// Build the request URL "detail": data
let request = url + `/${req.params.id}`; }
// Request data from Web API );
let response = await tiny.get({ } catch (err) {
"url": request next(err);
}); }
// Get data from response });
let data = response.body.data;
// Render the page
res.render('product',

Listing 17: Add an insert function to add a product to the SQL Server table.
// POST from Detail Page // PUT an updated product
router.post('/', async (req, res, next) => { response = await tiny.put({
try { "url": request,
// Declare the response object "data": product
let response = {}; });
// Get posted values from form }
let product = req.body; // TODO: Handle a 404 or a 400
if (product.isAdding != 'false') {
// POST a new product // Redisplay the list
response = await tiny.post({ res.redirect('/product');
"url": url, } catch (err) {
"data": product next(err);
}); }
} });
else {
let request = url +
`/${product.productID}`;

The {{^isListVisible}} is the inverse of the {{#isListVis- Update a Product

ible}} token. This token says if the isListVisible property
is false, display the contents between the two tokens. In
this case, if the isListVisible property is false, the detail
page is displayed instead of the product search and list
page.
Open the routes\product.js file and after the other routes
in this file, add the new route shown in Listing 16. The
product is passed into this route by clicking on the anchor
tag in the table. A call to the GET/id route in the Web
API is made to retrieve the single product row. The res.
render() function is called passing in the Product page
and a second parameter with three properties. The isList-
Visible property is set to false so the templating engine
displays the detail page instead of the list page. Because
you just clicked on an existing product, the isAdding
property is set to false—if you’re going to save this data,
you want to do an UPDATE and not an INSERT. The detail
property is the single product object that’s used in the
tokens {{#detail}} and {{/detail}} on the detail page you
created in Listing 15.
Try It Out
Save the changes made to your project files and ensure
that the project is running. Navigate to the http://loc-
alhost:3010/product page and click on one of the Edit
buttons to view the detail page (Figure 8). Click the back
button on your browser and click on another Edit but-
ton to see the detail data for another product. You can
click on the Save button, but nothing’s going to happen
yet. The Cancel button takes you back to the product
list page.
When you click on the Save button, you want to post data
from the detail form to the post() route you’re going to cre-
ate. To post data, you must add a module in Express to parse
the data in the form body into a JSON object. Open the in-
dex.js file and after the line of code app.engine('mustache',
mustacheExpress()), add the following code:
// Load body-parser module
// (required for post-backs)
const bodyParser = require('body-parser')
// Support JSON-encoded form body
app.use(bodyParser.json());
// Support URL-encoded form body
app.use(bodyParser.urlencoded({
extended: true
}));
Add a POST Route
Open the routes\product.js file and add a new post route,
as shown in Listing 17. Form data can only be posted
(not put as in the Web API), so whether you’re updating
or inserting data, you only call the post() route. That’s the
reason for the isAdding property on the JSON object, so
you know whether to call the post or put on the Web API.
After calling either the post or put, you are going to redi-
rect back to the product page so it can re-read the product
data and display any changes in the HTML table.
Try It Out
Save the changes made to your project files and ensure
that the project is running. Navigate to the http://local-
host:3010/product page and click on one of the Edit but-

26 Building Web APIs Using Node.js and Express: Part 3 codemag.com

tons to view the detail page. Make some changes to one or Listing 18: Add a function to display a blank detail form.
two of the input fields and click the Save button. You should
// GET /add Route
see the changes you made appear in the product table. router.get('/add', async (req, res, next) => {
try {
res.render('product',
Insert a Product {
You’re going to need an Add button somewhere on the "isListVisible": false,
"isAdding": true,
page to allow the user to insert a new product. Open the "detail": {
views\_productSearch.mustache file and add the fol- "name": "",
lowing HTML just before the Search button: "productNumber": "",
"color": "Red",
"standardCost": 1,
<a href="product/add" "listPrice": 2
class="btn btn-secondary"> }
Add }
</a> );
} catch (err) {
next(err);
In the href attribute of this anchor tag, you call a route }
named product/add. Open the routes\product.js file and });
add a new method BEFORE the router.get("/:id"…) route,
as shown in Listing 18. In this route, render the product
page passing in an object that sets the isAdding property Listing 19: Add a route to delete a product row from the table.
to true and sets the detail property to all the input fields // GET /delete/id Route
on the page that should be initialized to a valid value. router.get('/delete/:id',
async (req, res, next) => {
Try It Out try {
// Build the request URL
Save the changes made to your project files and ensure let request = url + `/${req.params.id}`;
that the project is running. Navigate to the http://loc- // Request data from Web API
alhost:3010/product page and click on the Add button. response = await tiny.delete({
Enter some valid data for each input field and click the "url": request
});
Save button. You should see the product you created ap- // TODO: Handle 404
pear in the HTML product table.
// Redisplay the list
res.redirect('/product');
Delete a Product } catch (err) {
next(err);
The last piece of functionality to create is to allow the }
user to delete a product. I like putting a Delete button at });
the end of the row of each column. Open the views\_pro-
ductList.mustache file and just before the closing </tr>
within the <thead> element, add a new <th>:
Try It Out Getting the Sample Code
<th>Delete</th> Save the changes made to your project files and ensure
that the project is running. Navigate to the http://local- You can download the sample
Just before the closing </tr> within the </tbody> ele- host:3010/product page and click on the Delete button code for this article by visiting
ment add a new <td> element with an anchor tag in it. next to one of the products. Respond that you wish to www.CODEMag.com under
This anchor tag is going to call the product/delete route delete this row and you should see the product list re- the issue and article, or by
with the product ID for the current row at the end of the displayed minus the product you just deleted. visiting www.pdsa.com/
downloads. Select “Articles”
route. Before it calls this delete method, it’s a good idea
from the Category drop-
to confirm with the user that they really want to delete
this row. Summary down. Then select “Building
Web APIs Using Node.js and
In this series of articles, you built two web projects using Express: Part 3” from the Item
<td> Node.js and Express. The first web project is a set of API drop-down.
<a href="product/delete/{{productID}}" calls used to perform CRUD logic on a SQL Server table.
onclick = You added middleware to handle exceptions and learned
UHWXUQFRQÀUP 'HOHWHWKLV3URGXFW"  to read data from a configuration file. The second web
class="btn btn-danger"> project is a website used to serve up web pages for a user
Delete to interact with the product data. Using several different
</a> tools, you learned to call Web APIs from each page and
</td> create dynamic web pages using templating.

Add the new delete route (Listing 19) by opening the Paul D. Sheriff
routes\product.js file and adding the new route BEFORE
the router.get("/:id"…) route. This route extracts the ID
passed in from the req.params.id property and uses that
ID to build the call to the Web API delete route. After the
delete has occurred, the product list page is once again
displayed, minus the row just deleted.

codemag.com Building Web APIs Using Node.js and Express: Part 3 27

 ONLINE QUICK ID 2309041
Applying DDD Thinking to Refactor
Aggregate Filters
This article reconsiders the problem (well, a solution) of filtering in software being built for a book publishing company. Leaning
on lessons from Domain-Driven Design (DDD), the company’s team (including devs, domain experts, and more) embarked on
the initial discovery phase and strategic design. They then selected one particular bounded context that came out of strategic
Julie Lerman
@julielerman
thedatafarm.com/contact
Julie Lerman is a Microsoft
Regional director, Docker
Captain, and a long-time
Microsoft MVP who now
counts her years as a coder
in decades. She makes
her living as a coach and
consultant to software
teams around the world.
You can find Julie present-
ing on Entity Framework,
Domain-Driven Design and
other topics at user groups
and conferences around
the world. Julie blogs at
thedatafarm.com/blog, is
the author of the highly
acclaimed “Programming
Entity Framework” books,
and many popular videos
on Pluralsight.com.
Figure 1: The Contract entity is the root of the contract aggregate.
28 Applying DDD Thinking to Refactor Aggregate Filters
design—the contracting bounded context—to focus
on for the initial tactical design phase. That particular
bounded context presented some interesting complexity
because of the many iterations a contract may go through
as well as the possibility of co-authors on a book. The
added complexity makes the bounded context a great
candidate for applying DDD patterns.
The outcome of the tactical design is a contract aggre-
gate (see Figure 1) defined by its entities, value objects,
invariants and other business rules. The contract entity
itself is the root of the aggregate. A contract has one or
more versions including a version with default values and
default specifications for every new contract. Each ver-
sion includes a set of specifications that are encapsulated
in a value object. And each version also has one or more
authors.
The author class is also a value object that leans on yet
another value object: PersonName. Figure 2 shows the
properties of each of the aggregate classes in Visual Stu-
dio’s class designer. There’s a lot of logic involved to cre-
ate default versions, create revisions, finalize contracts,
etc. If you’re curious about that logic, it’s all detailed
as part of my Pluralsight course: EF Core 6 and Domain-
Driven Design (https://www.pluralsight.com/courses/
ef-core-6-domain-driven-design). If you’re not familiar
with DDD, you may want to start with the Domain-Driven
Design Fundamentals course also on Pluralsight that I co-
authored with Steve Smith.
The focus of this article is on enabling users to find pre-
existing contracts by filtering. That seems like a problem
with a well-known and obvious solution. But is it really?
As the developers incorporate the contract aggregate fur-
ther into their solution, it’s important that they make it
easy for users to find a contract to work on, whether they
want to make tweaks, create a new revision, or just look
at some details. Users might want to search by author
names, contract status, or one of the relevant dates, such
as when the contract was first initiated or when an author
needs to respond to a version during negotiations.
Although the lessons of this article apply to any stack,
I’ll be using .NET Core and EF Core with a SQL Server
database to explain the solution. The demo code is on
my GitHub account at https://github.com/julielerman/
FilteringwithEFCoreandDDD.
Factors that Lead to Filtering
Problems
In the solution, the EF Core DbContext designed to sup-
port the aggregate takes care of ensuring that the ag-
gregate is mapped correctly to the relational database.
Additionally, in order to protect the aggregate, this Db-
Context only exposes the aggregate root—the contract
entity—for querying and updates. It’s possible to use the
DbContext.Set<> method directly, but you should design
your data access logic such that you are not circumvent-
ing this guard rail other than, perhaps, in integration
tests as needed.
For example, many of the details that would be helpful for
selecting a contract such as author name or acceptance
deadline are exposed throughout the aggregate in differ-
ent classes. Yet accessing them to filter queries is overly
complicated. It can be done but requires a lot of LINQ
trickery and expertise. And that’s just to filter the results.
The results themselves need to be a string composed of
appropriate highlights sufficient for the user to select the
exact one that they’re seeking. Listing 1 shows an ex-
ample of the most efficient solution I could come up with
to find a list of contracts based on the last name of any of
the authors. Remember that the authors could vary from
one version of the contract to another and, in this search,
the domain experts specified that this filter should only
find contracts with that author in the current version.
As you can see from that one method in Listing 1, it’s
possible to build up layers of queries via the aggregate
and its DbContext to support this. But for me, it was quite
a hair-puller, especially to filter by name as I needed to
drill into contract version, then each of its authors, and
then the Name property (remember it’s a value object),
and even further in to the LastName property. In the end,
this and the other queries I created worked well, although
codemag.com
not perfectly, because I was only getting back the name
of one of the authors. It was at the point when I was try-
ing to determine how to also look for any co-authors that
I finally decided the effort was just too much.
The aggregate was intentionally designed to represent a
contract and its business logic. It exists to easily create
and modify a contract while maintaining its invariants.
However, that design has made the problem of search
somewhat complicated. Even if you were to use specifi-
cations to define, combine, and execute queries for you
(using the brilliant EF Specification from Steve Smith at
https://github.com/ardalis/specification), the tiered na-
ture of this aggregate makes defining and composing the
various specifications on which you may want to search
overly difficult.
Are You Working Too Hard?
This is when my ingrained habit of Domain-Driven De-
sign thinking finally kicked in. Or perhaps the old Ben &
Jerry’s slogan “If it’s not fun, why do it?” did. The fact
that it was so hard to build up these queries is a big red
flag. If you glean nothing else from my pain, at least
remember this! As developers, it’s habitual for us to set a
goal and keep fighting every problem that comes our way
until we achieve said goal. We slap more and more code
onto the problem until it finally works. This is something
of an ego problem for many of us and I’m happy to admit
that it definitely is for me.
But DDD teaches us to take complex problems, break them
apart into simpler problems, and then compose them as
needed. I’ve drawn these lessons into many areas of my
life, whether building software or trying to follow a com-
plicated soup recipe.
Once I woke up from my ego trip, I realized that the fil-
tering was just too hard to accomplish using LINQ against
the aggregate. I also knew that I had a very appropriate
tool at my disposal that’s excellent at querying: the da-
tabase. My eventual solution was to create a new simple
model, a new DBContext, and some SQL Server objects
(view, stored procedure, and a user-defined function).
Let’s see how that works.
As developers, it’s habitual for us
to set a goal and keep fighting
every problem that comes our
way until we achieve said goal.
What Filter Results Do Users Need
to See?
The domain experts identified the key data that a user
should see in order to help them find a particular con-
tract. It should be a combination of the contract num-
ber, the names of all authors involved, the working title
of the book, and the date that the contract negotiation
was initiated. For example, this fake book: Contract start:
6/13/2023, "Learning Razor Tricks", Author(s): Julie Ler-
man, Roland Guijt.
codemag.com
Figure 2: Aggregate classes with their
properties and relationships
Listing 1: Using LINQ to find contracts against the aggregate is hard
public List<KeyAndDescription>
GetContractPickListForAuthorLastName(string lastname)
{
var currentVersions = _context.Contracts
.Where (c => c.Versions
.Any(v =>v.Authors
.Any(a =>a.Name.LastName.StartsWith(lastname))
)
).Select(c => new
{c.DateInitiated,
Current = c.Versions.Where(v =>
v.Id == c.CurrentVersionId).FirstOrDefault()
}).ToList();
var picklist = currentVersions.Select(v =>
new SearchResult(v.Current.ContractId,
$"{v.DateInitiated.ToShortDateString()},
{v.Current.WorkingTitle},
{v.Current.Authors.FirstOrDefault().Name.FullName}"),
v.ContractNumber)
.ToList();
return picklist.OrderBy(pl => pl.Description).ToList();
}
You can see that being built up in the concatenated
string within the search results along with the ContractId
and ContractNumber in the “way too hard” version in
Listing 1. I have created a DTO class in my solution called
SearchResults to easily capture that data.
What Filters Do Users Need?
The domain experts also shared a number of ways that
their users look for contracts. They want to search by
author name parts: first, last, or both names and they
shouldn’t need the full name to get a good result. For ex-
ample, it’s common that people can’t remember if my last
name has an “h” in it or not. They should be able search
for authors with last name L or Le. Or the other common
conundrum about my name: is it Julie or Julia? They can
search for Jul.
Because every new contract version imposes a timeframe
in which an author needs to respond, accepting or re-
jecting it, users may need to look for a contract whose
response date is coming up soon.
Applying DDD Thinking to Refactor Aggregate Filters 29
 During strategic design, discussions about searching for
contracts revealed that there are two reasons for search-
ing. One is to find a particular contract to examine it or
modify its details. The other is simply for building re-
ports. Reporting is a very different set of problems that’s
guaranteed to evolve and should (and will) be handled
separately from this solution. During strategic design, the
team was careful to keep the contract searches focused
on those searches needed for working on contracts.
One cross-over idea from the reporting system is that a
report will have a contract number on it, so a user with
access to a contract number may want to search on that
as well. I won’t be implementing every one of these fil-
ters, but they can all follow a similar pattern.
The SearchContext class (see Listing 2) is read only (No-
Tracking) with the SearchResult configured as having no
key.
But with these new classes, how are you to build LINQ
queries? The answer is that you won’t build any! Remem-
ber my earlier nod to the power of the database. You’ll
only be using the SearchContext to execute raw SQL and
capture results into SearchResult objects. You’ll see how
I’m doing this a bit further on.
You may also have wondered how you’d be able to search
within the Description property for names or dates. Again,
you won’t! The SearchResult is only there to capture data
coming back from the raw SQL queries.

Implementing a New Model What About the Bounded Context

and DbContext
We’ve already established that querying against the aggre-
gate using the DbContext designed for persisting the aggre-
gate is too hard. That’s for contract management. For search-
es, I’ll use the SearchResult DTO and a new SearchContext.
The SearchResult class is very simple. As described ear-
lier, it has three properties: KeyValue, Description, and
ContractNumber. The class is immutable and can only be
set by way of its public constructor. The private param-
eterless ctor is there for EF to materialize query results.
and Database?
An important point to understand is that this
SearchResult isn’t any type of aggregate. It’s a simple
model and it lives in the same bounded context as the
Contract aggregate. That also means that, by definition,
it accesses the same database that the ContractContext
interacts with. What do I mean when I say “by defini-
tion”? In DDD, you’re guided to have different databases
for each bounded context. But here, both the aggregate
and the SearchResult model are part of one bounded
context and therefore should be able to use a shared
database.

public class SearchResult Again, with this scenario, I have one DbContext for read-
{ ing and writing and another that only reads. Because the
public SearchResult(Guid key, second DbContext performs no writes and doesn’t even
string description,string contractNumber) perform LINQ queries, it has no bearing on the database
{ schema. The primary DbContext, ContractContext, will
KeyValue = key; be used with EF Core migrations to control the database
Description = description; schema. You should never use the SearchContext with mi-
ContractNumber = contractNumber; grations because EF Core would assume that the database
} has one single table with three columns and trash what
private SearchResult(){} was created by ContractContext.

public Guid KeyValue { get; private set; } As you are reading about having two different DbContexts
public string? Description in a single bounded context sharing the same database,
{ get; private set; } you may be wondering about the case of multiple ag-
public string? ContractNumber gregates each with their own DbContext in this scenario.
{ get; private set; } That’s not relevant to this article, but I do want to ad-
} dress the question. If you have two aggregates, you need
to find a balance where a single DbContext serves them
both and serves and controls a single database. If achiev-
Listing 2: The SearchContext class ing this is anything less than easy-peasy, that should
raise a red flag, yet again, that something is probably
public class SearchContext : DbContext wrong with your models or, more likely, that your deter-
{
public SearchContext
mination that they belong in the same bounded context
(DbContextOptions<SearchContext> options):base(options) was in error.
{
ChangeTracker.QueryTrackingBehavior =
QueryTrackingBehavior.NoTracking; What About Those Database Objects?
}
public DbSet<SearchResult> SearchResults => Here comes the fun part of the solution where it’s time
Set<SearchResult>(); to put on your database hat or find someone in your org
that wears one. Recall that I mentioned one view, one
protected override void OnModelCreating stored procedure, and one function. (Is anyone hearing a
(ModelBuilder modelBuilder)
{ George Thorogood song now?) The stored procedure may
modelBuilder.Entity<SearchResult>().HasNoKey(); seem complicated but for a database whiz, probably not.
} The hardest part will be formatting the SQL so that it’s
} readable in this article!

30 Applying DDD Thinking to Refactor Aggregate Filters codemag.com

Figure 3: The CurrentContractVersions view in the database
If the sproc is complicated, does that raise a red flag and
tell me I’m doing it wrong? To me, the answer is no. I’ll
be asking the database to do something it’s very good at
and my coded solution will be clean and easy to read. And
from a DDD perspective, that means it will be easier to
understand and maintain my code.
Based on the ContractContext, the database tables are
structured so that the contract highlights are in a Con-
tracts table and each version of the contract is in a Ver-
sions table. The Versions table also contains the data for
the SpecificationSet value object, thanks to EF Core’s
Owned Entities mapping. Because there could be multiple
authors (remember Author is also a value object) for a
version, there’s a third table, Version_Authors, that con-
tains the author data. If you’re curious about how my
mappings and migrations came up with this schema, I go
through that in detail in the above-mentioned Pluralsight
course. I’m aware that a collection of Value objects is
seen as an anti-pattern. I thought long and hard before
I decided to take this path. It’s a decision made based
on plenty of experience, so I’m comfortable with it. In
fact, it’s the first time I’ve ever designed an aggregate
that has a collection of value objects as a property of the
aggregate root.
Let’s start with the view. Why do you need a view? The da-
tabase schema is designed to persist the aggregate. Like
the LINQ query, I’ll have to dig through multiple tables
to find the data I need to build the query for the filter
and the results. By encapsulating the search details and
output details into a single view, queries will be much
simpler to build.
I thought it would be easier for you to comprehend the
view in designer mode as it’s displayed in Figure 3. You
can see which fields I’m extracting from which tables and
how those tables relate to one another. The SQL for the
view is captured in a migration file in the solution that
you can download. This gives me all of the fields I might
want to search on and all of the fields I need to output.
The view lists all versions of each contract (Figure 4)
and notes which ContractVersionId represents the current
codemag.com
version of a particular contract. Note that for space con-
sideration, the figure doesn’t display the full GUID values.
Explicit Sprocs or One to Rule
Them All?
I originally used different stored procedures to execute the
needed queries. That was tidy but it led to complexity in
the application because I had to have different methods
and different calls. It worked and felt nicely organized.
There was a lot of duplication in these procedures. I re-
moved some of it by encapsulating the creation of the
description string into a function. Otherwise, the only
differences were in the parameter lists and the WHERE
statements in each procedure’s subquery.
For example, to find contracts by author last name, there’s
a single parameter (@LastName) and the subquery is:
select currentversionid
from currentcontractversions
where left(LastName,len(trim(@LastName)))=
trim(@LastName)
To find contracts by date initiated, the sproc takes two
parameters, @initdatestart and @initdateend, with the
subquery:
select currentversionid
from CurrentContractversions
where
cast(dateinitiated as date)>=@initdatestart)
and cast(dateinitiated as date)<=@initdateend
Adding filters meant adding a new stored procedure and
then a new method in the search service to call that pro-
cedure. Lots of copy/pasting and the red flag came up
again!
I considered dynamic queries (which would have meant
embedding strings into the TSQL) and decided against
that because—eww—and that would introduce too many
complications. However, I really wanted to make things
Applying DDD Thinking to Refactor Aggregate Filters 31
 Figure 4: The output of the database view
simpler in the application and had to push the boundar-
ies of my TSQL skills to come up with a single stored
procedure. This may have been a simpler task for someone
more adept at TSQL, but I did a lot of due diligence to
ensure that I was making the best choice. I hope that
research led me (and as I pass this on to you) to the best
conclusion.
The stored procedure takes in all three parameters.
CREATE PROCEDURE GetContractsFlexTempTable
@LastName varchar(15),
@initdatestart varchar(20),
@initdateend varchar(20)
You can inspect the TSQL in the download to see the full
details but I will highlight some of them here.
There’s some trickery to deal with null dates, for example,
if you’re looking for a contract initiated after June 1 with
no end date. I am pre-creating converting the incoming
start and end dates to create values if they are null.
DECLARE @SDate DATETIME
DECLARE @EDate DATETIME
SET @SDate = ISNULL(@initdatestart, '19000101')
SET @EDate = ISNULL(@initdateend, GETDATE()+100)
And there’s some more trickery to set up a temporary ta-
ble in order to collect the key of any versions that match
the filter.
select currentversionid into #ContractSubSet from
CurrentContractversions WHERE 1=2
Then, using a series of IF statements, I insert rows into
the view using WHERE statements based on whether there
are values in any of the three parameters. That way, I can
combine Name and Date searches. I had to write each
of those filters explicitly. Here’s a bit of the procedure
where I’ve determined that there is a lastname filter but
no date filters.
IF @LastName IS NOT NULL
BEGIN
IF (@initdatestart is NULL and
@initdateend is NULL)
RQO\ÀOWHULQJRQODVWQDPH
INSERT INTO #ContractSubSet
SELECT currentversionid
FROM currentcontractversions
32 Applying DDD Thinking to Refactor Aggregate Filters
WHERE left(LastName,len(trim(@LastName)))
=trim(@LastName) ;
Finally, I execute one last query against that temporary
table where I concatenate all of the info needed in the
list. In other words, combining the date initiated, the
working title, and, using an aggregate function, the
names of any authors involved in that contract’s current
version. Again, I recommend perusing the TSQL if you are
interested in how I implemented it all.
SELECT groupednames.contractId as
KeyValue,[description],ContractNumber
FROM
(SELECT contractid,currentversionid,
dbo.BuildContractHighlights(various data)
AS [description],ContractNumber
FROM CurrentContractversions
WHERE currentversionid IN
(SELECT currentversionid
FROM #ContractSubSet)
GROUP BY various data) groupednames
With this procedure in place, the database now has a
single entry point—this one stored procedure that takes
in my three parameters. And I can always expand the
logic to add more parameters and filters. For some con-
text, the current version of this sproc is 57 lines. It isn’t
a beast. It just felt like it when I had to figure out how
to write it!
I’ve truly put all of the pain in the database into the
view, stored procedure, and function. And, thanks to this,
you’ll see that the code in my app is simple, readable,
and succinct.
Executing the Filters in the Application
Executing the stored procedure from the application is
achieved with the help of a SearchParams class that en-
capsulates all of the possible filter values you may need.
This can be expanded on as needed.
public class SearchParams
{
public SearchParams(string lastName,
string startDate, string endDate)
{
LastName=lastName=="" ? null:lastName;
StartDate=startDate== "" ? null:startDate;
EndDate = endDate== "" ? null:endDate;
}
codemag.com
 public string LastName { get; } Listing 3: The ContractFlexSearchService class
public string StartDate { get; }
public partial class ContractFlexSearchService
public string EndDate { get; }
{
} SearchContext _context;
static List<SearchResult> _results;
Your UI or API can populate this class and pass its values
along to the stored procedure call. In my sample applica- public ConractFlexSearchService(SearchContext context)
tion, I have a simple set of Razor pages in an ASP.NET {
_context = context;
Core website. The user can enter filter details into the
}
relevant text boxes—one for last name, one for start date, public List<SearchResult> SearchResults => results;
and one for end date—and then click a Filter button.
The razor page constructs a SearchParams object from the public async Task<List<SearchResult>> Service
form data and passes it on to a search service. There is (SearchParams sP)
also a Reset button that creates an empty SearchParams {
_results = _context.SearchResults
object. Here are the methods called when the buttons
.FromSqlInterpolated($"GetContractsFlexTempTable
are clicked. {sP.LastName},{sP.StartDate},{sP.EndDate}")
.ToList();
public async Task OnPostFilter() return _results;
{ }
var searchParams = new SearchParams }
(LastName, StartDate, EndDate);
ExecuteFilter(searchParams);
}

public async Task OnPostResetFilter()

{
var searchParams = new arams("", "", "");
ExecuteFilter(searchParams);
}

Both methods then pass their searchParams object to the

ExecuteFilter method, also in the Razor page.

private async Task ExecuteFilter

(SearchParams searchParams)
{
ContractHighlights =
await _service.CallService(searchParams);
} Figure 5: Flexible search filtered on Last Name and Start Date

The service call is in my ContractSearchFlexService class

shown in Listing 3. The original solution that used sepa- I owe a nod of thanks for some encouragement from a fel-
rate stored procs uses a ContractSearchService class, and low .NET developer (David Henley) in my original GitHub
you’ll see in the demo code that I added the word “Flex” repository for the Pluralsight course. His comment caused
to the assets that target the GetContractsFlexTempTable me to push myself to refactor the solution from the origi-
stored procedure. nal (with its many stored procedures and many API calls),
resulting in the handy SearchParams class and the super
Figure 5 shows an example of the Razor app using the simple ContractSearchFlexService class. And, as you prob-
flexible search where I’ve applied a name and start date ably know, getting to a happy place with a big refactor
filter, resulting in two of the sample data contracts to be really is fun!
displayed.
Julie Lerman
Beauty in Simplicity
Take a moment to gaze upon the beauty and simplic-
ity of the service class and its single method. Thanks
to the SearchParams class and the stored procedure
I created, I now have one single simple method. If I
need to add more filters, I can do that by expanding
the SearchParams class and the stored procedure. But
the service won’t need to change at all. The original
solution allowed only one filter at a time and its service
had separate methods for each filter as well as the “no
filter” option. I did refactor it to allow a single point of
entry to make it easy to use, but it’s a bit complicated to
maintain.

codemag.com Applying DDD Thinking to Refactor Aggregate Filters 33

 ONLINE QUICK ID 2309051
Developing Real-Time Web
Applications with Server-Sent
Events in ASP.NET 7 Core
For real-time web applications, Server-Sent Events (SSE) provide an alternative to WebSockets and long polling, allowing server-
side updates to be sent to clients without the need for clients to seek updates repeatedly. In this article, I’ll discuss how to build
real-time web applications with SSE in ASP.NET Core, including the core concepts of SSE, the features, benefits, and downsides
Joydip Kanjilal
[email protected]
Joydip Kanjilal is an MVP
(2007-2012), software
architect, author, and
speaker with more than
20 years of experience.
He has more than 16 years
of experience in Microsoft
.NET and its related
technologies. Joydip has
authored eight books,
more than 500 articles,
and has reviewed more
than a dozen books.
34 Developing Real-Time Web Applications with Server-Sent Events in ASP.NET 7 Core
of SSE, and how to implement real-time updates, etc. If
you’re to work with the code examples discussed in this
article, you’ll need the following installed in your system:
• Visual Studio 2022
• .NET 7.0
• ASP.NET 7.0 Runtime
If you don’t already have Visual Studio 2022 installed,
you can download it from here: https://visualstudio.mi-
crosoft.com/downloads/. The message format in SSE is defined by W3C. It should be
Introducing Server-Sent Events (SSE)
Server-Sent Events (SSE or Event Source) is a W3C standard
for real-time communication between servers and clients
over HTTP. With SSE, the server may provide the client with
real-time event-driven changes through an HTTP connec-
tion. SSE is a standardized push technology conceptualized
first in 2004 and included as part of the HTML5 specifica-
tion. It enables you to transmit notifications, messages,
and events from a server to a client over HTTP.
A protocol for streaming events, SSE is supported by the
majority of contemporary web browsers. These include
Edge, Firefox, Chrome, and Safari. SSE eliminates the need
to manually query the server or establish several connec-
tions to provide changes to the client by enabling uni-
directional, real-time communication between the server
and the client. Figure 1 demonstrates an overview of SSE
works.
The Server-Sent DOM Events are the SSE foundation. By
subscribing to events produced by a server using the Event-
Source interface, browsers may get alerts any time new
events occur. When an EventSource attempts to get data,
it accepts an HTTP event stream connection from a specific
URL and keep the connection open. A server-sent event is
one that is always pushed from the server to a web browser
rather than retrieved or requested.
Message Format
noted that the SSE data sent by a server to a client should
be in UTF-8 encoded format and have the following header:
Content-Type: text/event-stream
Cache-Control: no-cache
Connection: keep-alive
The data sent from the server to the client consists of
several messages, each separated by \n\n characters. A
field contains the following values:
• Data: Indicates the payload to be sent from the
server to the client
• Retry: Optional and indicates the time the client
will wait before it attempts for a reconnection in the
event of a connection drop
• Event: Represents the event type defined by the ap-
plication
• ID: Optional and represents the ID of the data trans-
mitted from the server to the client
An event consists of a set of colon-separated key/value
pairs, with each pair terminated by a new line. The event
itself is separated by two new line characters.
The following is a template for a message comprising a
single event:
id: <messageId>\n (optional)
event: <eventType>\n (optional)
data: <event data - plain text>\n (mandatory)
\n
\n
The response is a series of events separated by a \n char-
acter, as shown here:
event: [event type]\n
data: [message]\n\n
The following is an example of an SSE response:
HTTP/1.1 200 OK
Content-Type: text/event-stream
event: event-1
data: This is a sample text.
event: event-2
data: {"code": "p001", "quantity": 456}
Why Server-Sent Events?
Here are some of the key benefits of SSE in web applica-
tion development:
• Updates in real-time: SSE permits real-time com-
munication between the server and client. Instead
of the client continually querying the server for new
information, it enables the server to send changes
to the client as soon as they happen. For applica-
tions like live feeds, chat rooms, market tickers, and
alerts where quick updates are critical, this real-
time feature is essential.
• Simplicity: For server-to-client communication, SSE
offers a straightforward and lightweight protocol.
SSE offers a lower overhead than other real-time
technologies, such as WebSockets, and doesn't need
complicated handshakes or bidirectional communi-
cation. SSE messages are text-based, simple to read,
and easy to use.
• Reduced load on the server: SSE allows the server
to transmit updates to clients only when required,
reducing the workload on the server. This lessens
the need for clients to submit the server queries
frequently, which lowers server load and enhances
scalability. SSE is very effective for applications that
have a lot of customers and need server resource
optimization.
• Support for cross-origin communication: SSE
enables cross-origin communication, enabling the
client to get updates from several domains or ori-
gins. The ability to stream data from a server that
is housed on a different domain or subdomain is
handy in such situations. Cross-origin resource shar-
ing (CORS) guidelines are followed by SSE to enable
safe connection between several sources.
• Automatic reconnection: SSE connections are du-
rable and can reestablish themselves if they are lost
codemag.com
Figure 1: Server-Sent Events in action
as a result of network problems or server restarts.
In order to maintain an uninterrupted stream of up-
dates without user intervention, the client will make
an effort to reconnect the connection. A strong and
dependable communication route is offered by the
automatic reconnection capability.
• Browser compatibility: SSE is supported by the major-
ity of current web browsers, including Chrome, Firefox,
Safari, and Edge. It performs effectively in settings like
limited networks or outdated browser versions where
WebSockets may not be accessible or permitted. When
WebSockets are not practical for real-time communica-
tion, SSE may be used as an alternative.
• Seamless integration: SSE is simple to incorpo-
rate into current web applications without requiring
significant infrastructure modifications. It makes
use of the already-existing HTTP infrastructure and
doesn't call for any new network settings or unique
server configurations. A number of server-side tech-
nologies, such as ASP.NET Core, Node.js, Django, and
others, support SSE.
For real-time changes in web applications, Server-Sent
Events provide a simple and effective option. Without the
complexity of conventional real-time protocols, they let
developers create responsive and engaging experiences, in-
crease server effectiveness, and increase user engagement.
Key Features of SSE
Some of the best features include:
• Unidirectional communication: SSE offers a serv-
er-to-client unidirectional communication channel.
In this type of communication, the server can trans-
mit data to a connected client, but the client can-
not send data back to a server.
• Text-based protocol: Because SSE is a text-based
protocol, messages are sent via HTTP in plain text,
which makes it simpler to debug and comprehend.
Fields like "event," "data," and "id," which are sent
as a string of text lines in the form of event fields,
make up an SSE message.
• Real-time updates: SSE enables servers to trans-
mit updates depending on server events, allowing
servers to provide event-driven updates to clients
in real-time. A particular event name, data related
to the event, and, optionally, an identity that may
Developing Real-Time Web Applications with Server-Sent Events in ASP.NET 7 Core 35
 be given to the event are typically included in all
updates. The client can listen for specific events or
receive all events sent by the server.
• Connection persistence: SSE creates a durable
HTTP connection between the client and server that
endures for the same amount of time as the client.
SSE maintains the connection open to permit con-
tinuous data streaming in the future, contrary to
conventional HTTP requests, which are transient and
are closed when a response has been received.
• Resilient: Because SSE connections are robust, if
the connection is lost, SSE will automatically re-
establish the connection. As soon as they become
disconnected, clients will make an effort to rejoin to
the server, ensuring that updates continue to flow
consistently and seamlessly.
• Cross-origin support: Support for cross-origin com-
munication: SSE allows for the client to receive up-
dates from a domain or origin other than the web-
site to which it is linked. You can configure cross-
origin resource sharing (CORS) rules on the server to
control access and security.
How Do Server-Sent Events Work?
Server-Sent Events (SSE) establish a long-lived connec-
tion between a server and its connected client. Once
this connection is established, the server communicates
event-driven changes to the client over a single HTTP
connection. Thanks to the SSE connection management
layer and parsing algorithms, a server can submit new
events one by one while HTTP responses can remain open.
Here are the series of steps that outline how SSE works:
1. Server-Sent Events (SSE) establishes a persistent
connection between a server and its client.
2. Once this connection is established, the server com-
municates event-driven changes to the client over a
single HTTP connection. As soon as the SSE connec-
tion is established, the server can start sending SSE
events to the client.
3. Once the server receives an SSE request, it processes
the request. Once processing is over, the server re-
sponds with the appropriate SSE headers.
4. Next, the server sets the response headers to indi-
cate that SSE events will follow.
5. When the client receives the SSE event, it extracts
the event fields and takes appropriate action based
on the data received.
Polling vs. Long Polling vs.
WebSocket vs. Server Sent Events
There are several techniques for real-time communication
between clients and servers. Each of these techniques has
its own characteristics and use cases. Polling and Long
Polling are simple to use but they aren't as efficient as
WebSocket and Server-Side Events. Here's how these tech-
niques compare and contrast against each other.
Polling
• Polling involves a client sending requests to the server
at regular intervals to check if there are any updates.
• On receiving the request, the server responds with
new data if one is available or an empty response if
no data has been updated.
36 Developing Real-Time Web Applications with Server-Sent Events in ASP.NET 7 Core
• You can leverage simple AJAX requests and page
reloads to implement polling in your applications.
• Clients repeatedly request updates even when there
are none, resulting in unnecessary network traffic
and increased server load.
• This approach is suitable for scenarios where updates
are infrequent or a real-time response is not a priority.
Long Polling
• Long polling reduces unnecessary requests to the
server and enables near real-time updates compared
to regular polling.
• Servers hold requests open until an update is available
rather than responding immediately to a client request.
• The server responds when an update is available.
Then, the client sends a new request to keep the
connection alive.
• When no updates are available within a particular time-
frame, the server responds with an empty response. The
client sends a new request and continues listening.
• Although long polling reduces the frequency of re-
quests and enables a real-time response, it still in-
volves frequent connections and overhead due to
request/response cycles.
WebSocket
• WebSocket enables communication between servers
and consumers over a single, persistent, reliable,
and full-duplex connection.
• Web Socket is ideally suited for applications requir-
ing continuous data transfers, such as chat applica-
tions and collaboration tools.
• Due to server-side infrastructure requirements, Web-
Socket isn’t supported in all legacy or restricted
environments such as older browsers and certain
network configurations.
Server-Side Events
• SSE provides a lightweight, unidirectional approach
to server-client communication over HTTP.
• Contrary to WebSockets, communication between
server and client in server-sent events runs in only
one direction, from server to client.
• SSE enables real-time updates without the complex-
ity of WebSockets.
• SSE is well suited for scenarios where communica-
tion is unidirectional, i.e., the server needs to for-
ward updates to clients, such as news feeds, notifi-
cations, or real-time monitoring dashboards.
Use Cases
WebSockets provide bidirectional communication between a
server and a client, which makes them suitable for real-time
polling apps, chat apps, etc. Server-Sent Events support a
unidirectional communication between client and server.
This means that the messages are transmitted in single direc-
tion only, i.e., from server to client. They are often used for
push notifications, news feeds, and other similar purposes.
Implementing SSE
The server must inform the client that the content type
of the response should be text/event-stream. Upon estab-
lishing a connection between the server and client, the
server keeps it active until HTTP requests are received.
codemag.com
Unless a timeout occurs or there are no further events from the messages the shared location. The key advantage
to process, the connection remains open. If a timeout of this pattern is that the producer and the consumer are
occurs, the client can reconnect to the server using the decoupled and disconnected from one another, in other
built-in reconnection mechanism. Figure 2 illustrates a words, they don't have any knowledge of the other.
typical implementation of a SSE server and client.
Creating the View
The first step is connecting to an EventSource, which Replace the source code of the Index.cshtml file with the
is accomplished by initializing an EventSource instance source code given in Listing 2.
with the URL of the stream to connect to. Under the
hood, EventSource connects to the server by sending an
HTTP request. The server responds to the request with a
stream of event data having text/event-stream as the
content type. Until the server determines there’s no more
data to send, or until the client actively closes the con-
nection using EventSource.close, the connection between
the server and client persists. A keep-alive message can
be sent every minute or so to avoid a timeout.

Building a Simple Application Using

SSE in ASP.NET 7 Core
It’s time for writing some code. Let’s now examine how to
build a simple ASP.NET Core 7 Web API application using
GraphQL.

Create a New ASP.NET Core 7 Project in Visual Studio 2022

You can create a project in Visual Studio 2022 in several
ways. When you launch Visual Studio 2022, you'll see the
Start window. You can choose "Continue without code"
to launch the main screen of the Visual Studio 2022 IDE. Figure 2: An implementation of SSE

To create a new ASP.NET Core 7 Project in Visual Studio

2022: Listing 1: The HomeController Class
using Microsoft.AspNetCore.Mvc;
1. Start the Visual Studio 2022 IDE. using System.Collections.Concurrent;
2. In the “Create a new project” window, select “ASP. using System.Text;
NET Core Web-App (Model-View-Controller)” and click using System.Text.Json;
Next to move on. namespace SSE_Demo.Controllers
3. Specify the project name as SSE_Demo and the path {
where it should be created in the “Configure your public class HomeController : Controller
{
new project” window. private readonly BlockingCollection<string> _producerConsumerCollection = new
4. If you want the solution file and project to be cre- BlockingCollection<string>();
ated in the same directory, you can optionally check public HomeController()
{
the “Place solution and project in the same direc- for (int i = 0; i < 10; i++)
tory” checkbox. Click Next to move on. {
5. In the next screen, specify the target framework and _producerConsumerCollection.Add(string.Format("The product code is: {0}\n",
Guid.NewGuid().ToString()));
authentication type as well. Ensure that the "Config- }
ure for HTTPS," and "Enable Docker Support" check- }
boxes are unchecked because you won’t use any of public ActionResult Index()
{
these in this example. return View();
6. Leave the “Do not use top-level statements” check- }
public ActionResult About()
box unchecked. {
7. Click Create to complete the process. return View();
}
public ActionResult GetMessage()
Creating the Controller {
Listing 1 contains the complete source code of the var result = string.Empty;
HomeController.cs file. var stringBuilder = new StringBuilder();
if (_producerConsumerCollection.TryTake(out result, TimeSpan.
In the code example given in Listing 1, the HomeCon- FromMilliseconds(1000)))
troller class uses a BlockingCollection to store items. A {
var serializedData = JsonSerializer.Serialize(new { message = result });
BlockingCollection is a thread-safe collection that follows stringBuilder.AppendFormat("data: {0}\n\n", serializedData);
the producer-consumer pattern and enables items to be }
added or removed from the collection concurrently. In a
return Content(stringBuilder.ToString(), "text/event-stream");
typical Producer Consumer pattern, the producer is respon- }
sible for generating messages and storing them in a shared }
location. You can then have multiple consumers reading }

codemag.com Developing Real-Time Web Applications with Server-Sent Events in ASP.NET 7 Core 37
 JOIN US at the 2ND ANNUAL

OCT 3-5, 2023 • MGM GRAND LAS VEGAS

CHARLES LAMANNA HEATHER COOK JULIE STRAUSS NIRAV SHAH

Corporate Vice President, Business Principal PM Manager, Dynamics General Manager, Power Platform Vice President, Microsoft
Applications & Platform, Microsoft 365 & Power Platform Pro Developer & Dataverse, Microsoft
Community Success, Microsoft Admin Experiences, Microsoft

RYAN CUNNINGHAM SANGYA SINGH STEPHEN SICILIANO KENDRA SPRINGER

Vice President Microsoft Power Apps, Vice President of Product, Vice President, Power Principal Design Lead for Power
Microsoft Power Pages. Microsoft Automate, Microsoft Virtual Agents and Conversational
AI, Microsoft

Opening Keynote & Attendee Party in Iconic Grand Garden Arena

• 156 In-Depth Sessions
• 5 Cutting Edge Keynotes
• 21 In-Depth Optional Workshops
• Community Power Platform Area
• Tuesday Evening Attendee Party
• Wednesday Evening Meetups

PowerPlatformConf.com #MPPC23
 Announcing Thursday’s Featured Guest Keynote

Adam Grant
Organizational psychologist at Wharton,
bestselling author of Think Again, and
host of the podcasts WorkLife & Re:Thinking

Full Conference Oct 3 – 5 with Optional Full Day

Deep Dive Workshops Oct 1, 2 & 6
Sunday, October 1, 2023
• 1 Day Dynamics 365
Marketing Training
• Build a Modern App with
Power Apps
• Learn How to Build PCF Controls
to Give Low-Code App Makers
Even More Power!
• Power Platform + List Formatting
Integrations Master Class
• Power Platform Administration
and Governance
• The New and Improved! PVA
Chatbot in a Day
• Using Human-Centered Design
Principles to Build Engaging
Solutions Across the
Power Platform
Monday, October 2, 2023
• Build an Immersive Customer Experience
Portal Using Power Pages
• Dataverse Essentials: Enabling Citizen &
Low-Code Makers to Build Your Next
Scalable Business Apps
• Empowering Robotic Process Automation
Enthusiasts: Harnessing the Potential of
Power Automate
• Everything You Wanted to Know About
Power BI... But Were Afraid to Ask!
• Build, Deploy, and Scale Power Apps!
• Power Platform Makeover: Designing
Pretty, Performant and Intuitive Solutions
• Unleash Your Inner App-Builder: Create a
Fully-Functional Inventory Management
App in One Day!
Friday, October 6, 2023
• Build Your Own Intelligent BOT
Using the New Power Virtual Agents
Authoring Canvas!
• Day After Dashboard in a Day with
Microsoft Fabric
• Empowering Makers: Exploring Copilot/
AI Capabilities in the Power Platform
• Mastering Model-Driven Power Apps:
From Beginner to App Maker
• Power Automate Cloud Flows
Hands-on Workshop
• Power Pages Advanced Workshop
• Power Up Skills with Power BI
• Unlocking EfÀciency and Automation
Potential With Power Automate
Process Mining

Register Today with Discout Code: CODEAD100

(Discount is for New Registrations Only. Not Retroactive)
 The EventSource instance establishes a persistent connec-
tion to an HTTP server in order to receive these events sent
by the server in a text/event-stream format. The connection
between the client and the server will stay open until closed
by calling the EventSource.close() method. When you ex-
ecute the application, the product codes generated by your
controller will be displayed in the user interface. Figure 3
shows the product codes as displayed in the web browser.
Building a Real-Life Application
Using SSE in ASP.NET Core 7
In this section, we’ll examine how to build an application
that sends out notifications to the connected clients at
regular intervals of time. A scheduler runs in the back-
ground and pulls records from the database at pre-defined
intervals of time. This data is then pushed to the connect-
ed clients using SSE. Figure 4 captures the complete flow.

Listing 2: The Index.cshtml file Now that we know the flow of the application, let’s exam-
@{ ine the components of the application.
ViewBag.Title = "Home Page";
} Application Components
<script>
function display() { In this application, there are three projects involved:
var source = new EventSource('/home/getmessage');
var ul = document.getElementById("sse"); • SSE_Server
source.onmessage = function (e) { • SSE_Client
var li = document.createElement("li");
var retrievedData = JSON.parse(e.data) • SSE_Scheduler
li.textContent = retrievedData.message;
ul.appendChild(li); Figure 5 shows the components of the application together
}
} with the classes and interfaces used to build the components.
window.addEventListener("DOMContentLoaded", display, false);
</script> As evident from their names, SSE_Server is the server proj-
<ul id="sse">
</ul> ect that sends out messages when requested for all con-
nected clients. SSE_Client is the client project that con-
nects to the server to retrieve messages. SSE_Scheduler is
used to send data to the server at regular intervals of time.

After a client has established a connection with the serv-

er, it calls the Subscribe method of the server to subscribe
to notifications. Once this process is successful, the cli-
ent can invoke either the GetMessage(id) to retrieve a
message pertaining to a particular client or the GetMes-
sages() method to retrieve all messages from the server.

In the sections that follow, you’ll create the classes and

interfaces for each of these projects mentioned earlier. I’ll
mention the class and interface names together with the
name of the project they belong to.

Create the Notification Class (SSE_Scheduler)

Create a new class named Notification in a file having the same
Figure 3: The product codes generated by the controller are displayed in the web browser. name with a .cs extension and write the following code in there:

public class 1RWLÀFDWLRQ

{
public string Id { get; set; }
public string Message { get; set; }
public DateTime MessageTime
{ get; set; } = DateTime.Now;
}

Create the INotificationRepository Interface (SSE_Scheduler)

Create a new .cs file named INotificationRepository in
your project and replace the default generated code with
the following code snippet:

public interface ,1RWLÀFDWLRQ5HSRVLWRU\

{
public7DVN/LVW1RWLÀFDWLRQ!!*HW1RWLÀFDWLRQV 
public7DVN1RWLÀFDWLRQ!
*HW1RWLÀFDWLRQ(string Id);
public Task $GG1RWLÀFDWLRQ
 1RWLÀFDWLRQQRWLÀFDWLRQ 
Figure 4: The complete flow of the custom Notification Application }

40 Developing Real-Time Web Applications with Server-Sent Events in ASP.NET 7 Core codemag.com
Create the NotificationRepository Class (SSE_
Scheduler)
The NotificationRepository class implements the methods
of the INotificationRepository interface. Create a new
class named NotificationRepository in a file having the
same name with a .cs extension. Now write the source
code given in Listing 3 in there.

Register the NotificationRepository instance (SSE_Scheduler)

The following code snippet illustrates how an instance
of type INotificationRepository is added as a singleton
service to the IServiceCollection.

builder.Services.AddSingleton
,1RWLÀFDWLRQ5HSRVLWRU\
1RWLÀFDWLRQ5HSRVLWRU\! 

You’ll now create a hosted service in the scheduler project that

reads messages from the repository and pushes them to the
server after every n seconds. In this example, the value of n
is hard-coded as 60. You can change it per your requirements.

Create the Hosted Service (SSE_Scheduler)

To create a custom hosted service, create a class that
implements the IHostedService interface. It should con-
tain definitions for the StartAsync and StopAsync meth-
ods. Listing 4 shows the complete source code of the
CustomHostedService class. Figure 5: The components of the application

Register the CustomHostedService instance

The following code snippet illustrates how the hosted ser- public interface ICustomMessageQueue
vice is registered. {
void Register(string id);
builder.Services.AddHostedService void Deregister(string id);
<CustomHostedService>(); ICollection<string> Keys { get; }
IAsyncEnumerable<string>
The Program.cs file (SSE_Scheduler) DequeueAsync(string id,
Because you’re using ASP.NET Core 7 in this example, all code CancellationToken
necessary to add services to the container and configure the cancelToken = default);
request processing pipeline should reside in the Program.cs IAsyncEnumerable<string>
file. Listing 5 shows the complete source code of the Pro- DequeueAsync(CancellationToken
gram.cs file of the SSE_Scheduler project for your reference. cancelToken = default);
7DVN(QTXHXH$V\QF 1RWLÀFDWLRQ
Create the Message Queue (SSE_Server) QRWLÀFDWLRQ&DQFHOODWLRQ7RNHQ
The following code snippet shows the ICustomMessage- cancelToken);
Queue interface: }

Listing 3: The NotificationRepository Class

public class 1RWLÀFDWLRQ5HSRVLWRU\ : ,1RWLÀFDWLRQ5HSRVLWRU\
{ public async7DVN/LVW1RWLÀFDWLRQ!!*HW1RWLÀFDWLRQV
private/LVW1RWLÀFDWLRQ! {
BQRWLÀFDWLRQV new/LVW1RWLÀFDWLRQ!  return await7DVN)URP5HVXOW BQRWLÀFDWLRQV 
}
public 1RWLÀFDWLRQ5HSRVLWRU\()
{ public async7DVN1RWLÀFDWLRQ!*HW1RWLÀFDWLRQ(string Id)
BQRWLÀFDWLRQV$GG new1RWLÀFDWLRQ {
{ return await7DVN)URP5HVXOW BQRWLÀFDWLRQV
Id = "1", FirstOrDefault(x => x.Id == Id));
Message = 7KLVLVWKHÀUVWPHVVDJH, }
MessageTime = DateTime.Now
}); public async Task $GG1RWLÀFDWLRQ
 1RWLÀFDWLRQQRWLÀFDWLRQ
BQRWLÀFDWLRQV$GG new1RWLÀFDWLRQ {
{ BQRWLÀFDWLRQV$GG QRWLÀFDWLRQ 
Id = "2", }
Message = "This is the second message", }
MessageTime = DateTime.Now
});
}

codemag.com Developing Real-Time Web Applications with Server-Sent Events in ASP.NET 7 Core 41
 Listing 4: The CustomHostedService Class
public sealed class CustomHostedService : *HW1RWLÀFDWLRQV 5HVXOW
IHostedService, IAsyncDisposable
{ IRUHDFK YDUQRWLÀFDWLRQLQQRWLÀFDWLRQV
private readonly {
,1RWLÀFDWLRQ5HSRVLWRU\ LI QRWLÀFDWLRQ,V3URFHVVHG
BQRWLÀFDWLRQ5HSRVLWRU\ {
private Timer? _timer; HttpContent body =
public CustomHostedService new StringContent(JsonSerializer.
 ,1RWLÀFDWLRQ5HSRVLWRU\QRWLÀFDWLRQ5HSRVLWRU\ 6HULDOL]H QRWLÀFDWLRQ 
 !BQRWLÀFDWLRQ5HSRVLWRU\ QRWLÀFDWLRQ5HSRVLWRU\ Encoding.UTF8, "application/json");
YDUUHVSRQVH FOLHQW3RVW$V\QF DSLQRWLÀFDWLRQ
public async Task StartAsync "postmessage", body).Result; }
(CancellationToken cancellationToken) }
{ }
_timer = new Timer(SendMessage, null, public async Task StopAsync
TimeSpan.Zero, TimeSpan.FromSeconds(60)); (CancellationToken cancellationToken)
} {
private void SendMessage(object? state) await Task.Delay(TimeSpan.FromSeconds(60), cancellationToken);
{ }
using var client = new HttpClient(); public async ValueTask DisposeAsync()
new Uri("http://localhost:5101/" + {
DSLQRWLÀFDWLRQ  _timer.Dispose();
YDUQRWLÀFDWLRQV  }
QRWLÀFDWLRQ5HSRVLWRU\ }

Listing 5: The Program.cs file of SSE_Scheduler Project

var builder = WebApplication.CreateBuilder(args); <CustomHostedService>();
var app = builder.Build();
// Add services to the container.
&RQÀJXUHWKH+773UHTXHVWSLSHOLQH
builder.Services.AddControllers();
app.UseAuthorization();
builder.Services.AddSingleton
,1RWLÀFDWLRQ5HSRVLWRU\ app.MapControllers();
1RWLÀFDWLRQ5HSRVLWRU\! 
builder.Services.AddHostedService app.Run();

Listing 6: The CustomMessageQueue Class

public class CustomMessageQueue : ICustomMessageQueue $"Error encountered " +
{ $"when adding a new message to the queue."); );
private ConcurrentDictionary }
<string, Channel<string>> else
_concurrentDictionary; {
await channel.Writer.
public CustomMessageQueue() :ULWH$V\QF QRWLÀFDWLRQ
{ Message, cancelToken);
_concurrentDictionary = }
new ConcurrentDictionary<string, }
Channel<string>>();
} public IAsyncEnumerable<string>
DequeueAsync(string id,
public void Register(string id) CancellationToken cancelToken = default)
{ {
bool success = bool success =
_concurrentDictionary.TryAdd _concurrentDictionary.TryGetValue
(id, Channel.CreateUnbounded<string>()); (id, out Channel<string> channel);
if (!success) if (success)
{ {
throw new ArgumentException return channel.Reader.
($"The client Id {id} is already registered"); ReadAllAsync(cancelToken);
} }
} else
{
public ICollection<string> Keys throw new ArgumentException
{ ($"The client Id {id} isn't registered");
get { return _concurrentDictionary.Keys; } }
} }
public void Deregister(string id)
{ public async IAsyncEnumerable<string> DequeueAsync(CancellationToken
_concurrentDictionary.TryRemove(id, out _); cancelToken = default)
} {
IAsyncEnumerable<string> result;
public async Task EnqueueAsync
1RWLÀFDWLRQQRWLÀFDWLRQ foreach (var keyValuePair in
CancellationToken cancelToken) _concurrentDictionary)
{ {
bool success = _concurrentDictionary.TryGetValue( await foreach (string str in DequeueAsync(keyValuePair.Key,
QRWLÀFDWLRQ,G cancelToken))
out Channel<string> channel {
); yield return str;
}
if (!success) }
{ }
throw new ArgumentException( }

42 Developing Real-Time Web Applications with Server-Sent Events in ASP.NET 7 Core codemag.com
 Listing 7: The Subscribe Method
public async Task<IActionResult> Subscribe(string id) await foreach (var message
{ in _messageQueue.DequeueAsync
Response.StatusCode = 200; (id, HttpContext.RequestAborted))
Response.Headers.Add("Cache-Control", "no-cache"); {
Response.Headers.Add("Connection", "keep-alive"); await streamWriter.WriteLineAsync
Response.Headers.Add("Content-Type", ($"Message received: " +
"text/event-stream"); $"{message} at {DateTime.Now}");
await streamWriter.FlushAsync();
try }
{ }
1RWLÀFDWLRQQRWLÀFDWLRQ  catch (Exception ex)
new1RWLÀFDWLRQ  {
QRWLÀFDWLRQ,G LG return BadRequest(ex.Message);
QRWLÀFDWLRQ0HVVDJH $"Subscribed to" + }
$" client {id}"; ÀQDOO\
_messageQueue.Register(id); {
StreamWriter streamWriter = _messageQueue.Deregister(id);
new StreamWriter(Response.Body); }
await _messageQueue.EnqueueAsync
 QRWLÀFDWLRQ return Ok();
HttpContext.RequestAborted); }

The CustomMessageQueue class implements the methods Listing 8: The PostMessage Action Method
of the ICustomMessageQueue interface. The code list- public async Task<IActionResult> PostMessage
ing given in Listing 6 shows the CustomMessageQueue >)URP%RG\@1RWLÀFDWLRQQRWLÀFDWLRQ
class. {
try
{
Install NuGet Package(s) BPHVVDJH4XHXH5HJLVWHU QRWLÀFDWLRQ,G 
So far so good. The next step is to install the necessary await _messageQueue.EnqueueAsync
NuGet Package(s). To install the required packages into QRWLÀFDWLRQ+WWS&RQWH[W5HTXHVW$ERUWHG 
your project, right-click on the solution and the select return Ok();
}
Manage NuGet Packages for Solution…. Now search for catch (Exception ex)
the package named Lib.AspNetCore.ServerSentEvents in {
the search box and install it. Alternatively, you can type return BadRequest(ex.Message);
the command shown below at the NuGet Package Manager }
Command Prompt: }

PM> Install-Package
Lib.AspNetCore.ServerSentEvents

Alternatively, you can install these packages by executing

the following commands at the Windows Shell:

dotnet add package

Lib.AspNetCore.ServerSentEvents

Create the NotificationController Class (SSE_Server)

The NotificationController provides action methods that
clients can invoke. A client can subscribe to the server to
receive messages. The following code snippet shows the
Subscribe method that accepts a client ID as a parameter. Figure 6: The SSE Client having Id 1 is now subscribed to receive messages from the server.

Listing 9: The GetMessage(string) Action Method

public async Task<IActionResult> GetMessage(string id) }
{ }
Response.ContentType = "text/event-stream"; catch (Exception ex)
{
try return BadRequest(ex.Message);
{ }
StreamWriter streamWriter = ÀQDOO\
new StreamWriter(Response.Body); {
await foreach (var message in _messageQueue.Deregister(id);
_messageQueue.DequeueAsync }
(id, HttpContext.RequestAborted))
{ return Ok();
await streamWriter.WriteLineAsync }
($"{DateTime.Now} {message}");
await streamWriter.FlushAsync();

codemag.com Developing Real-Time Web Applications with Server-Sent Events in ASP.NET 7 Core 43
 Listing 10: The GetMessages Action Method
public async Task<IActionResult> GetMessages() _messageQueue.DequeueAsync())
{ {
Response.Headers.Add("Content-Type", await streamWriter.WriteLineAsync
"text/event-stream"); ($"{DateTime.Now} {message}");
Response.Headers.Add("Cache-Control", await streamWriter.FlushAsync();
"no-cache"); }
Response.Headers.Add("Connection",
"keep-alive"); return Ok();
Response.StatusCode = 200; }
catch (Exception ex)
try {
{ return BadRequest(ex.Message);
StreamWriter streamWriter = }
new StreamWriter(Response.Body); }
await foreach (var message in

Listing 11: The NotificationController Class

[Route("api/[controller]")] {
[ApiController] StreamWriter streamWriter =
public class 1RWLÀFDWLRQ&RQWUROOHU : ControllerBase new StreamWriter(Response.Body);
{ await foreach (var message
private readonly ICustomMessageQueue _messageQueue; in _messageQueue.DequeueAsync(id))
public 1RWLÀFDWLRQ&RQWUROOHU {
(ICustomMessageQueue messageQueue) await streamWriter.WriteLineAsync(
{ $"Client Id: {id} Message: {message}" +
_messageQueue = messageQueue; $" Time: {DateTime.Now}");
} await streamWriter.FlushAsync();
}
[HttpGet("subscribe/{id}")] }
public async Task<IActionResult> Subscribe(string id) catch (Exception ex)
{ {
Response.StatusCode = 200; return BadRequest(ex.Message);
Response.Headers.Add("Cache-Control", }
"no-cache"); ÀQDOO\
Response.Headers.Add("Connection", {
"keep-alive"); _messageQueue.Deregister(id);
Response.Headers.Add("Content-Type", }
"text/event-stream");
return Ok();
try }
{
1RWLÀFDWLRQQRWLÀFDWLRQ new1RWLÀFDWLRQ  [HttpGet("getmessages")]
QRWLÀFDWLRQ,G LG public async Task<IActionResult> GetMessages()
{
QRWLÀFDWLRQ0HVVDJH $"Subscribed to " + Response.Headers.Add("Content-Type", "text/event-stream");
$"client {id}"; Response.Headers.Add("Cache-Control", "no-cache");
Response.Headers.Add("Connection", "keep-alive");
_messageQueue.Register(id); Response.StatusCode = 200;
StreamWriter streamWriter =
new StreamWriter(Response.Body); try
await _messageQueue.EnqueueAsync {
QRWLÀFDWLRQ+WWS&RQWH[W5HTXHVW$ERUWHG  StreamWriter streamWriter =
new StreamWriter(Response.Body);
await foreach ( await foreach (var message in
var message in _messageQueue.DequeueAsync _messageQueue.DequeueAsync())
(id, HttpContext.RequestAborted) {
) await streamWriter.WriteLineAsync
{ ($"{DateTime.Now} {message}");
await streamWriter.WriteLineAsync await streamWriter.FlushAsync();
($"Message received: {message} at {DateTime.Now}"); }
await streamWriter.FlushAsync();
} return Ok();
} }
catch (Exception ex) catch (Exception ex)
{ {
return BadRequest(ex.Message); return BadRequest(ex.Message);
} }
ÀQDOO\ }
{
_messageQueue.Deregister(id); [HttpPost]
} [Route("[action]")]
public async Task<IActionResult>
return Ok(); PostMessage >)URP%RG\@1RWLÀFDWLRQQRWLÀFDWLRQ
} {
try
[HttpGet("getmessage/{id}")] {
public async Task<IActionResult> BPHVVDJH4XHXH5HJLVWHU QRWLÀFDWLRQ,G 
GetMessage(string id) await _messageQueue.EnqueueAsync
{ QRWLÀFDWLRQ+WWS&RQWH[W5HTXHVW$ERUWHG 
Response.StatusCode = 200; return Ok();
Response.Headers.Add("Cache-Control", }
"no-cache"); catch (Exception ex)
Response.Headers.Add("Connection", {
"keep-alive"); return BadRequest(ex.Message);
Response.Headers.Add("Content-Type", }
"text/event-stream"); }
}
try

44 Developing Real-Time Web Applications with Server-Sent Events in ASP.NET 7 Core codemag.com
 Listing 12: The Program.cs file of the SSE Console Client Application
HttpClient client = new HttpClient();
client.Timeout = TimeSpan.FromSeconds(60);
string url = $"http://localhost:5101/" +
DSLQRWLÀFDWLRQVXEVFULEH;
while (true)
{ }
try
{ catch (Exception ex)
Console.WriteLine("Establishing connection" +
" with the server.");
using (var streamReader =
new StreamReader(await client.GetStreamAsync(url)))
It then creates an instance of the Notification class and
populates it with the client ID and a text message. This
message is sent to the client to inform that it has been
successfully subscribed to the server. The EnqueueAsync
method is used to register the client.
Listing 7 shows the source code of the Subscribe action
method.
The Scheduler posts messages to the server at pre-defined
intervals of time by calling the PostMessage action meth-
od. Listing 8 contains the source code of the PostMes-
sage action method.
Refer to the GetMessage(string id) and GetMessages()
methods. Although the GetMessage(string id) method
is used to retrieve message pertaining to a registered
client, the GetMessages() method returns all messag-
es pertaining to all clients available in the message
queue.
Listing 9 contains the code listing for the GetMessage
(string id) method. Listing 10 shows the GetMessages()
method that returns all messages in the message queue.
Listing 11 provides the complete source code of the Noti-
ficationController class.
Create a New Console Application Project in Visual
Studio 2022
Let's create a console application project in Visual Studio
2022 that you'll use for building the client application.
When you launch Visual Studio 2022, you'll see the Start
window. You can choose Continue without code to launch
the main screen of the Visual Studio 2022 IDE.
To create a new Console Application project in Visual Stu-
dio 2022 Preview:
1. Start Visual Studio 2022.
2. In the Create a new project window, select Console
App, and click Next to move on.
3. Specify the project name as SSE_Client and the path
where it should be created in the Configure your new
project window.
4. If you want the solution file and project to be cre-
ated in the same directory, you can optionally check
the Place solution and project in the same directory
checkbox. Click Next to move on.
5. In the next screen, specify the target framework you
would like to use for your console application.
6. Click Create to complete the process.
codemag.com
{
while (!streamReader.EndOfStream)
{
var message =
await streamReader.ReadLineAsync();
Console.WriteLine(message);
}
}
{
throw;
}
}
Figure 7: The text message for client 1 is displayed at the console window of the SSE_
Client project.
Create a Console Client (SSE_Client)
The code given in Listing 12 shows the console client
that would be used to connect to the SSE service, retrieve
messages, and then display them at the console window.
Executing the Application
Start the SSE_Server project followed by the SSE_Client
console project. Figure 6 shows how the client has sub-
scribed to receive messages from the server.
Change the URL in the console project to the following:
string url = $"http://localhost:5101/" +
DSLQRWLÀFDWLRQJHWPHVVDJH
Now, run the three projects SSE_Server, SSE_Scheduler,
and SSE_Client in this order.
Figure 7 shows the message for client 1 displayed at the
console.
Conclusion
SSE enables you to send notifications from an SSE server
to the connected clients whenever an event occurs. Con-
trary to traditional polling techniques, SSE is beneficial
because the server notifies the connected clients only
when an event occurs. If you need bidirectional commu-
nication between a server and its clients, you should use
WebSockets instead.
Joydip Kanjilal
Developing Real-Time Web Applications with Server-Sent Events in ASP.NET 7 Core 45
 ONLINE QUICK ID 2309061
Getting Started with AI Copilots
in Your Own Applications
Applications without Copilots are now legacy! I have now made this statement on a number of occasions, and it’s become
somewhat of a battle-cry within the CODE organization. Some might find the statement a bit strong or premature, but I feel
that as we push forward, this is indeed how we have to approach software development from now on. How did we get here?
Markus Egger
[email protected] about is artificial intelligence! I’ve explained generative AI
Markus is the founder and
publisher of CODE Magazine
and is EPS President and
Chief Software Architect.
He is also a Microsoft RD
(Regional Director) and the
one of the longest (if not THE
longest) running Microsoft
MVP (Most Valuable Profes-
sional). Markus is also a
renowned speaker and author.
Markus’ client list contains
some of the world’s larg-
est companies, including
many on the Fortune 500.
Markus has been published
extensively including MSDN
Magazine, Visual Studio
Magazine, his own CODE
Magazine, and much more.
Markus focuses on develop-
ment in .NET (Windows,
Web, Windows Phone, and
WinRT) as well as Android
and iOS. He is passionate
about overall application
architecture, SOA, user
interfaces, general develop-
ment productivity, and
building maintainable and
reusable systems.
46 Title article
Just a few months ago it seems that statements like this
would not only have been preposterous, but nobody would
have even known what I’m talking about. Then, OpenAI
released ChatGPT at the end of November 2022 and GPT-4
in March of 2023. These artificial intelligence (AI) products
not only took most of the tech world by surprise, but they
captured the imagination of people who normally don’t
take an interest in software products. All of a sudden, I’d
go to a BBQ with people who had no connection to the
software industry, and all they would want to talk to me
code application needs to be created, you can have the AI
to retired people, hairdressers, and journalists. I’ve held ex-
ecutive briefings showing some of America’s largest compa-
nies how this technology can elevate what they are doing.
It seems to not matter how technical a person is; everyone
is fascinated by AI (and at times, also a little afraid).
I haven’t seen anything like this since the earlier days
of the internet, except this happened much faster. Much
faster! In fact, ChatGPT is the fastest adopted product
of all times (at least outside of China) gaining millions
of users in a matter of days. Yet one can argue whether
it’s even a “product” or whether it’s “just a tech demo.”
Perhaps the truth lies somewhere in between.
Whatever the case may be, one thing is clear: ChatGPT as
a product is not the grand vision. Instead, the technol-
ogy of what powers ChatGPT—the large language models
(LLMs) that OpenAI created—are the basis for a com-
pletely new generation of software that, for the first time
in any modern developer’s career, completely changes how
we write programs and interact with computers. We move
from a model of clear and unambiguous instructions that
we code into software and that results in very predictable
and meticulously orchestrated results, to a fuzzier, but
orders of magnitude, more powerful paradigm. We now
interact with software much more like we would interact
with a human. The interaction is rich and powerful, but
also, at times, somewhat unpredictable.
Many Copilot/AI features in modern
applications would have been
considered science fiction just
a few months ago.
It isn’t just my friends and neighbors who got inspired by
this rapid new development. Microsoft is invested in OpenAI
and has to be given a lot of credit for seeing the poten-
tial in LLMs. Microsoft is the first company to use this new
paradigm and places LLMs at the base of pretty much any
upcoming Microsoft product, whether you are an Office user,
or whether you are a system administrator concerned with
security, or anything in between. For instance, you’ll be able
to use AI built into MS Teams to provide you with a sum-
mary of a meeting you missed. You can then have the same
AI create a to-do list based on the decisions made in that
meeting. You can also have that UI create a PowerPoint pre-
sentation or a Word document based on what was discussed.
Perhaps if one of the discussion points was that a new low-
create a Power Platform application that satisfies the crite-
ria. And most of the time, the AI will be able to do it better
than most human users. And if not, then you either interfere
by hand or ask the AI to change something. You can do all
of that in plain English or any other language of your choice.
We refer to this approach as an AI “Copilot.” The AI is not
autonomous. The AI does not take over. But it’s always
there to assist you and do what you want, even if you’re
not a programmer or don’t even express yourself particu-
larly well or accurately. Welcome to the Age of Copilot!
This may sound like science fiction, and half a year ago it
would have been, but this is now concrete reality.
Copilots are not only for Microsoft applications. Copilots
are a new application paradigm (just like Windows was
once a new paradigm over command line interfaces or the
web was a new paradigm over desktop apps). It’s hard to
imagine an application that can’t benefit from the Copi-
lot paradigm. Having built a number of business applica-
tions with Copilot features, I can testify to the enormous
productivity increase this provides. (Even though we are
arguably just scratching the surface.) Applications sup-
porting this new paradigm have a considerable benefit
over apps that don’t. Conversely, applications that do not
have such features, even if they’re dominant players in
their market segments today, will find themselves leap-
frogged and made obsolete. It’s an enormous opportunity
but can be a great danger for those who “miss the boat.”
It’s an enormous opportunity
but can be a great danger
for those who “miss the boat.”
And that’s why we consider applications without Copi-
lot features to be legacy applications. The good news
is that it’s often not all that hard to add Copilot fea-
codemag.com
tures to existing applications (unlike previous paradigm
shifts, where we had to abandon DOS-based apps when
we moved to Windows, and then abandoned them again
when we moved to the Web, and then do it all over again
for Mobile apps). In this article, I aim to explain some of
the basics that are required to engage in this journey as
a developer. Just like Windows development couldn’t be
explained in a single article to a mainframe developer, I
won’t be able to explain this type of AI-driven develop-
ment in a single article. However, I hope to at least give
you a solid start.
I also invite you to check out many of the other resources
we make available, such as our free State of .NET and
CODE Presents webinars, our training videos and classes,
CODE Executive Briefings (www.codemag.com/Executiv-
eBriefing), as well as our blog on www.codemag.com/
blog, which all cover many of these topics. And feel free
to email me (or CODE in general:
[email protected]
). to send some text to the model and ask it to “complete
It all starts with understanding OpenAI.
Getting Started with (Azure) OpenAI
In the July/August 2023 issue of CODE Magazine, Sahil
Malik and Wei-Meng Lee both wrote articles explaining
the fundamentals of OpenAI’s large language models
(LLMs) and even showed how to write your own code to
call these AI models. Today, we’ll take this a step further.
But before we can run, we need to walk, so let’s start with
a fundamental example.
OpenAI’s LLMs are currently the most talked about and
accessible, and for good reason. (There are others, and
we expect this to become a large ecosystem of compet-
ing and cooperating LLMs). The OpenAI models are very
powerful and enable impressive scenarios. One of them
is their own implementation at https://chat.openai.com,
which is what people generally refer to as “ChatGPT.” I
like to think of that site mainly as a tech-demo for this
powerful new development paradigm. (Which isn’t en-
tirely accurate, as OpenAI is developing it into more and
more of an extensible platform in its own right). Behind
this chatbot interface sit OpenAI services, which provide
a list of multiple individual LLMs that all have their own
strengths and weaknesses. We can use those in our own
applications as well.
There are two fundamental ways to call OpenAI servic-
es. One is through OpenAI directly (which is what Sahil
and Wei-Meng showed in their articles), and the other is
through Microsoft’s version called “Azure OpenAI.” The
two approaches are very similar (and the code practically
identical), so why choose one over the other? That’s an
excellent question and perhaps the answer isn’t entirely
clear at this point. You can use both approaches and fol-
low the examples in this article very closely. For instance,
if you sign up for OpenAI directly (which you can do on
https://platform.openai.com), you can then explore the
APIs, sign up for a subscription (yes, this costs money,
but not very much; you can fiddle with it for quite a while
and probably spend less than a dollar), play with exam-
ples, or write code like the following Python example:
import os
import openai
codemag.com
openai.api_type = "open_ai"
openai.api_base = "https://api.openai.com/v1"
openai.api_version = ""
openai.api_key = "<YOUR API KEY>"
os.environ["OPENAI_API_KEY"] = openai.api_key
response = openai.Completion.create(
engine="text-davinci-003",
prompt="Please tell me a story.",)
print(response.choices[0].text)
This example is straightforward. It pulls in an “openai”
client package, which then gets configured to access the
OpenAI API subscription (make sure you put in your own
API key). The most important part is the call to “openai.
Completion.create().” The completions API allows you
it.” In other words, you send it a prompt and ask it to
respond. Everything you do with LLMs revolves around More Information
“completing text,” whether it’s a simple completion as in
this example, or whether it’s a series of back-and-forth CODE has recently done
completions, which you then perceive as a chat or a dia- quite a number of free
log. You could also ask the AI to return different versions online webinars that cover
of a completion, which are called “choices,” but in most AI and, specifically, the
use of OpenAI’s LLMs in
scenarios, you just want a single version, hence we can
development scenarios.
simply retrieve the first (and only) choice.
We recommend checking
out recent State of .NET
presentations (codemag.com/
StateOfDotNet) as well as
It's OpenAI’s job to train models. our CODE Presents webinar
series (codemag.com/
It’s Microsoft’s job to integrate AI
CodePresents).
with all kinds of other services,
Also, take a look at our
such as databases and security. blogs, which include one
That’s why I like using Azure OpenAI. dedicated to AI. Check it out
at codemag.com/Blog/AI.
This example could be used almost unchanged running
against Azure OpenAI. You’d simply change the API type
to access Azure and point the base URL at the Azure
resource you want to use (see below). No further code
change is required. I like using Azure OpenAI. If you al-
ready have an Azure OpenAI account, you can simply add
an OpenAI resource the same exact way as you would
create any other Azure resource (such as a web app or
a database). One of the benefits through Azure is that
you will be billed as part of your overall Azure invoice.
I find that, especially for serious usages and enterprise
scenarios, it’s nice to have everything available and man-
ageable in one place.
Another difference between Azure OpenAI and direct Open-
AI is that the OpenAI organization is a provider of AI
models, while Microsoft is a provider of many different
Cloud services that form a coherent whole. It isn’t Open-
AI’s purpose or job to integrate their AI models with
other things, such as security, other cognitive services,
search, databases, or many other things. OpenAI focuses
entirely on creating and evolving AI. Microsoft’s purpose,
on the other hand, is to not worry about those details,
but to provide a large platform, of which one puzzle piece
is LLMs. The difference may not be immediately apparent,
Getting Started with AI Copilots in Your Own Applications 47
 but we’re now starting to see more and more integration
across Azure offerings. For instance, we’ll see, later in
this article, that, through Azure, it’s possible to directly
integrate things like Azure Cognitive Search, Blob Stor-
age, and more, into the use of LLMs.
On a sidenote: The first question almost every customer asks
me when it comes to incorporating LLMs into their own sys-
tems is whether their data is secure. After all, if you just
type a question into chat.openai.com, whatever you type
in is not kept private. Instead, it’s used to further train
OpenAI’s models. (Remember: It’s OpenAI’s main purpose
to push the development of better and better AI models).
OpenAI states that this is not the case for their paid offer-
ings (a statement I personally trust) but it’s apparent that
businesses trust Microsoft more (after all, they would have
much to lose and little to gain by not keeping customer data
secure and private). Microsoft guarantees that data won’t be
used for training (or anything else). Many businesses are al-
ready comfortable putting SQL Server (and many other forms
of data) into the Azure Cloud, and this equation essentially
remains the same if you use Azure’s OpenAI services.
Using Azure OpenAI, your data
remains secure and private.
Assuming that you want to go the Azure route, you can
set up an Azure OpenAI resource and run the previous Py-
thon example unchanged, once you point it to the Azure
URLs and provide an Azure API Key. Just like OpenAI
directly, Azure OpenAI can be called in different ways,
including through the Python SDK. You could also make
direct HTTP requests (it’s a REST-based API, after all). In
addition, because you’re now in the Microsoft world, .NET
client-packages are provided for easy access from .NET
languages. I find that to be an extremely compelling fea-
ture because AI is often built into existing applications to
significantly enhance their usefulness, and many of those
applications are written in languages other than Python.
The following is a C# example that uses the Azure OpenAI
services to perform the equivalent tasks of the Python
example above.
using Azure;
using Azure.AI.OpenAI;
var client = new OpenAIClient(
new Uri("https://<APP>.openai.azure.com/"),
new AzureKeyCredential("<YOUR API KEY>"));
var response = await client.GetCompletionsAsync(
"ChatBot",
"Please tell me a story.");
Console.WriteLine(response.Value.Choices[0].Text);
As you can see, the code is very similar. In fact, I find
the programming language used to call these kinds of AI
services to be almost irrelevant. If the language can make
HTTP calls, you’re good to go.
48 Getting Started with AI Copilots in Your Own Applications
There are a few aspects of the C# example worth pointing
out: Note that the URL for the Azure OpenAI service is
exposed as defined for my deployment specifically (unlike
the direct OpenAI endpoints, which are the same for ev-
eryone and every use). As with everything in Azure, when
you create an OpenAI resource, you specify the name as
well as the deployment location. Azure gives you com-
plete control over what region you’d like to deploy to
(so if you have a legal or logistical reason to keep your
AI service in a specific geographic region, you can do so
through Azure OpenAI). Furthermore, you can create your
own named deployments of LLMs. For instance, if you
need a model that can generate marketing text, you could
create a deployment called “Marketing Model” and then
choose which actual model that maps to (such as “text-
davinci-003”) and evolve that over time as more powerful
models become available, without having to change your
source code that accesses such a model. Nice! (In this
example, I deployed a GTP3.5 model and called it “Chat-
Bot.” See below for more details.)
A Simple Chat Example
Usually, the first implementation all our customers ask us
to create is a chatbot, similar to chat.openai.com, but
completely secure, so employees can use this kind of fea-
tures set without giving away company secrets (as has
accidently happened with Samsung. You might want to
Google that). This is also a great example to go beyond
the very basics of OpenAI LLMs, as it shows a chain of
interaction.
To get started with a chatbot using Azure OpenAI, you
first must create an Azure OpenAI resource through the
Azure Portal (https://portal.azure.com), as shown in Fig-
ure 1. (Note: If you’d rather follow this example using
OpenAI directly, you can follow all the concepts presented
here, although the code will be different as the REST API
will have to be used low-level). The user interface and
flow for this is very similar to creating other resources
in Azure (such as App Services). Currently, there aren’t a
lot of options or settings. The most important one is the
name of the resource, which also defined the “endpoint”
(the URL) of your OpenAI resource. Creating a new Azure
OpenAI resource automatically creates API keys, which
can be accessed through the Azure Portal (you’ll need this
a bit further down).
It's interesting that it’s possible to select which region
(and therefore, which data center and which geographic
location) the service is to be deployed to (this is espe-
cially important if you have a legal requirement to run
your AI in regions such as the European Union).
Note that as I’m writing this article, the list of available
regions is somewhat limited. This is simply a resource
limitation. In fact, there’s a waitlist to even sign up for
Azure OpenAI, although I hope that by the time you read
this article, this limitation isn’t an issue for you. Micro-
soft’s working hard in establishing more data centers
around the world that can run these kinds of workloads,
which are often extremely resource intensive. However,
the current list serves the purpose of making OpenAI
services available in major regions. (For more informa-
tion, visit https://www.codemag.com/StateOfDotNet and
watch one of my recent recordings, such as the BUILD
codemag.com
2023 recap webinar, in which I provide more information model decides the response wasn’t great, you can simply
on how fast Microsoft is bringing new data centers online ask it to do it again, and the second time around, it’ll likely
and how incredibly large some of these things are). do much better.

To create your chatbot, you can use a GPT3.5 model. To

Understanding Models
Once the fundamental Azure OpenAI resource is created,
you need to “deploy a model.” To do this, you need to
first understand what “models” in OpenAI are. When us-
ing applications like ChatGPT, an LLM is used to generate/
calculate text responses to the user’s input. At least, that’s
the simplified version of what really happens. To be at least
somewhat more accurate, you must dig a little bit deeper.
When the user enters a “prompt” (the message sent to the
LLM) in ChatGPT, there isn’t just a single model that re-
sponds. And it doesn’t respond with a complete message.
Instead, multiple models make up a whole system that gets
invoked to generate a response. Depending on the need
and intent of the user, different models are more appropri-
ate than others. Some models are great at creating elabo-
rate responses but are slower and more expensive (because
they are more resource-intensive to operate). Other models
might be much faster but provide simpler responses (which
may be completely appropriate for your specific need).
And yet other models are better at specific tasks, such as
creating or explaining source code. (Yes, LLMs can write
programs—some better than others). Models also differ in
their ability to handle large amounts of text. Each model
supports a certain number of “tokens,” which roughly maps
to text length (more on that below).
deploy this model, click on the link on the overview page
of the OpenAI resource in the Azure Portal, which takes you
to the Azure OpenAI Studio (https://oai.azure.com). This
is a developer’s tool like the developer’s portal on openai.
com (see above and also in the OpenAI articles in the July/
August 2023 issue of CODE Magazine). Azure OpenAI Studio
is a great tool to try out various techniques. It’s also the
tool used to create model deployments. To create yours,
click on “Deployments” and then click “Create new deploy-
ment” (Figure 2). You can pick the model you assume is
best (I generally start with GPT 3.5, which seems to be a
good baseline). Unlike when using OpenAI directly, Azure
OpenAI allows you to create your own name for the model.
In this case, I named my model “ChatBot.” I could have
also called my model deployment the same as the base
model (“gpt-35-turbo,” in this case), but I prefer to give
it a more abstract name. This way, if I later decide a dif-
ferent model is better suited for my chatbot example, I
can change the model without having to change the model
names in my code. A minor point perhaps, but one I like
over the raw OpenAI approach of always going with the
underlying model name.
Now that you have the Azure OpenAI resource created and
a model deployed, you can write code to start putting

As you become a more experienced AI programmer, under-

standing the characteristics of various models, as well as
staying on top of which new models become available, is
an important skill. (A list of current models can be found
at https://learn.microsoft.com/en-us/azure/cognitive-
services/openai/concepts/models).

It’s also interesting to understand that LLMs do not create

large amounts of text. Instead, they predict a single word
based on some prompt they receive. This may seem strange
to you, as you’ve likely seen ChatGPT create large amounts
of text. This is achieved by continuing to ask the model to
keep running and generating “just one more word” until
a satisfying complete output is achieved. This has no im-
mediate impact on the samples in this article, but it’s an
interesting characteristic to understand. For one, it gives
an idea of the performance characteristics (as you can
imagine, returning a very large amount of text calls mod-
els many times and is thus a resource-intensive process).
It also explains why models sometimes generate nonsense
(although this is less of a problem with the most capable
models, such as GPT3.5 or GPT4). The models simply don’t
“think” about the complete response they’re going to give.
Instead, generating “one more word” sometimes sends
them down a path that isn’t necessarily the most appropri-
ate. Once the entire response is generated, it’s possible to
hand it back to a model and ask it whether it thinks the
result is appropriate for the original prompt. Once it can
analyze the entire result it generated, it often understands
whether it was sensible or not. As it turns out, this is a
trick that works rather well (especially with GPT4 models)
to verify that a response is correct and prevent “hallucina-
tions.” (I know a lot of humans that could benefit from the
same thought process, but that’s a different matter). If the Figure 1: Creating an Azure OpenAI resource is very similar to creating many other Azure services.

codemag.com Getting Started with AI Copilots in Your Own Applications 49

 Figure 2: Creating a new model deployment in Azure OpenAI Studio.
Figure 3: An extremely simple chatbot is already able to tell a coherent and completely
made-up story.
Artificial Intelligence to work. You can do so from any type
of application you’d like. To keep things simple, I create a
C# command line application. To access the Azure OpenAI
services, I add the “Azure.AI.OpenAI” NuGet package to
my project. Now, all I have to do is create an instance of
the client-side object that’s conveniently provided to me
using this package, set the endpoint URL as well as API
key (which can be found in the Azure Portal: see above),
and I’m ready to start firing messages at the AI. The pre-
vious C# code snippet shows a first version of that.
We haven’t really done much here in terms of fine-tuning
the setup, but this code already produces an amazing re-
sult (Figure 3). All this code does is call the service with
a simple prompt (“tell me a story”) using all the default
settings, yet the response you get is quite elaborate. Even
this simple example produces results that would have
been inconceivable just a few months ago. And we’ve just
started to scratch the surface.
Understanding Prompts
A critical skill when coding AI (or even just interacting
with AI from a user’s viewpoint) is to understand how to
50 Getting Started with AI Copilots in Your Own Applications
best “ask it questions.” This is often referred to as “prompt
engineering.” I find this term already becoming overused,
as it describes a wide range of techniques, from users sim-
ply typing questions to developers coding very advanced
flows of sequences of questions/prompts, often with large
parts of this back-and-forth banter between a program and
the AI completely hidden from the user. When I refer to
“prompt engineering,” I usually refer to the latter. To me,
prompt engineering implies an engineering component,
the way a software developer understands it.
When sending prompts to an AI, there’s a lot more than just
a single block of text sent in hopes of a meaningful AI re-
sponse. For one thing, there are different types of prompts.
There’s the “system prompt,” which is a prompt that’s often
sent to an LLM as the very first prompt. It’s invisible to the
user, and it’s often used to configure the overall system. A
system prompt might be something like this:
You are a professional customer service
representative who works for CODE Magazine
and answers professionally and concisely.
You only answer questions that relate to
CODE Magazine.
This type of prompt is never visible to the user. It rep-
resents additional input to the model that configures
its overall behavior. This also reveals one of the major
paradigm shifts that developers have to learn when de-
veloping against these AI models: Instead of setting pa-
rameters in a very precise way, you simply tell the model
in plain English (or any other language, for that matter)
what you want. It’s both extremely powerful and some-
what scary, because the AI will interpret it any way it
sees as most appropriate. The results will vary every time
you interact with the AI. It’s also extremely powerful and
works quite well. Imagine what kinds of properties you’d
have to set to achieve the same result that this system
prompt will presumably achieve!
As you get more experienced in the use of LLMs, you will
find this kind of programming exhilarating! I encourage
you to experiment with system prompts. To spark your
imagination, here’s a prompt I often use when I dem-
onstrate the Copilots we integrate into our applications:
codemag.com
You are a customer serice agent. You answer
precisely yet light-heartedly and sometimes
you are funny. Because you are used for
demo purposes, replace all names that appear
in the output with fake names for
privacy reasons.
“chat completions” scenario. A chat is essentially a series
of completions and the API is very similar, but it makes it
easier to create larger conversations.
The new example, which combines a system prompt and a
flexible user prompt, now looks like this:

Now there’s something you don’t see every day! It solves using Azure;
a problem I originally struggled with when I wanted to using Azure.AI.OpenAI;
show off AI in real-world applications. I often couldn’t
show the generated results for privacy reasons. But using var client = new OpenAIClient(
a system prompt like this, the AI understands that every- new Uri("https://<APP>.openai.azure.com/"), SPONSORED SIDEBAR:
thing that appears to be a name should be replaced with new AzureKeyCredential("<YOUR API KEY>"));
a made-up name instead. This is the kind of thing that’s AI-Searchable
very difficult to do with traditional programming tech- var options = Knowledgebase
niques—how would you even write an algorithm that de- new ChatCompletionsOptions { MaxTokens = 1000 };
tects what’s a name, let alone replace it with fake names, One of the first scenarios
and then apply that fake name consistently going forward options.Messages.Add(new ChatMessage( most companies want
in follow-up conversations? Because we’re dealing with ChatRole.System, to implement is an AI-
a model that is, at the very least, very good at apply- """ searchable knowledgebase.
This way, documents, such
ing statistical mathematical tricks to fake intelligence, it You are a friendly and funny chap,
as employee manuals, can
understands this kind of request and does quite well with used to amuse an online audience.
be “indexed” and then used
it. Amazing indeed! You respond as if you were John Cleese from
by Generative AI to answer
Monty Python but with an old-English, medieval
questions. This is fun, but
Here's one more system prompt I often use to amuse my- way of talking. most companies quickly
self when I sit in front of my computer at 3 a.m. to meet """)); outgrow such an approach.
the latest deadline (after all, you gotta have some fun The next step is a system
every now and then, don’t you?): var userPrompt = Console.ReadLine(); that can provide this
options.Messages.Add(new ChatMessage( capability in a way that’s
You respond in the style of John Cleese from ChatRole.User, userPrompt)); secure and tailored (not
Monty Python, acting as a medieval peasant. every user should be able
var response = await to see everything and not
If the output created by this doesn’t put a smile on your client.GetChatCompletionsAsync( "ChatBot", options); all information applies to
face, brave sir knight, I must humbly request you turn in all scenarios) and provides
your geek card. <g> Console.WriteLine( real-time information,
response.Value.Choices[0].Message.Content); rather than pre-indexed
As you can imagine, using a system prompt effectively is static documents. Finally,
important. You want to use a system prompt that’s pre- This generates a response, which is also known as a organizations realize that
cise. At the same time, you don’t want the system prompt “prompt.” The AI considers itself to be an “assistant” to if such a system also had
to be too long. After all, when dealing with LLMs, you’re the person using it (or at least OpenAI considers it as access to data (in a secure
and appropriate fashion),
constantly battling size limitations, as they can only pro- such—the AI itself has no opinion on the matter) and
such a system evolves from
cess a certain amount of text. Therefore, try to be specific therefore, this is known as the assistant prompt.
a fringe offering to the
without wasting too much space on the system prompt.
center that the business
You might wonder why the response is considered a evolves around and that
“prompt” at all. Isn’t it just the “response?” Yes and no. all other systems are
As you have longer conversations with the AI, you some- controlled from.
If this doesn’t put a smile on your how need to preserve the state of the conversation. For
face, brave sir knight, I must humbly instance, if you ask the AI “What is a Ferrari,” it responds Regardless of how far y
with something like “an Italian sports car.” If you then ou want to travel down
request you turn in your geek card! subsequently ask “what is its typical color,” the AI needs this rabbit hole, our
to somehow know what “it” is. To us humans, it’s obvious CODE Consulting
that “it” refers to the “Ferrari” from the prior question. division can help you in
The next type of prompt we’re interested in is the user However, an LLM is a completely stateless system. It does implementing such a system
prompt. This is the core question you send to the AI. If not memorize prior answers or dialogs. Therefore, if you quickly. Find out how at
you’ve ever used ChatGPT, the user prompt is what you want the AI to understand such context, you must send codemag.com/AI-Docs.
type into the interface on the web page. A common usage it all the parts of the conversation that are meaningful
pattern is to let the user enter the text and then send it for the context. The easiest way to do so is to simply
to the AI as the user prompt. Note that this isn’t the only add to the collection of prompts, including the assistant
way to use this type of prompt. Very often, you’ll engineer prompts, on every subsequent call:
other ways of coming up with the input text (as you will
see below). For now, let’s enhance the prior example by using Azure;
reading the input from the console so the user can enter using Azure.AI.OpenAI;
anything they want.
var client = new OpenAIClient(
Also, while I’m at it, I’m going to switch from a simple new Uri("https://<APP>.openai.azure.com/"),
“completions” scenario to the slightly more advanced new AzureKeyCredential("<YOUR API KEY>"));

codemag.com Getting Started with AI Copilots in Your Own Applications 51


var options =
new ChatCompletionsOptions { MaxTokens = 1000 };
options.Messages.Add(new ChatMessage(
ChatRole.System,
"""
You are a friendly and funny chap,
used to amuse an online audience.
You respond as if you were John Cleese from
Monty Python but with an old-English, medieval
way of talking.
"""));
while (true)
{ You then send it the entire collection of previous prompts
Console.ForegroundColor = ConsoleColor.White;
Console.Write(">> ");
var prompt = Console.ReadLine();
if (prompt?.ToLower() == "exit") break;
options.Messages.Add(new ChatMessage(
ChatRole.User, prompt));
Console.ForegroundColor = ConsoleColor.Cyan;
Console.WriteLine();
var currentResponse = string.Empty;
var response = await
client.GetChatCompletionsAsync(
"ChatBot", options);
Console.WriteLine(
response.Value.Choices[0].Message.Content);
Console.WriteLine();
// Adding the AI response to the collection of
// prompts to preserve "state"
options.Messages.Add(new ChatMessage(
ChatRole.Assistant, currentResponse));
} input and output. Let’s say the size limitation is 1000 char-
In this version, you first set up a system prompt. Then,
you enter a loop (until the user types EXIT) and collect a
new user prompt, add it to the collection of prompts, send
it to the AI, retrieve the assistant prompt back (the an-
swer), and display it in the console (Figure 4). You then
add the assistant prompt to the collection of prompts,
add the next user prompt, and repeat the process. This
way, all of the relevant context is available to the AI on
every call, and thus it can generate meaningful responses
as if it remembered the entire conversation.
You may notice that the approach of adding to the queue
of prompts could create a very large amount of text quite
quickly. As I’ve already pointed out above, language
models have size limitations. You’ll find yourself con-
stantly wrestling with this limitation. Even the best lan-
guage models are quite limited in that respect. So, what
can you do if the collected size of the prompts gets too
long? The simplest answer is that you start dropping user
and agent prompts once they get above a certain num-
ber. (For instance, Bing’s chat feature currently starts
dropping prompts after five roundtrips). Another option
is to get a summary of the most important aspects of the
conversation so far and stick that summary into a single
prompt.
52 Getting Started with AI Copilots in Your Own Applications
Note: There are various prompt engineering techniques
that can help with this problem. For instance, instead of
sending everything back and forth, you could ask the AI
to summarize and rephrase the current question in a way
that includes all required information. I will dive deeper
into such techniques in a future article.
You may find yourself wondering how you’d extract a sum-
mary of the most significant points of a conversation. It’s
an extremely difficult programming task, after all. But the
answer is right in front of your eyes: Ask the AI to sum-
marize all the prompts for you. You can simply start a new
chain of interaction with the AI independently of your main
conversation. You can create a new system prompt that in-
dicates to the AI that it’s used to create concise summaries.
and add a new user prompt that asks the AI to summarize
everything. This is an example where the user prompt isn’t,
in fact, generated by a human user, but instead, the “user”
is your application. This generates a new assistant prompt
with a summary of everything that has happened so far.
On your main conversation, you then clear out your collec-
tion of prompts (except the system prompt) and add the
new/single assistant prompt containing the summary. You
proceed from that point forward with the next human-gen-
erated user prompt. This works quite well! The AI won’t be
aware of every single detail of the prior conversation (and
neither are humans when you talk to them for a while), but
it will have enough context to where it’s usually not appar-
ent that this truncation happened. In my experience, this
creates quite a natural flow that will do an amazing job of
making you think you’re conversing with an actual person.
Understanding Tokens
One of the questions as yet unanswered is “when is a prompt
sequence too long?” Each language model has a certain text
size limitation. This includes all the text going in and out of
the model. In other words, limitations are a combination of
acters and you send it a prompt that’s 200 characters long:
The response can’t be longer than 800 characters.
However, limitations aren’t measured in characters or
words. Instead, they are measured in “tokens.” A to-
ken is a mathematical representation of a word or a text
sequence such as special characters, line feeds, white
space, and so on. There’s no simple answer to how charac-
ters and words are converted into tokens. There are some
useful estimates, such as “a token, on average, encodes
about four characters” or “think of tokens as syllables.”
Such estimates give you a rough idea and some context,
but they can also be wildly wrong.
The correct answer is to convert text into tokens to get
the actual and accurate result. This can be done using a
“tokenizer.” In Python, you can use a library called TikTo-
ken. In C#, the equivalent is—wait for it—SharpToken.
You can add SharpToken as a NuGet package and then use
it to encode text like this:
var encoding =
SharpToken.GptEncoding.
GetEncodingForModel("gpt-4");
var tokens = encoding.Encode(text);
var tokenCount = tokens.Count;
codemag.com
Note that you need to choose the right token encoding
for the model you’re using. However, for any of the mod-
ern GPT models, “gpt-4” encoding works well (there’s no
separate encoding for GPT 3.5).

This gives you a list of integer numbers (“token” is a

fancy term for “integer number,” in this case). You could
turn this list of numbers back into the original text (and
all LLMs operate on such tokens rather than the actual
text—after all, all artificial intelligences are fancy math
processors, and that requires numbers). You could turn
tokens back into the original text like so:

var encoding =
SharpToken.GptEncoding.
GetEncodingForModel("gpt-4");
var text = encoding.Decode(tokens);

For our purposes, however, you’ll just use this to figure

out the exact length of the prompts. If you calculate the
tokens for every prompt in the sequence, you know when
you go above the published maximum token size for the
model you’ve chosen (see Microsoft’s model reference al-
ready mentioned above). When you detect a problem, you
can start truncating or summarizing the prior history as
described above. Voila!
In case you are interested what tokens are like, the text
“Hello, world!” results in the following integer tokens:
9906, 11, 1917, 0
One part of all of this that’s still a bit fuzzy is that the maxi-
mum token count includes the output as well. Let’s say that
you use the gpt-35-turbo model, which has a documented
maximum token count of 4,096. Applying a very rough esti-
mate, this is about 8,000 words. (The largest token count cur-
rently supported by any OpenAI model is 32,768 in the gpt-
4-32k model. Not surprisingly, it’s also by far the most expen-
sive model to use). If you use the tokenization approach to
determine that you’ve already used up 3,700 tokens (to make
up an example), that leaves 396 tokens maximum response
size (about 800 words). To not create an error response, you
then have to limit the response size to a maximum of 396 to-
kens. This can be done by setting the corresponding property
on the API. Not everything in OpenAI is specified in plain
English. There are a handful of properties, such as size limits
or randomization settings that have an impact on the predict-
ability of the generated response. See below for an example.
Streaming Results
In the examples shown so far, you’ve fired a request into
OpenAI and waited for the complete response to be pro-
vided. This is known as “synchronous access.” However,
when using the ChatGPT application, users observe a dif-
ferent behavior, where word after word appears in the
user interface, almost as if the AI actually spoke one
word after another. This is a pattern that is quite natural
and one that users seem to have already come to expect,
even though this entire paradigm hasn’t been around very
long. This behavior is known as “streaming.”
Using the C# API, it’s relatively simple to create this sort
of streaming behavior. Listing 1 shows the complete
implementation.
Figure 4: A more sophisticated and entertaining version of our chatbot can hold an
ongoing conversation in a humorous way.
This creates output that’s more pleasing and natural, as
it eliminates potentially large wait states (it can take
several seconds to produce responses, and often more for
very large responses). It’s an easy way to give the user
the impression that the response was instantaneous.
With that said, I haven’t quite made up my mind about
whether this is an approach I want to use going forward.
I’ve already mentioned above that LLMs can produce in-
correct output or outright “hallucinate.” (I’m not a big
fan of this term because I feel it gives too much agency
to AIs. After all, we’re not dealing with people or intel-
ligent beings. We’re dealing with statistical math engines
that produce statistically probable text output. They do
not “hallucinate.” It simply turns out that sometimes
nonsense is statistically the most likely answer.) I wonder
if we’ll get ourselves into trouble by letting LLMs dump
“stream of consciousness” types of answers on users with-
out first checking the result. Checking the result is quite
possible (as discussed above), but to do so, you first need
to have the entire result, then check it, redo it if you’re
not happy with the result, and then show it to the user.
This is contrary to streaming output. However, if the re-
sponse takes a while, you’ll have to employ other user
interface tricks to keep the user happy and fool them
into thinking the response was quicker than it really was.
After all, you don’t want a user interface that appears to
be doing nothing for more than a second.
At this point, I’m assuming that we’ll use both stream-
ing and non-streaming interfaces. When it really must be
right (as is often the case in enterprise scenarios), we
probably won’t be able to stream. On the other hand,
there are plenty of scenarios where accuracy isn’t as im-
portant (such as when using AI to help us write an email
or a marketing text), in which streaming is an easy way
to create a good user experience.

codemag.com Getting Started with AI Copilots in Your Own Applications 53

 Listing 1: A complete chat implementation with streaming response.
using Azure; Console.ForegroundColor = ConsoleColor.Cyan;
using Azure.AI.OpenAI; Console.WriteLine();

var client = new OpenAIClient( var response = await

new Uri("https://<APPNAME>.openai.azure.com/"), client.GetChatCompletionsStreamingAsync(
new AzureKeyCredential("<YOUR API KEY>")); "ChatBot", options);

var options = var sb = new StringBuilder();

new ChatCompletionsOptions { MaxTokens = 1000 }; await foreach (var choice in
response.Value.GetChoicesStreaming())
options.Messages.Add(new ChatMessage( {
ChatRole.System, await foreach (var message in
""" choice.GetMessageStreaming())
You are a friendly and funny chap, {
used to amuse an online audience. if (!string.IsNullOrEmpty(message.Content))
You respond as if you were John Cleese from {
Monty Python but with an old-English, medieval Console.Write(message.Content);
way of talking. sb.Append(message.Content);
""")); }
}
while (true) }
{
Console.ForegroundColor = ConsoleColor.White; Console.WriteLine();
Console.Write(">> "); Console.WriteLine();
var prompt = Console.ReadLine();
if (prompt?.ToLower() == "exit") break; options.Messages.Add(new ChatMessage(
ChatRole.Assistant, sb.ToString()));
options.Messages.Add(new ChatMessage( }
ChatRole.User, prompt));

SPONSORED SIDEBAR:
AI Training
Our CODE Training
division was the first
training organization that
offered in-depth training
about how to create
Copilots for your own
applications. We’re now
regularly scheduling these
types of training classes
(and others), which can
be attended online, in-
person, or be delivered,
customized, at and for your
organization.
Find out more at
codemag.com/Training.
Adding Your Own Data
We have now created a rather nice chatbot that can con-
verse coherently and probably fool people into thinking
they are talking to a person. This is impressive! But it
can only hold interest for a short period of time. To make
a truly useful artificial intelligence, or even a Copilot,
you need to make the AI understand your specific needs,
data, and institutional knowledge.
Let’s create an example scenario, in which you imagine
that you’re running a vacation rental business that rents
out properties to vacationers all over the world. Vacation-
ers may have many questions about the properties they
rent, as well as the area they are visiting. I’m sure every-
one in the vacation rental business must have answered
questions such as “How do I turn on the air conditioning
system?” or “How do I operate the safe?” a million times
and would rather offload such tasks to an AI that’s avail-
able 24 hours a day and doesn’t get annoyed easily.
In his article in the July/August 2023 issue of CODE Mag-
azine, Wei-Meng Lee created an example using the Python
LangChain package to index his entire collection of CODE
Magazine issues, so the AI could answer specific ques-
tions related to everything CODE has ever published. This
is very useful, but for the vacation rental example, you
need to go a step further. Wei-Meng created a static index
of all magazines and then kept using it (an approach that
is useful for some scenarios), but you need to use data
that is current up to the minute. Furthermore, and more
importantly, you need to apply additional logic to create
a correct and meaningful answer. For instance, it’s not
useful in this scenario to index the documentation you
have for all air conditioning systems in all of the vacation
homes. Instead, you need to know which property the
vacationer has rented, whether it has an air conditioning
system (or whether the vacationer is authorized to use
it), and then only use this information for the AI to cre-
ate an accurate answer. (Another concern that applies in
very many scenarios is security and access rights).
A great way to support such a scenario is a pattern known
as Retrieval Augmented Generation (which results in the
somewhat unfortunate acronym RAG). The general idea is
that you first let the user enter a question, such as “How
do I turn on the AC?” Then, you must retrieve all of the
information you have about the air conditioning system
specific to the property the user has rented. You then
take all that information, hand it to the AI, and let the
AI answer the original question.
To make a truly useful AI, you need
to make it understand your own
data and institutional knowledge.
In some ways, this is easier said than done. First, you need
to detect the user’s intent. Do they want to just chat about
something LLMs know (such as “what is an air conditioning
system?”), or do you need to retrieve different types of infor-
mation? In this example, intent detection is relatively trivial,
assuming you’re creating an AI specifically for answering
such questions. The intent is always that you need to find
documents related to the property they rented. (Similarly,
Bing Chat always knows that the intent includes some sort of
web search before the question can be answered.) Therefore,
intent detection isn’t a big issue for this scenario. However,
I’m mentioning intent detection here, because many Copilot
scenarios must do some heavy lifting around this concept,
and I’ll explore this in a future article. (For instance, a user’s
question in a business application may have to do with cus-
tomers or with product databases or with invoices or… you
get the idea. To have an AI answer such questions, you first

54 Getting Started with AI Copilots in Your Own Applications codemag.com

need to figure out what domain the user’s input relates to. AI
can help answer that, but it isn’t trivial). It’s generally safe
to assume that for any AI Copilot scenario, intent detection
is t\he first priority for any request.
Because you know that the user’s intent includes search-
ing for information you may have, the next step is to
figure out which documents apply. But how can you do
that? If you had a bunch of text description or even docu-
ments in a SQL Server database, you could retrieve them
from there, but how would you turn the question “how do
I turn on the AC?” into a SQL Server query that returns
appropriate documents? After all, SELECT * FROM Docu-
ments WHERE Body = ‘how do I turn on the AC?’ isn’t
going to return anything useful.
When it comes to this new world of AI development, I’ve
discovered that things are a lot easier if your system has
access to other AI-powered services. For instance, if you
use Azure Cognitive Search, it would be somewhat easier to
return a list of documents that match the criteria. Not just
that, but it could return such documents in a ranked fash-
ion, with the most important ones being returned first. You
could send it a search term such as “air conditioning manu-
al” and filter it by the name of the property the vacationer
has rented. This leaves us with the problem of turning the
original question (which might be much longer and include
other aspects, such as “how do I turn on the AC and how
much will it cost me to do so?”) into a useful search term
(such as “air conditioning manual pricing”) that will return
useful information. (Note that the user may use the term
“AC” and you may have to search for “air conditioning”).
Again, the answer becomes clear once you’ve adopted the
new style of development in this new world driven by AI:
You ask a large language model to come up with a useful
search term. A user prompt such as this will give you a
starting point:
Your task is to create a search term useful for
Azure Cognitive Search. Provide a search term
for the following prompt:
How do I turn on the AC and how much will it
cost me to do so?
As you can see, this prompt is “engineered” to include a
request related to what the user has entered as well as
the user’s original question. This prompt can be created
by simply creating the string in memory. I find it easier to
create at least a simple text template engine that helps
with this task. I’ve created one internally that supports
the following syntax. (Note: EPS may make it available
as an open-source engine if there’s enough interest. Feel
free to contact me if you feel it would be useful for the
community). Using such an engine, you might be able to
create a template like this to create the output string:
Your task is to create a search term useful for
Azure Cognitive Search. Provide a search term
for the following prompt:
{OriginalQuestion}
Note that there are some components out there that al-
ready do something similar, such as LangChain in Py-
codemag.com
thon. Microsoft’s announced (but unavailable as I write
this article) Prompt Flow engine presumably also supports
similar syntax.
If you fire this prompt (completely invisible to the user)
into OpenAI, it creates a useful result that can then be
used to retrieve documents from Azure Cognitive Search
(or similar services, such as Amazon’s Elastic Search).
However, responses are often somewhat unpredictable.
Sometimes, you get a response such as the desired “air
conditioning manual price.” Sometimes, the response is
wordier as in “a good search term might be ‘air condition-
ing manual price’”, which is correct, but not that useful.
Sometimes it provides the first answer, but wraps it into
double quotes, which has special meaning to search en-
gines and thus creates wrong results.
How can you handle this problem and what creates it in the
first place? For one thing, you can turn the “Temperature”
down to 0. “Temperature” is a parameter you can send to
an LLM. It’s a value between 0 and 2 (usually defaulted
to 0.7) that defines the randomness of the response. If
you turn this parameter to 0, the response to the same
question will be predictable and consistent. The higher the
value, the more random the response becomes. High ran-
domness is useful if you want to write stories, but in tech-
nical scenarios like this, you want high predictability, so
I recommend turning randomness to 0 for this operation.
Another problem lies in the core nature of this request.
It’s what is referred to as a “zero-shot prompt.” This
means that you simply sent a request to the AI but pro-
vided “zero guidance” (or “zero examples”) as to what
you wanted in return. Therefore, it tries its best in coming
up with a response, but it will be somewhat different in
nature for each request based on the question the user
asked. Try to unit test that!
In my experience, far better results are achieved with
prompt engineering techniques known as “one shot,” or,
better yet, “few shot.” In a “few shot prompt,” you provide
a few examples in addition to the question. Therefore, I
propose that you use the following prompt template:
Your task is to create a search term useful for
Azure Cognitive Search. Provide a search term
for the following prompt:
Q: How do I open the safe?
A: safe manual
Q: How do I unlock the door with the keypad?
A: keypad door operation
Q: What attractions are there around the property
and what do tickets cost?
A: local attractions
Q: {OriginalQuestion}
A:
In this example, I provided patterns of what I expect.
Those patterns may not be very close to what the ques-
tions are that the user asks, but they still provide enough
guidance to the AI to drastically improve the response.
Also, because it establishes a pattern of questions (Q)
Getting Started with AI Copilots in Your Own Applications 55
 and answers (A), the returned response will be similar to
what’s in the provided answer examples (which, for in-
stance, do not have quotes around them). It doesn’t mat-
ter how you format your few-shot prompt. For instance,
instead of having used “Q:” and “A:” to indicate ques-
tions and answers, I could have used “User:” and “Search
Term:”. It just matters that I provide a few examples of
what I expect. (The shorter version is preferrable, because
the API charges by token count).
This may seem strange at first. But hey! Welcome to the
new world of AI! <g> These types of prompt engineering
techniques are among the critical skills to learn when it
comes to AI programming. I’m sure CODE will produce
quite a few articles and blog posts about these sorts of
techniques for years to come.
There’s one more interesting aspect when it comes to
finding a good search term and that relates to the model
you use. When starting with LLM development, the in-
Figure 5: CODE’s internal knowledgebase now uses a Copilot to help our people with a
variety of questions. It’s based on the techniques introduced in this article.
56 Getting Started with AI Copilots in Your Own Applications
stinctive reaction is to always use the most powerful
model. But the more powerful the model, the slower it is
and the more each call costs. API calls are usually charged
for in 1,000 token increments. They’re cheap individually,
but they can add up quickly! Therefore, choosing the right
model is often critical for performance and economics.
Because you don’t need the AI to write a novel that can
win the Pulitzer Prize in response to a request to find a
good search term, you can probably do with a less capable
model that’s cheaper and faster. As more and more models
become available, perhaps there may even be models in the
future that aren’t as crazy resource-intensive and can run
on local computers without incurring any API expenses.
Whatever the case may be, a good prompt engineer and
AI developer will consider these tradeoffs on each call to
the AI. A single question a user asks may invoke several
different models behind the scenes to ultimately come up
with a good answer. For this specific need, I encourage you
to experiment with some of the simpler models to find a
search term before you then use something like GPT3.5 or
GPT4 to follow the next steps I’m about to describe.
Augmenting Prompts
Now that you have a search term, you can fire that search
term into Azure Cognitive Search and retrieve a list of
ranked documents.
Note: This assumes that you already have a list of docu-
ments in Cognitive Search (or a similar index). Creating
such an index is beyond the scope of this article, but the
short version is that you can create a Cognitive Search
resource in Azure (similar to OpenAI resources or App Ser-
vices and many others) and then add documents and other
content either manually, or by having it automatically sync
with various data sources. This allows you to add anything
from PDFs and HTML documents all the way to database
content. Some of this is fully automated, although I often
find that it’s useful to hand-craft indexes to achieve the
best results for AIs. I’ll explore this in detail in a future ar-
ticle. For now, let’s assume that there’s such a search index
and you’ve retrieved a list of information from it based on
the search-term you had the AI generate above.
At this point, you need to generate a final user prompt
that you can hand over to the AI to generate a meaning-
ful answer. You do this by injecting or “augmenting” the
prompt with the information you retrieved before a re-
sponse is generated (thus the name “Retrieval Augmented
Generation”). In its simplest form, you create a prompt
string that literally includes the content of the documents
you retrieved. Showing the complete prompt might take
up several pages in this magazine, so let’s look at a con-
ceptual prompt template instead:
Based on the following documents,
please answer the question below:
<% foreach document in documents %>
====
{document.Title}
{document.Content}
<% end foreach %>
Answer this question: {OriginalQuestion}
codemag.com
I think you can see where this is going: You create a large
prompt with all the content you retrieved from the search.
At the very beginning, you state what you want the AI to
do. The result is each document with title and actual con-
tent. (Note that I added an arbitrary separator sequence
of four equal signs before each document. This is another
prompt engineering technique I learned from experience
that seems to help the AI make sense of what I give it).
Finally, I ask the AI a second time (yet another technique
that usually improves the result) to answer the original
question the user had, and then the question (such as
“how do I turn on the AC?”) is merged into the prompt.
The result is output that is “grounded” in the specific
information you provided. It will be of very high qual-
ity and far less prone to hallucinations than what you’ll
encounter in raw ChatGPT. Also, the information you pro-
vided will remain private and secure. It won’t be passed
on to OpenAI for further model training or anything of
that kind. (Figure 5 shows CODE’s internal knowledge-
base, which now features our own built-in CODE Copilot.
It was built on this very technique).
One aspect I haven’t talked about yet is that of size.
Again, you’re up against token limits, and information re-
turned from search services can be lengthy. However, it’s
also ranked, meaning that the most applicable results are
returned first. I have used a simple token count mecha-
nism where I add up documents as long as I’m under the
token limit and then ignore the rest. After all, it’s less
important. This works in many scenarios. Another option
is to make multiple calls to the AI to summarize each
document, so it’s much shorter yet maintains the impor-
tant parts. This way, you can inject far more information,
but it is also more resource intensive.
In future articles, I’ll explore the details of making search
index use more efficient. One way to do so is to tune what
gets indexed. For instance, the indexed document can be
summarized when it’s saved into the index, and therefore,
a summarized and smaller version can be always available
if needed. Another technique I’ll explore in future articles
is to handcraft indexing mechanisms for rectangular data
(business data stored in databases such as SQL Server, or
invoices, products, and so on) so it can be found by AI.
Using Pre-Baked RAG Features
The pattern I just introduced is useful for quite a few sce-
narios, which is why I went through it in a manual fashion
here. I predict that you’ll spend quite a bit of time imple-
menting the RAG pattern for a wide variety of uses. With
that said, it isn’t always necessary to do this by hand. The
example I’ve shown above could have also been automat-
ed away completely. Microsoft has introduced features in
Azure that allow combining OpenAI LLMs with Cognitive
Search directly. Using this approach (which is currently
available in a preview version), you can automatically
link Azure Cognitive Search to OpenAI, making much of
this happen transparently and without knowing how the
RAG pattern works. It can be used to add anything in
Cognitive Search as well as data stored in Azure Storage
and, to a limited extent, even in SQL Server.
How well this will work remains to be seen once Microsoft
makes more of these features available to us. I predict
codemag.com
that it will be useful in a lot of scenarios. I also predict
SPONSORED SIDEBAR:
there will be a lot of scenarios where you will still do this
manually, either because you want to incorporate differ- Adding Copilots to
ent data sources, or because you want to add more logic Your Apps
(such as “which vacation rental property has the user
rented?”) to your systems. The future is here and
you don’t want to get
This is a good example of where Azure OpenAI shines over left behind. Unlock the
just OpenAI. After all, it’s not OpenAI’s job to incorporate true potential of your
RAG patterns into their models. But it is Microsoft’s job to software applications by
add more and more integration features of this kind, and adding Copilots. CODE
I expect this to happen at a rapid pace. This is one of the Consulting can assess your
main reasons I often choose Azure OpenAI over OpenAI applications and provide
directly (even though I use both approaches). you with a roadmap for
adding Copilot features
and optionally assist you
Conclusion in adding them to your
applications. Reach
There you have it! You now know some of the funda- out to us today to get
mental techniques required to build Copilot-powered ap- your application
plications. Admittedly, there remain many unanswered assessment scheduled.
questions, such as “how do you create a search index on www.codemag.com/ai
SQL Server data?” or “how do I go beyond a command-
line user interface?” Similarly, there are specific tasks to
which solutions may not be immediately apparent, such
as summarizing large blocks of information or detect-
ing user intent in scenarios that require consolidation of
many different types of data, information, and features.
These topics are beyond the scope of this article, but not
beyond the scope of what we intend to cover in CODE Maga-
zine in upcoming issues. In fact, I anticipate that we will
continuously publish a wide range of articles that all revolve
around this new world of software we now all live in. I hope
you’ll stay tuned for my own articles, blog posts, webinars,
and presentations on the subject, and you’ll find that many
other authors and presenters are creating similar content.
I’m very excited! In the thirty years I’ve spent in the
software industry, I’ve never experienced anything quite
like this. The pace of development is incredible and even
somewhat intimidating. At the same time, the surprising
results AI-driven software can produce are fascinating. It
doesn’t happen often that software you wrote completely
surprises you in the capabilities it exhibits, but that’s
exactly what happens on a regular basis with software
that uses LLMs as a backbone. It is easily the most fun
I’ve ever had in development.
I anticipate a fascinating journey. I hope you’ll join me!
Markus Egger
Getting Started with AI Copilots in Your Own Applications 57
 ONLINE QUICK ID 2309071
Vite and Progressive Web Apps
Many web developers use Vite to build their web applications, but as requirements change, you need to be able to make apps
out of your websites. Luckily, Vite has a solution for you. At a high level, Vite is a development build environment and abstracts
details from the underlying project framework. Because of this abstraction, you can achieve key features like packaging,
Shawn Wildermuth
[email protected]
wildermuth.com
@shawnwildermuth
Shawn Wildermuth has
been tinkering with
computers and software
since he got a Vic-20
back in the early ’80s.
As a Microsoft MVP since
2003, he’s also involved
with Microsoft as an ASP.
NET Insider and ClientDev
Insider. He’s the author
of over twenty Pluralsight
courses, written eight
books, an international
conference speaker, and
one of the Wilder Minds.
You can reach him at his
blog at http://wildermuth.
com. He’s also making his
first, feature-length docu-
mentary about software
developers today called
“Hello World: The Film.”
You can see more about it at
http://helloworldfilm.com.
58 Vite and Progressive Web Apps
offline use, and being able to install a website as an app
outside the JavaScript framework you’re using. In this ar-
ticle, I’ll show you how.
What’s a Progressive Web App
Although there’s always been a difference between build-
ing mobile apps and building websites, Progressive Web
Applications (PWAs) mean to fill in the gap between
them. The basic features that PWAs offer to web develop-
ers include:
• Installation: Can be installed from the web or sub-
mitted to app stores. Web assets are installed on
the local OS.
• Platform-agnostic: Can integrate with host OSs to
give the user a more native experience.
• Offline: Supports running the PWA offline so you
don’t need a persistent network connection to
launch the application.
• Background processing: Supports multiple threads
via Service Workers.
• Versioning: PWAs can have a consistent way to see
if the code needs to be updated.
• Protocol handlers: Associate files with the PWA.
To be clear, PWAs aren’t magical. They’re just web tech-
nologies so they have limitations about performance, and
theming your application to look like the underlying OS
is up to you. PWAs aren’t meant to replace native apps or
app frameworks like Flutter, MAUI, and Xamarin.
For a more in-depth explanation
of PWAs, see Chris Love’s article:
https://www.codemag.com/
Article/1805091/Introducing-
Progressive-Web-Apps-The-
No-Store-App-Solution.
For a long time, you’ve been able to install a website as
an application in most browsers. For example, in Edge (or
any Chromium browser), you can add a website as an app,
as seen in Figure 1.
This just installs the website in an OS window. It asks for
metadata because it only has the <title></title> as the
name of the app, as seen in Figure 2:
This is great for certain projects, but PWAs extend this idea
even further. Although hosting a website in its own window
does some of what PWAs do, unless you write specific code
to deal with offline usage, caching, and other features,
this feature is not the same as a PWAs. As discussed earlier,
unless you write custom code, PWAs can also use server
workers for background processes, enable offline mode, and
do updates in a more standard way. But this article is about
using PWAs in your Vite project, so let’s talk about Vite.
Vite
Vite (rhymes with ‘beat’) is taking the JavaScript world by
storm. It presents a way to develop your applications in a
very quick fashion. What might not be obvious is that Vite
isn’t a particular framework or library; it’s simply a tool
for running an application and reacting to changes. This
isn’t dependent on any specific way you write your own
code. Instead, it’s a development time tool for working
with JavaScript or TypeScript.
Vite has a plug-in that can implement PWAs for you. The
plug-in is called vite-plugin-pwa. The plug-in is specific to
Vite, so it doesn’t matter what web framework you’re using.
It’s agnostic to the underlying application. So, this works if
you’re using Vite for React, Vue, Svelte-Kit, or even Vanilla
JS. I like this approach because I can learn to handle a PWA
in one place and apply it to multiple technologies.
Next up, let’s add PWA support to a Vite project.
You can get the starting project from https://github.
com/wilder-minds/vite-pwa.
Installing the PWA Plug-in
The PWA Plugin is just another Vite plug-in. You can in-
stall it via NPM like this:
npm install vite-plugin-pwa -save-dev
The purpose of the VitePWA plug-in is to enable creation
of a manifest.webmanifest file and JavaScript files to
set up and run the service worker. The VitePWA plug-in
automatically creates these files without you having to
understand the nature of the files.
This installs the actual package but doesn’t configure it.
Once the package is installed, you need to configure it
in vite.config.js file. You’ll need to import the VitePWA
object into the file and call it to add the plug-in:
import^ÀOH85/7R3DWK85/`from 'node:url'
import^GHÀQH&RQÀJ`from 'vite'
import vue from '@vitejs/plugin-vue'
import { VitePWA } from "vite-plugin-pwa";
KWWSVYLWHMVGHYFRQÀJ
export defaultGHÀQH&RQÀJ ^
plugins: [
codemag.com
 vue(),
VitePWA()
],
...
})

This enables the plug-in, but only in actual Vite builds. If

you start the Vite preview feature, you’ll be able to look
at the Application tab in the browser’s developer tools, as
seen in Figure 3.

These errors occur because you haven’t started configur-

ing the plug-in. To do this, you can send in an options
object to the VitePWA plug-in:

export defaultGHÀQH&RQÀJ ^
plugins: [
vue(),
VitePWA({
manifest: {}
}),
...
Figure 1: Installing a website as an app
For most people, you’ll want to be able to test and debug
this in development mode. So the first real configuration
that I’d suggest you do is to enable devOptions:enabled:

export defaultGHÀQH&RQÀJ ^
plugins: [
vue(),
VitePWA({
manifest: {},
devOptions: {
enabled: true
} Figure 2: Installing a website as an application
}),

With this switch turned on, the manifest and associated

files are created for you. In order to enable installation
as a PWA, you’ll need, at a minimum, a 512x512 icon. You
can add several sizes of icons, but let’s start with the first
icon inside the manifest options:

export defaultGHÀQH&RQÀJ ^
plugins: [
vue(),
VitePWA({
manifest: {
icons: [
{
src: '/icons/icon-512x512.png',
sizes: '512x512',
type: 'image/png'
}
]
},
devOptions: {
enabled: true
}
}),

If you run the Vite project (e.g., “vite dev”), you’ll see
that the app is now installable, as seen in Figure 4:

You’ll notice that the browser has named the app “vite-
pwa”. This is the default name. If you open the dev-tools Figure 3: The empty manifest file

codemag.com Vite and Progressive Web Apps 59

 in the browser, you can click on the Application Tab and name: "Bechdel Films",
see information about the manifest, as shown in Figure 5. short_name: "Bechdel",
description: 6LPSOHDSSWRYLHZÀOPV,
To set this up, you’ll want to add the identity properties icons: [
in the manifest configuration: {
src: '/icons/icon-512x512.png',
VitePWA({ sizes: '512x512',
manifest: { type: 'image/png'
}
]
},
devOptions: {
enabled: true
}
}),
Figure 4: The installation button
With these changes, you’ll need to stop and restart the
“vite dev” call in order for the VitePWA plug-in to recreate
the manifest. Once you do that, you’ll see the information
in the browser tools, as seen in Figure 6.

With the basic metadata complete, you can see how in-
stalling the app works.

Installing a PWA App

Now the fun part starts. You can install the app using
that magic button in the address bar. This prompts you to
install the site as an application, as shown in Figure 7.

Once installed, depending on which browser and OS you

use to install it, you’ll get a prompt to about how to use
it in the system. As seen in Figure 8, Edge allows you to
install it into Windows Start Menu, Desktop, and Taskbar.

Once you install it, you’ll be able to launch it from the

Figure 5: The default name device/OS (as seen in Figure 9, on Windows).

Installing the PWA is only the beginning. Now you need

to make it act like an application.

Figure 6: A working manifest file
Offline Support
Although you can certainly create a native application
that doesn’t support offline usage, a PWA has different
requirements. While in the browser, caching can help load
certain assets (e.g., HTML, JS, CSS), but typically, this
still depends on checking the server for a new version
even if there’s a cache. In PWAs, all the assets to load the
page need to be stored for offline use. To do this, it uses
Cache storage. If you run the installed app, you can still
load the dev tools. With this view, you can see the cache
storage that’s being used, as seen in Figure 10.

This cache storage stores the assets necessary to run

the project. You’ll notice that the cache storage is called
“workbox-precache.” But what’s the workbox? The work-
box is simply a set of parameters inside which your ap-
plication runs. This is important as it defines how the ser-
vice worker interacts with the application and the server.
Luckily, the PWA plug-in allows you to configure this.

By default, the PWA plug-in caches HTML, JS, and CSS. If

you need other file types, you can configure the workbox
to include other files:

VitePWA({
Figure 7: Installation prompt ...

60 Vite and Progressive Web Apps codemag.com

Figure 8: Installation options.

workbox: {
globPatterns: [ "**/*.{js,css,html,pdf}"]
}
})

This allows you to help cache assets. In general, if an

asset is in src/assets or public folders, it will be cached
by the PWA.

Although supporting the site assets is a central part of

the workbox, inevitably most websites also need to call
APIs. The PWA plug-in allows you to configure runtime
caching. First, you’ll need to tell the plug-in which calls
to cache by using the urlPattern property:

workbox: {
globPatterns: ["**/*.{js,css,html,pdf}"], Figure 9: Installed on the OS

runtimeCaching: [{
urlPattern: ({ url }) => {
return url.pathname.startsWith("/api");
}
...

In this example, I’m caching any calls from the Java-

Script calls whose URL starts with “/api”. For me, this
includes any API calls. Again, this caching strategy is
helpful for offline support so that the JavaScript calls
to fetch are intercepted and returned with the cache
data when the real API isn’t available. To make this work
in the way you want, you need a couple more pieces of
configuration.

First, define the cache handler:

workbox: {
globPatterns: ["**/*.{js,css,html,pdf}"],

runtimeCaching: [{
urlPattern: ({ url }) => {
return url.pathname.startsWith("/api"); Figure 10: HTML page caching

codemag.com Vite and Progressive Web Apps 61


Figure 11: API caching in action
Figure 12: Forcing the Service Worker to update on page reload
Source Code
The source code can be
downloaded at https://github.
com/wilder-minds/vite-pwa
62 Vite and Progressive Web Apps
},
handler: "CacheFirst" as const,
In this example, I’m using the CacheFirst handler. This
handler type is defined in Chrome’s workbox documenta-
tion. The most common handlers include:
• CacheFirst: Read the cache before falling back to
calling the network.
• CacheOnly: Only read from the cache, never fallback
to network.
• NetworkFirst: Call the network first and, if it fails,
fallback to the cache.
• NetworkOnly: Always call the network, don’t use
the cache.
Finally, you’ll want to add some options to the cache:
workbox: {
globPatterns: ["**/*.{js,css,html,pdf}"],
runtimeCaching: [{
urlPattern: ({ url }) => {
return url.pathname.startsWith("/api");
},
handler: "CacheFirst" as const,
options: {
cacheName: "api-cache",
cacheableResponse: {
statuses: [0, 200]
}
}
}]
}
Although there are a number of options, naming the
cache and specifying what HTTP Status Codes to actually
cache is really common. By naming the cache, you can
easily see the caching in the Application tab of the dev
tools, as in Figure 11.
In order to see this work, you might need to force the
service worker to update on reload (instead of using the
cached version), as seen in Figure 12.
Now that you have that working, let’s talk about handling
updates to the application.
Configurating Updates
When the network is available and the code or markup
has changed, you’ll need a way of updating the cached
code. By default, the behavior is to prompt the user to
update the application by recreating the cache from the
server. To get this behavior, you don’t need to configure
this option.
If you want the application to just get the newest version
on every launch/reload, you can specify that the registra-
tion is to auto update by adding another configuration
detail:
VitePWA({
...,
registerType: 'autoUpdate'
})
For most applications, the autoUpdate is the cor-
rect behavior. To be clear, this doesn’t just invalidate
the markup, code, and CSS caches, but also invalidates
the runtimeCaches as well. Clearing these caches is
almost always the option you want, and is the de-
fault. It’s strongly recommended you don’t change this
behavior.
Where Are We?
Creating, building, and debugging PWAs can be straight-
forward, no matter the underlying framework. The PWA
plug-in for Vite represents a platform-agnostic way to ac-
complish creating a PWA and implementing many of the
features at a higher level than inside your application.
The plug-in should simplify how you want to support
PWAs in your applications.
Shawn Wildermuth
codemag.com

Authentication in Laravel, Part 2:
Token Authentication
In my previous article (May/June 2023 CODE Magazine), I introduced Authentication in Laravel. Laravel uses guards to determine
an authenticated user by specifying which authentication provider should be used for authentication. Guards are defined in the
config/auth.php file and can be customized to fit the needs of your application. Several types of guards are available in Laravel,
including session, token, and stateless guards. In the
previous article, I covered authenticating users with the
Session Guard in detail. In this article, I’ll cover Token
Guard and explore how to authenticate a user in Laravel
using tokens only.
Token Authentication in Laravel is typically used when
building stateless APIs. The client application (such as a
mobile app or a JavaScript application) needs to authen-
ticate with the server on every request without storing
any session information on the server.
Token Authentication works by issuing a token to the client
upon successful authentication, which is then used to au-
thenticate subsequent requests. The client sends this token
in the request headers, and the server uses it to authenticate
the user and authorize access to the requested resource.
In Laravel, Sanctum is the Token Authentication imple-
mentation used to authenticate API requests through the
auth:sanctum middleware, which protects the routes un-
der the routes/api.php file.
There are other ways to implement Token Authentication
in Laravel other than Sanctum. Still, being a package de-
veloped and maintained by the Laravel team, it’s consid-
ered the optimal implementation for Token Authentica-
tion in the Laravel application.
What’s Token Authentication?
Token Authentication is a method in which a token is
exchanged between the client and server to establish and
maintain authentication status. In this method, a token
is issued to a user after successful authentication. It’s
then used for subsequent authentication attempts in-
stead of sending the user's credentials, such as username
and password, with each request.
The token is typically a string of characters generated
by the server. It contains the user's identity and other
relevant information that allows the server to validate the
authenticity of the request. The token is usually included
in the HTTP Header of each request sent by the client, and
the server can use it to verify that the request is coming
from an authenticated user.
Token Authentication is helpful for several reasons:
• It improves security by reducing the risk of creden-
tials being intercepted or stolen because the user's
credentials are only exchanged once, during initial
authentication.
codemag.com
ONLINE QUICK ID 2309081
• It improves performance by reducing the amount of
data that needs to be sent with each request.
• It simplifies the implementation of authentication
mechanisms in complex systems and enables easy
integration with other systems and applications.
• It can be used in distributed systems, where au-
thentication needs to be performed across multiple
servers without requiring the servers to share au-
thentication data.
Bilal Haidar
How Laravel Implements Token [email protected]
https://www.bhaidar.dev
Authentication? @bhaidar
Laravel offers two packages for Token Authentication: Bilal Haidar is an
Laravel Passport and Laravel Sanctum. accomplished author,
Microsoft MVP of 10 years,
• Laravel Passport: Passport is a full-featured OAuth2 ASP.NET Insider, and has
server implementation that provides a complete solu- been writing for CODE
tion for API authentication. It allows clients to au- Magazine since 2007.
thenticate with your API using various OAuth2 flows,
including password grant, authorization code grant, With 15 years of extensive
and client credentials grant. Passport requires more experience in Web devel-
configuration and set up than Sanctum, but it offers opment, Bilal is an expert
more advanced features for OAuth2 authentication. in providing enterprise
• Laravel Sanctum: Sanctum is a lightweight pack- Web solutions.
age that provides a simple way to authenticate API
He works at Consolidated
requests using tokens. It's designed for single-page
Contractors Company in
applications, mobile applications, and APIs that need
Athens, Greece as a full-
a straightforward and easy-to-use authentication sys- stack senior developer.
tem. Sanctum uses Token Authentication, and it does
not support OAuth2 authentication flows. Bilal offers technical
consultancy for a variety
Both packages provide a secure and reliable way to au- of technologies including
thenticate API requests, but they differ in complexity and Nest JS, Angular, Vue JS,
the features they offer. Choose the package that best fits JavaScript and TypeScript.
the specific requirements of your application.
Before you begin working on your application, consider
whether Laravel Passport or Laravel Sanctum would be more
suitable for your needs. If your application must support
OAuth2, then Laravel Passport is the appropriate choice.
On the other hand, if you're looking to authenticate a
single-page application, or mobile application, or gener-
ate API tokens, then Laravel Sanctum is the recommended
choice. Although it doesn't support OAuth2, it offers a
more straightforward API authentication development ex-
perience.
Laravel Passport
This package uses OAuth2, an industry-standard proto-
col for authentication and authorization, to generate and
validate access tokens.
Authentication in Laravel, Part 2: Token Authentication 63
 When a user logs in, Passport generates an access token
and a refresh token. The access token is a JSON Web To-
ken (JWT) containing the user's ID, the token's expiration
time, and any additional data required. The refresh token
requests a new access token when the current access to-
ken expires.
To generate an access token, Laravel uses a combination
of the user's ID, a secret key, and the current time to de-
velop a unique signature. This signature is then encoded
as a JWT and returned to the client.
When the client makes a subsequent request, it includes
the access token in the Authorization header of the HTTP
request. Laravel's middleware verifies the validity of the
token by checking its signature against the secret key
and expiration time. If the token is valid, the request is
allowed to proceed.
If the token is invalid or has expired, Laravel returns a 401
Unauthorized response. If the access token has passed, but
the refresh token is still valid, the client can use this to
obtain a new access token without having to log in again.
Overall, Laravel Passport is designed to be secure, effi-
cient, and easy to use. By leveraging industry-standard
protocols like OAuth2 and JWT, Laravel provides a robust
and reliable authentication mechanism that can be easily
integrated into any Laravel application.
Laravel Sanctum
Laravel Sanctum is a lightweight authentication system
for SPAs (single-page applications), mobile applications,
and Token Authentication APIs.
Laravel Sanctum helps solve two different problems: API
Tokens and SPA Authentication.
API Tokens
Sanctum provides a straightforward way to create API to-
kens for your users. You can integrate Sanctum into your
application's Account Settings page, where users can gen-
erate and manage their API tokens. These tokens usually
have a long lifespan but can be manually revoked by the
user. Laravel Sanctum stores user API tokens in a single
database table and verifies incoming HTTP requests using
the Authorization header that contains a valid API token.
Token Authentication is a method of authenticating users
in a mobile application:
1. The user submits their login credentials to a Login
endpoint within the Laravel application.
2. A token is generated and returned to the mobile ap-
plication after successfully validating the credentials.
3. The token is stored locally and sent with every sub-
sequent request to the Laravel API within the request
header.
4. Laravel API validates the token in the request header
and performs authentication of the request accord-
ingly.
SPA Authentication
Laravel Sanctum doesn’t use tokens for Single Page Ap-
plications (SPAs) but instead relies on session cookies for
authentication. Here's how Sanctum works for SPAs:
64 Authentication in Laravel, Part 2: Token Authentication
1. When a user logs in or signs up, Sanctum generates
a unique, encrypted session cookie that’s returned to
the user's client-side SPA application.
2. The session cookie is stored in the browser's cookie
storage and sent with each subsequent request to
the Laravel application.
3. The Laravel Sanctum middleware validates the ses-
sion cookie and checks whether it’s associated with
a valid user account.
4. If the session cookie is valid, the Laravel application
processes the request and returns the response.
5. If the session cookie is invalid or has expired, the
Laravel application returns a 401 Unauthorized re-
sponse, indicating that the user needs to log in
again.
Laravel Sanctum also provides mechanisms for revoking
session cookies. If a user logs out or their account is
deleted, any active session cookies associated with their
performance can be invalidated. This ensures that unau-
thorized users cannot use an account after deactivating
it.
Overall, Laravel Sanctum is a powerful and flexible pack-
age for Token Authentication that can significantly sim-
plify the building of secure SPA and mobile applications
in Laravel.
Applying Token Authentication
in Laravel
In this section, let’s focus on how to use Laravel Sanctum
to authenticate users. The examples I give include both
SPAs and Mobile applications.
Create a New Laravel Application
Start by creating a new Laravel application. There are
several methods for creating a new Laravel app. I chose
the Docker-based one using the Laravel Sail package. You
can read more about Laravel installation by following this
URL: https://laravel.com/docs/10.x/installation.
Choose the method that best suits you. Before you start,
make sure you have Docker running on your computer.
I'm using a MacBook Pro. I start by running this com-
mand:
curl -s \
"https://laravel.build/token-auth-laravel"\
| bash
This creates a new Laravel application on your computer
under the directory named token-auth-laravel.
After the installer finishes, run the following commands:
1. Build up the Docker container.
./vendor/bin/sail up
2. Install the NPM packages.
./vendor/bin/sail npm install
3. Serve the application.
codemag.com
Figure 1: The Laravel 10 landing page

./vendor/bin/sail run dev Laravel Breeze for API removes your application's front-
end-related files and folders. This makes it suitable for
The application is now accessible at http://localhost. projects that only serve APIs. As a result, the package.
Open the URL in the browser, and you'll see the same json file and other front-end files are removed.
view as in Figure 1.
If you wish to serve your API project using Laravel Breeze
Next, let's install the Laravel Breeze starter kit. The Laravel for API, you can do so by running the following command:
team provides this starter kit for scaffolding Laravel authen-
tication and Profile management. This is my ultimate choice ./vendor/bin/sail \
when starting a new Laravel project. Trust me: It saves you artisan serve
a lot of time! You can read more about Laravel Breeze here:
https://laravel.com/docs/10.x/starter-kits#laravel-breeze. This command starts the Laravel Sail development envi-
ronment and serves your API project.
Laravel Breeze comes in four flavors:
Login Mobile Application Users
• Breeze & Blade The routes/api.php file governs the communication be-
• Breeze & React tween the Laravel API application and a mobile applica-
• Breeze & Vue tion. Let’s explore the content of this file.
• Breeze & Next.js/API
<?php
I'll use Breeze & Next.js/API for this article.
Route::middleware(['auth:sanctum'])
Run the following commands to install Laravel Breeze: ->get('/user', function (Request $request) {
return $request->user();
./vendor/bin/sail \ });
composer require \
laravel/breeze --dev The code snippet defines a GET route at the path /api/
user inside the routes/api.php file. This route is pro-
./vendor/bin/sail \ tected by the auth::sanctum middleware, meaning the
artisan breeze:install api user must be authenticated using Laravel Sanctum before
accessing this route.
./vendor/bin/sail \
artisan migrate The code inside the closure function of the route defi-
nition retrieves the currently authenticated user using
The Laravel Breeze for API added the basic configura- the $request->user() method. This method returns an
tion settings for Laravel Sanctum and all necessary HTTP instance of the authenticated user model if the user is
Controllers to log in, log out, register users, and more. authenticated or null if the user is not.

codemag.com Authentication in Laravel, Part 2: Token Authentication 65

 Listing 1: Authenticate Mobile application users.
public function __invoke(Request $request)
{ $user->password
$request->validate([ )
'email' => 'required|email', ) {
'password' => 'required', throw ValidationException::withMessages([
'device_name' => 'required', 'email' => [
]); 'The provided credentials are incorrect.'
],
$user = User::query() ]);
->where('email', $request->email) }
!ÀUVW 
return $user
if ( ->createToken($request->device_name)
!$user || ->plainTextToken;
!Hash::check( }
When a user makes a GET request to the /api/user end-
point with a valid authentication token, the closure func-
tion returns a JSON response containing the user object,
which includes details such as the user's name, email ad-
dress, and other information stored in the user model.
If the user is not authenticated or the authentication to-
ken is invalid, the auth:sanctum middleware automatically
returns a 401 Unauthorized response, denying the user ac-
cess.
When communicating with Laravel API endpoints, both
the request and response payloads contain JSON data.
Hence, it’s essential to continually include two request
header keys in every request to the API:
• Accept
• Content-Type
The Content-Type header of the request should be set to
application/json because you’re sending JSON data in the
request body. This header tells the server that the request
body is in JSON format and should be parsed as such.
The Accept header, on the other hand, is used to indicate
the desired response format. In this case, you’re return-
ing JSON data, so the Accept header can be set to ap-
plication/json to tell the server that you expect a JSON
response.
Let’s add a new post endpoint to log in users coming from
a Mobile application. To do so, add the following route to
the routes/api.php file:
Route::post('/login', LoginController::class);
Next, let’s create the LoginController class as an invok-
able controller using this command:
./vendor/bin/sail \
artisan make:controller \
API/Auth/LoginController --invokable
I’m placing the new controller inside the app/Http/Con-
trollers/API/Auth folder.
Open the LoginController class and paste the source code
shown in Listing 1 inside the __invoke() controller method.
Let’s explain the code in Listing 1 step by step.
66 Authentication in Laravel, Part 2: Token Authentication
$request->password,
1. The controller method accepts an HTTP request via
the $request parameter.
2. The $request parameter is then validated to ensure
that it contains the required fields for authentica-
tion. These fields are the user's email, password, and
the device name they are using to log in.
3. Next, the method queries the User model to find a
user with the email address provided in the request.
4. If the user is found, their password is checked to
ensure that it matches the password provided in the
request. If the password does not match, a validation
exception is thrown with an error message stating
that the credentials are incorrect.
5. If the user's email and password are validated suc-
cessfully, the method generates a new token for the
user using the createToken() method provided by
Sanctum. This token is associated with the device
name provided in the request.
6. Finally, the method returns the plain text value of
the token to the client. The client can use this to-
ken for subsequent authenticated requests to the
server.
In this case, the result of authenticating a user is that a
new token is generated and sent to the user. This token
should then be added to the header of every future re-
quest to the application.
Back to the original defined route in routes/api.php file:
<?php
Route::middleware(['auth:sanctum'])
->get('/user', function (Request $request) {
return $request->user();
});
Assuming that the user is authenticated and owns a to-
ken, an incoming request to the URL /api/user will be
authenticated using the Sanctum guard represented by
the middleware auth::sanctum.
This middleware first checks if a session cookie exists in
the incoming request (this is the default for SPA applica-
tions). Otherwise, it tries to locate a token in the request
header. For mobile users, that’s the default behavior.
Laravel Sanctum validates the token and accordingly al-
lows or forbids access to the /api/user route.
Now, let's add a few tests to ensure this code runs.
codemag.com
 Listing 2: LoginController Tests
class LoginControllerTest extends TestCase
{
use RefreshDatabase;
/** @test */
public function login_mobile_user()
{ );
$user = User::factory()->create([
'email' => '
[email protected]
', $this->assertDatabaseHas('personal_access_tokens',
'password' => bcrypt('password'),
]);
$response = $this->post('/api/login', [
'email' => $user->email,
'password' => 'password',
'device_name' => 'Bilal iPhone 12',
]);
Create a new test using this command:
./vendor/bin/sail \
artisan make:test \
API/Auth/LoginControllerTest
Paste the source code in Listing 2 inside the LoginCon-
trollerTest file.
Run this test using this command:
./vender/bin/sail \
WHVWÀOWHUORJLQBPRELOHBXVHU
The test should run and pass. Now let's look at it in some
detail and explain exactly what’s happening here.
This test verifies that the /api/login endpoint properly
authenticates mobile users using Laravel Sanctum. Here's
what the test is doing:
1. The use RefreshDatabase statement ensures
that the test database is reset before each test.
This ensures that the tests run with a consistent
state.
2. The $user variable is created using the User::factory()-
>create() method, which makes a new user in the
database. The user is given a specified email and
password for testing purposes.
3. The $response variable is set to the result of sending
a POST request to the /api/login endpoint with the
user's email, password, and device name provided in
the request payload.
4. The $response->assertOk() method verifies
that the server returns a 200 HTTP status code, indi-
cating that the request was successful.
5. The $this->assertNotEmpty($response->get-
Content()) method verifies that the response con-
tent is not empty. Remember, the /api/login end-
point returns the user’s token.
6. The $this->assertDatabaseHas() method verifies
that a personal access token was created for the user
in the personal_access_tokens table with the speci-
fied device name.
Let’s add another test to ensure that the authenticated
user can access the default /api/user endpoint.
Paste the testing method shown in Listing 3 at the end
codemag.com
$response->assertOk();
$this->assertNotEmpty(
$response->getContent()
[
'name' => 'Bilal iPhone 12',
'tokenable_type' => User::class,
'tokenable_id' => $user->id
]);
}
}
Listing 3: More tests for LoginController
/** @test */
public function access_user_endpoint()
{
Sanctum::actingAs(User::factory()->create());
$response = $this->get('/api/user');
$response->assertOk();
}
of the LoginControllerTest file.
Run this test using this command:
./vender/bin/sail \
WHVWÀOWHU"access_user_endpoint"
The test should run and pass. Let’s see the result.
This test verifies that a user can access the /api/user end-
point when authenticated using Laravel Sanctum. Here's how:
1. The Sanctum::actingAs() method logs in a user and
creates a new token for them. The User::factory()-
>create() method creates a new user in the database
and logs them in using Sanctum.
2. The $response variable is set to the result of sending a
GET request to the /api/user endpoint. This endpoint is
protected and requires an authenticated user to access it.
3. The $response->assertOk() method verifies that the
server returns a 200 HTTP status code, indicating
that the request was successful.
Register Mobile Application Users
Next, let’s add an endpoint to allow Mobile application
users to register on the application. For that, create a
new controller for registration using this command:
./vendor/bin/sail \
artisan make:controller \
API/Auth/RegisterController --invokable
Paste the code in Listing 4 inside the newly created con-
troller.
1. The request()->validate() method is used to validate
the incoming request data. This ensures the request
contains valid data before creating a new user.
Authentication in Laravel, Part 2: Token Authentication 67
 Listing 4: Register mobile application user
class RegisterController extends Controller ],
{ 'device_name' => ['required']
public function __invoke(Request $request) ]);
{
request()->validate([ $user = User::create([
'name' => ['required'], 'name' => request('name'),
'email' => [ 'email' => request('email'),
'required', 'password' => bcrypt(request('password')),
'email', ]);
'unique:users,email'
], return $user
'password' => [ ->createToken(request('device_name'))
'required', ->plainTextToken;
'min:8', }
FRQÀUPHG }

Listing 5: Register Controller Tests

class RegisterControllerTest extends TestCase 'device_name' => $user['device_name'],
{ ]);
use RefreshDatabase;
$response->assertSuccessful();
/** @test */
public function register_new_user() $this->assertNotEmpty($response->getContent());
{
$user = [ $this->assertDatabaseHas('users',
'name' => 'Bilal Haidar', [
'email' => '[email protected]', 'email' => $user['email']
'password' => 'password', ]);
'device_name' => 'Bilal iPhone 12',
]; $this->assertDatabaseHas('personal_access_tokens',
[
$response = $this->post('/api/register', [ 'name' => $user['device_name']
'name' => $user['name'], ]);
'email' => $user['email'], }
'password' => $user['password'], }
 SDVVZRUGBFRQÀUPDWLRQ  !XVHU> SDVVZRUG @

2. The validation rules are defined in an array and in-
clude the following:
• name: required, must be present in the request.
• email: required, must be a valid email address,
and must be unique in the users’ table.
• password: required, must be at least eight char-
acters long, and must match the confirmation
password.
• device_name: required, must be present in the
request.
3. A new user is created using the User::create() meth-
od if the validation passes. The user's name, email,
and password are obtained from the request data and
stored in the users’ table.
4. The user's password is encrypted using the bcrypt()
method, which hashes the password and ensures that
it cannot be read in plain text.
5. Finally, the user's personal access token is created
using the createToken() method, which generates
a new token for the user and associates it with the
provided device name. The plainTextToken attribute
of the token is returned to the client, which can be
used to authenticate future requests.
Next, let’s add a test to ensure this endpoint works prop-
erly.
Create a new test using this command:
./vendor/bin/sail \
artisan make:test \
API/Auth/RegisterControllerTest
Paste the code in Listing 5 inside the RegisterControl-
lerTest file.
The register_new_user() test method creates a new user
array with the following fields:
• name: the name of the user
• email: the email address of the user
• password: the password of the user
• device_name: the device's name associated with
the user's access token
The test then makes a POST request to the /api/register
endpoint with the user data in the request body.
The assertSuccessful() method ensures that the response
has a status code of 200 or 201, indicating that the user
was successfully created.
The assertNotEmpty() method is used to ensure that the
response content is not empty.
The assertDatabaseHas() method ensures that the new-
ly created user is stored in the database. The first call
checks for the existence of the user's email in the users'
table, and the second call checks for the presence of the
device name in the personal_access_tokens table.
Logout Mobile Application Users
Let’s look at how to implement a log out functionality
for your mobile application users. Start by creating a new
controller and add a new route to routes/api.php file.

68 Authentication in Laravel, Part 2: Token Authentication codemag.com

Run this command to create a new LogoutController class.
./vendor/bin/sail \
artisan make:controller \
API/Auth/LogoutController --invokable
Next, add the /api/logout route inside the routes/api.
php file. You want only authenticated users to access the
logout route. Therefore, refactor the routes/api.php file a
little, as shown in Listing 6.
Let’s now add the functionality to log out the user. Re-
place the __invoke() method inside LogoutController
class with the following code snippet:
public function __invoke(Request $request)
{ time of that session.
return request()
->user()
->currentAccessToken()
->delete();
}
The currentAccessToken() method is called on the authen-
ticated user to retrieve the access token associated with
their current session. Calling the delete() method on the
access token deletes it and effectively logs out the user.
Next, let’s add a test to ensure this endpoint works properly.
Create a new test using this command:
./vendor/bin/sail \
artisan make:test \
API/Auth/LogoutControllerTest
Paste the code in Listing 7 inside the LogoutController-
Test file. The test in Listing 7 does the following:
1. The Sanctum::actingAs($user) method is called to
authenticate the newly created user by generating
an access token using Laravel Sanctum's actingAs()
method. This allows the user to make authenticated
requests to the API.
2. The $this->post('/api/logout') method is used to
send a POST request to the /api/logout route to log
out the authenticated user.
3. The assertOk() method is called on the response ob-
ject to ensure that the response status code is 200
OK, indicating that the logout request was success-
ful.
4. The $this->assertDatabaseCount('personal_access_
tokens', 0) method is used to ensure that the ac-
Listing 7: LogoutController tests
class LogoutControllerTest extends TestCase
{
use RefreshDatabase;
/** @test */
public function logout_user()
{ $this->assertDatabaseCount(
$user = User::factory()->create([
'email' => '
[email protected]
', 0
'password' => bcrypt('password'),
]);
codemag.com
cess token associated with the authenticated user
has been deleted from the personal_access_tokens
database table.
Configure Laravel Sanctum for SPA Applications
Laravel Sanctum uses Laravel's cookie-based session au-
thentication to authenticate users in your SPA applica-
tion. The log in workflow goes as follows:
1. Start by requesting a CSRF cookie from Sanctum,
which allows you to make CSRF-protected requests to
normal endpoints like /login.
2. Then, request the normal Laravel /login endpoint.
3. Laravel issues a cookie holding the user's session.
4. Any future requests to the Laravel API now include
this cookie, so your user is authenticated for the life-
Configuration settings are needed when trying to authen-
ticate your SPA using Laravel Sanctum. I will detail them
in this section step by step so that you can follow along.
First, your SPA and Laravel API must be on the same top-
level domain. You cannot have your SPA on domainA.com
and the Laravel API on domainB.com. The reason is that
Laravel Sanctum sets up an HttpOnly Lax cookie. This
cookie is secure and cannot be read or stolen. But most
importantly, it cannot be shared across different domains.
You can read more about HttpOnly and Lax cookies here:
https://developer.mozilla.org/en-US/docs/Web/HTTP/
Headers/Set-Cookie.
Now, create a Vue3 application to use while setting up
and configuring Laravel Sanctum for SPA authentication.
Run the following command to create a new Vue3 project.
npm init vue@latest
Follow the instructions on the screen to create and
run your SPA application. Notice the last step. When
Listing 6: Add logout route to routes/api.php
Route::post('/login', LoginController::class);
Route::post('/register', RegisterController::class);
Route::middleware(['auth:sanctum'])
->group(function() {
Route::get('/user', function (Request $request) {
return $request->user();
});
Route::post('/logout', LogoutController::class);
});
Sanctum::actingAs($user);
$response = $this->post('/api/logout');
$response->assertOk();
'personal_access_tokens',
);
}
}
Authentication in Laravel, Part 2: Token Authentication 69
 you run the SPA application, the application URL is:
http://127.0.0.1:5173.
Note also, when you run the Laravel API application, it
will be running on the default URL and route: http://
localhost:8000.
Both applications have the same top-level domain; hence,
Laravel Sanctum can be used.
Start by configuring the CORS. What is CORS anyways?
CORS stands for Cross-Origin Resource Sharing, a security
feature implemented in modern web browsers that allows
web applications to make cross-origin requests to APIs
or resources hosted on other domains. In simpler terms,
CORS is a mechanism that allows a web page to request a
different domain than the one that served the web page.
By default, web browsers prevent web pages from making
cross-origin requests to resources on different domains to
prevent malicious attacks, such as cross-site scripting and
cross-site request forgery.
CORS provides a way for web developers to specify which
domains are allowed to make cross-origin requests to
their resources and which types of requests are allowed
(e.g., GET, POST, PUT, DELETE, etc.).
CORS works by adding specific headers to HTTP requests and
responses that indicate whether a particular request is al-
lowed. These headers include Access-Control-Allow-Origin,
Access-Control-Allow-Headers, Access-Control-Allow-Meth-
ods, and Access-Control-Allow-Credentials, among others.
What is an Origin anyway? An Origin is a combination of
a scheme (also known as the protocol, for example, HTTP
or HTTPS), hostname, and port (if specified).
Therefore, the domains we have so far, http://local-
host:5173 and http://locationhost:8000, have two dif-
ferent origins because the ports are different. That’s why
you should configure CORS at the Laravel API application
to allow this communication between two applications
hosted on two different origins.
To configure the CORS in a Laravel application, go to the
config/cors.php file. Listing 8 shows the content of this file.
Listing 8: CORS.config file
return [
'paths' => ['*'],
'allowed_methods' => ['*'],
'allowed_origins' => [env(
'FRONTEND_URL', 'http://localhost:3000'
)],
'allowed_origins_patterns' => [],
'allowed_headers' => ['*'],
'exposed_headers' => [],
'max_age' => 0,
'supports_credentials' => true,
];
70 Authentication in Laravel, Part 2: Token Authentication
Let’s explain some of the settings in this file.
The path field specifies which Laravel route paths accept
cross-origin requests. The asterisk here means all paths in
this application can accept cross-origin requests.
The allowed_methods field specifies what HTTP methods
can be received on a cross-origin request. This can be
POST, GET, PUT, etc. The asterisk here means all methods
are allowed on cross-origin requests.
The allowed_origins field specifies what Origins are al-
lowed to send requests to this Laravel API application.
In this case, it only allows the Origin specified in the
FRONTEND_URL environment variable. In case you don’t
configure this environment variable, it automatically as-
sumes the SPA is hosted over http://location:3000.
The allowed_origins_pattern field allows you to specify
a regex (https://regexr.com) to match the Origins.
The allowed_headers field specifies what HTTP Headers are
allowed to send in cross-origin requests. The asterisk here
means all HTTP Headers are allowed for cross-origin requests.
The exposed_headers field specifies what HTTP Headers
this Laravel API application would like to share with the
SPA JavaScript application.
The max_age field specifies the amount of time to cache
Preflight CORS requests. Let’s explore Preflight requests.
Preflight requests are a mechanism used by the browser to
determine whether it’s safe to make a cross-origin request to
a server. A preflight request is an HTTP OPTIONS request sent
to the server before the actual cross-origin request is made.
The preflight request includes headers such as Origin,
Access-Control-Request-Method, and Access-Control-Re-
quest-Headers, which specify the origin of the request,
the HTTP method that will be used in the actual request,
and the custom headers that will be sent in the actual
request, respectively.
The server must respond to the preflight request with the
appropriate CORS headers, including Access-Control-Allow-
Origin, Access-Control-Allow-Methods, and Access-Control-
Allow-Headers, indicating that the request is allowed and
which origins, methods, and headers are allowed.
Once the browser receives the appropriate CORS headers
in response to the preflight request, it proceeds with the
actual cross-origin request.
Finally, the supports_credentials field specifies whether
the Laravel API application wants to share the Cookies
with the SPA application.
Now open the .env file and update the FRONTEND_URL
environment variable to match the URL of the SPA ap-
plication.
FRONTEND_URL=http://localhost:5173
Make sure you don’t add a trailing forward slash. That’s
very important to remember.
codemag.com
Next, you need to add the SESSION_DOMAIN environ-
ment variable. This variable defines the cookie domain
used to identify a session in the Laravel API application.
This will determine which domains the cookie is available
to in your application.
SESSION_DOMAIN=localhost
Add the following line to the application’s .env file as
follows:
SANCTUM_STATEFUL_DOMAINS=localhost:5173
That’s all you need to configure Laravel Sanctum to au-
thenticate SPA users.

Ensure that you don’t add a trailing forward slash, a port
number, or a scheme (HTTP and HTTPS).
Finally, you need to add one more environment variable,
the SANCTUM_STATEFUL_DOMAINS.
SANCTUM_STATEFUL_DOMAINS is an environment variable
used in Laravel Sanctum that specifies the domains for
which Sanctum's stateful authentication mechanisms will
be used.
Stateful authentication in Sanctum involves cookies to
authenticate the user. When a user logs in, Sanctum cre-
ates a cookie containing a signed JSON Web Token (JWT)
that identifies the user. This cookie is sent with every
subsequent request to the server, allowing the server to
authenticate the user without requiring their credentials
with each request.
However, cookies can only be sent to the domain that
sent them and not to other domains. This means that if
you have a single-page application (SPA) that requests
your API from a different domain, the cookies that Sanc-
tum sets for authentication won't be sent with the re-
quests, and the user won't be authenticated.
To enable stateful authentication for a different domain,
add the domain to the SANCTUM_STATEFUL_DOMAINS
environment variable. This tells Sanctum to also allow
cookies to be sent to that domain, so the user can be
authenticated across domains.
Login SPA Users
When you installed Laravel Breeze for APIs, it included
all the necessary server-side code to authenticate, log
out, register, reset passwords, and many other functions.
Navigate to app/Http/Controllers/Auth folder and study
the code.
Locate the routes/web.php file and navigate to the last
line in that file:
require __DIR__.'/auth.php';
It requires the auth.php routes file. If you open this file,
you will find all the necessary routes to Login, Logout,
Register, Reset Password, and many other routes you need
for your SPA.
For instance, here is a code snippet to show the endpoint
route to allow SPA users to log in to the application:
Route::post('/login', [
AuthenticatedSessionController::class,
'store'
])
->middleware('guest')
->name('login');
The AuthenticatedSessionController@store method is
responsible for authenticating the user. This is the same
logic used in any Laravel application, not only in Laravel
API applications.

Listing 9: Login.vue component

<script setup> }
import axios from 'axios'
import { ref } from 'vue' </script>

axios.defaults.withCredentials = true <template>

<div>
const form = ref({
email: null, <h2>Sign in to your account</h2>
password: null,
}) <form @submit.prevent="onLogin">

const user = ref() <label>Email address</label>

<input v-model="form.email">
const onLogin = async () => {
await axios.get( <label>Password</label>
'http://localhost:1006/sanctum/csrf-cookie' <input v-model="form.password">
)
<button>Sign in</button>
await axios.post(
'http://localhost:1006/login', { </form>
'email': form.value.email,
'password': form.value.password, <pre>
}) {{ user }}
</pre>
let { data } = await axios.get(
'http://localhost:1006/api/user' </div>
) </template>

user.value = data

codemag.com Authentication in Laravel, Part 2: Token Authentication 71

 Laravel Sanctum
Sanctum offers token
authentication, which allows
users to obtain access tokens
and use them to access
protected API routes. Sanctum
uses Laravel’s built-in session
and cookie authentication
for managing tokens, making
it more suitable for use in
applications where there’s a
mix of traditional web views
and API endpoints.
72 Authentication in Laravel, Part 2: Token Authentication
Figure 2: The Login page in-action
Let’s add an HTML Form to the SPA application to allow
the user to log in to the Laravel API application.
First, let’s install Axios (https://axios-http.com/docs/
intro) into the SPA application. Navigate to the SPA ap-
plication and run the following command:
npm install axios
One nice thing I like about Axios is that it does some
things out of the box. For example, it takes the CSRF
cookie generated by the Laravel application and sets it as
an HTTP Header when sending the requests to the Laravel
API application.
Also, I’ve installed and configured Taliwindcss. To install
Tailwindcss, follow this guide: https://v2.tailwindcss.
com/docs/guides/vue-3-vite
Add a new Login.vue component. Paste the code you see
in Listing 9 inside this new component file.
Let’s discover the significant sections of the Login com-
ponent.
1. Start by importing the Axios and ref functions from
the Vue library.
2. Set the Axios.defaults.withCredentials configuration
property to true allowing cross-site requests to include
credentials such as cookies.
3. Create a reactive form object with email and pass-
word properties initialized to null.
4. Create a reactive user object to hold the user data
once logged in.
5. Define an onLogin() function that will be called
when the form is submitted. This function does the
following:
• Sends a request to the server to get a CSRF to-
ken by calling axios.get('http://localhost:1006/
sanctum/csrf-cookie'). This request is a must to
let the Laravel API application issue a CSRF token
to protect all of the non-GET requests.
• Sends a POST request to the server to authenti-
cate the user by calling axios.post('http://loc-
alhost:1006/login', { email: form.value.email,
password: form.value.password }).
• Sends a GET request to the server to get the user data
by calling axios.get('http://localhost:1006/api/
user'). The user data is stored in the data variable.
• Sets the user object to the data variable so that
it can be displayed in the template.
6. Include an HTML form with a submit binding @sub-
mit.prevent=”onLogin”
7. Bind the email and password fields of the HTML form
to the corresponding form.email and form.pass-
word fields.
When the user clicks the button, the form submits, and
eventually, the user details are retrieved accordingly for a
successful login request.
codemag.com

One last step is to import the Login.vue com-
ponent into the App.vue component to see the
Login page in the browser.
Figure 2 shows the result of trying the Login
form in the browser.
By doing this, you finish implementing Laravel
Sanctum for both SPA and Mobile applications.
Conclusion
Laravel offers comprehensive solutions for se-
curity, including authentication, authorization,
and other related features. You can confidently
add a robust security layer to your application
with the necessary knowledge. In the next in-
stallment of this series on building MVC appli-
cations with Laravel, I’ll delve into the topic of
Authorization in Laravel.
Happy Laravelling!
Bilal Haidar
[email protected]
[email protected]
[email protected]
.
codemag.com
CODE COMPILERS
(Continued from 74)
Snowbird environment being one built on trust,
on respect-centered values within which people Sep/Oct 2023
wanted to work. Finally, it all boiled down to Volume 24 Issue 5
Agile being about “mushy stuff of values and
culture.” Channeling Hamilton, the history Group Publisher
page is a contemporaneous account by one who Markus Egger
was in the room when it happened! Associate Publisher
Rick Strahl
What Lies at the Heart Editor-in-Chief
Rod Paddock
of Agile? Managing Editor
Among other things, egalitarianism, the notion Ellen Whitney
of equality is at the heart of Agile. At Snowbird,
there were 17 supremely talented and interna- Contributing Editor
John V. Petersen
tionally recognized thought leaders who, no
doubt, disagreed on many things while at the Content Editor
Melanie Spiller
same time, agreed on many things. To check
most of the differences and ego for the ben- Editorial Contributors
efit of what the group set out to do, ultimately Otto Dobretsberger
Jim Duffy
for the benefit of the whole world was egali- Jeff Etter
tarianism through a “deliberative assembly” or Mike Yeager
sorts. In Denmark, the parliament is called the
Writers in This Issue
Folketing (people’s thing). The “things” were Markus Egger Bilal Haidar
deliberative assemblies, such as a tribal coun- Joydip Kanjilal Julie Lerman
cil. While there was structure and a hierarchy, Sahil Malik John Petersen
Paul D. Sheriff Shawn Wildermuth
any man was free to plead his matter and be
heard. In any conflict resolution, there’s give Technical Reviewers
and take. Nobody gets everything. But if not Markus Egger
Rod Paddock
done well, everybody gets nothing. In this re-
gard, it should almost be instinctual to cooper- Production
Friedl Raffeiner Grafik Studio
ate. But it’s often difficult because egos get www.frigraf.it
involved, and that’s why being Agile is so dif- Graphic Layout
ficult. Individually, each must live the values so Friedl Raffeiner Grafik Studio in collaboration
that collectively, the group can. There’s plenty with onsight (www.onsightdesign.info)
of room for compromise, but that compromise Printing
must be subject to Agile values. Agile requires Fry Communications, Inc.
active cooperation, active accountability, and 800 West Church Rd.
Mechanicsburg, PA 17055
active engagement. Anything less and you’ll be
introducing dysfunction, the seeds of technical Advertising Sales
debt, into your organization. Tammy Ferguson
832-717-4445 ext 26
If you’re in a decision-making capacity and if
you’re either seeking to implement Agile or Circulation & Distribution
General Circulation: EPS Software Corp.
address some Agile dysfunction, you’d be well Newsstand:American News Company (ANC)
served to look at history. Look at the history
of how Agile came to be. And from there, look Subscriptions
Subscription Manager
to how the basis of that is rooted in the earli- Colleen Cade
est democratic practices in recorded history in
order to understand what Agile actually is and
US subscriptions are US $29.99 for one year. Subscriptions
to understand what lies at the heart of Agile. outside the US are US $50.99. Payments should be made
If your organization runs its software develop- in US dollars drawn on a US bank. American Express,
ment operation like a top-down hierarchy, Agile MasterCard, Visa, and Discover credit cards accepted.
Back issues are available. For subscription information,
won’t work. Just as you can’t fly a car, you can’t e-mail
waterfall Agile.
Subscribe online at
www.codemag.com
John V. Petersen
CODE Developer Magazine
6605 Cypresswood Drive, Ste 425, Spring, Texas 77379
Phone: 832-717-4445
CODA: What Lies in Agile’s Heart? 73
 CODA
CODA:
What Lies at Agile’s Heart?
As soon as I heard the term applied to software development and considering the 17 individuals who
codified, ratified, and released the Agile Manifesto in February, 2001, I instinctively knew the trail the
Agile Manifesto’s authors were blazing was the right path. I knew that because Agile wasn’t conjured
out of whole cloth. Many of the practices we
refer to as Agile pre-date Agile. In spite of
being so difficult to implement and the nay-
saying, I’ve always regarded the journey, along
with the pain of experience, to be worth it
because that’s the necessary feedback we need
to improve. A common refrain for a typical
team may be “Our releases are too buggy; we
need to reduce defects.” How do we do that?
The answer lies in the heart of Agile. Let’s go
find it.
If you’re not familiar with the Agile Manifesto
or if it has been a while since you’ve read it,
take some time to review: www.agilemani-
festo.org. One page that’s often overlooked
is Jim Highsmith’s history page: www.agile-
manifesto.org/history.html. Jim is one of the
17 Agile authors. As it turns out, that history
page has been an easter egg of sorts, hiding in
plain sight, for it gives us an inkling of what
lies in Agile’s heart.
Doesn’t the Agile Manifesto
Already Answer the Question?
No, it doesn’t. The Manifesto is the by-product
of, among other things, Agile practices. That’s
how we know Agile wasn’t conjured out of
whole cloth. Somewhere between various prac-
tices being created and implemented and the
formal Manifesto, something was brought to
bear. Therefore, although we can look to the
Manifesto to know what Agile is, we must peel-
back the onion to get to the root of what lies
at the heart of Agile.
The Manifesto’s Values
There are four values:
• Individuals and interactions over process-
es and tools
• Working software over comprehensive
documentation
• Customer collaboration over contract ne-
gotiation
• Responding to change over following a
plan
The context for these four values is found in the
following affirmation [emphasis added]:
74 CODA: What Lies in Agile’s Heart?
We are uncovering better
ways of developing
software by doing it and
helping others do it.
Agility is an active, not a passive thing. Agil-
ity is practiced by being it, not talking about
it. The principle concern is quality software
through better means. The work itself is the
only input the arbiter of quality should need to
consider because values are in the work itself.
Therefore, the only lens to view quality through
is the work.
The four values on the left in the Manifest
could be distilled into four words:
• Cooperation
• Accountability
• Engagement
• Agility
The Manifesto closes with [emphasis added]:
While there is value in the
items on the right, we value
the items on the left more.
The closing statement is pragmatism in ac-
tion. If a process must be followed because
of some law, rule, or regulation, then it must
be followed. It’s often necessary for software
development to seek better ways for its Agile
environment to accommodate processes, tools,
plans, or other terms and conditions that, his-
torically, have been carried out in a non-Agile
manner. Despite best efforts, tension may rise
between the values on the left and the right.
How to deal with that tension is often a make-
or-break proposition for Agile’s success in an
organization. These values are based on what
lies at the heart of Agile. Get your goggles on,
we have more onion peeling to do!
The Manifesto’s Principles
The Manifesto’s principles are found here:
http://agilemanifesto.org/principles.html.
From a historical perspective, the Agile Mani-
festo was released after the February 2001
meetings at the Snowbird Ski Resort in Salt
Lake City, UT. The 12 principles were published
soon thereafter. The principles are very impor-
tant in that they transcend specific practices.
Although the principles are important, they
aren’t relevant for this inquiry into what lies
at the heart of Agile because the principles are
backstopped by the values. Their essence is
that matter what we specifically do in the Ag-
ile space, we must always transparently inspect
and adapt our work. And that process involves a
constant inquiry into whether what we’re doing
is consistent with Agile Principles and Values.
It's worth mentioning that this question of
what lies at the heart of Agile may either be
simple or impossible. It just depends on where
you begin your journey. In my experience, most
Agile advocacy content begins with a tool. In
such cases, the advocacy is substantively prod-
uct advertising. “Use our tool and your Agile
implementation will be smooth” is often the re-
frain. If you’ve settled on Agile, jumping from
tool to tool won’t work because no tool can
ever be the thing that tells you what Agile is
and makes you understand it better. For sure, a
tool may help you better apply Agile. But when
things go wrong and you must diagnose your
“Agile dysfunction,” no tool is going to help
you. Your values and your commitment to them
are your only fuel source. What is that “Agile
dysfunction” you’re dealing with? Why aren’t
things working? We can answer that question
by analogy and looking to what happened at
Snowbird in 2001.
The “Deeper Theme”
I’m closing this installment with what was
mentioned at the outset, the history page:
http://agilemanifesto.org/history.html. I must
confess that for many years, I never read this
page. But once I did, it all became clear. There’s
discussion of a “deeper theme that drives many,
but not all…”. There’s further discussion on the
(Continued on page 72)
codemag.com
 CUSTOM SOFTWARE DEVELOPMENT
STAFFING TRAINING/MENTORING SECURITY

MORE THAN JUST

A MAGAZINE!
Does your development team lack skills or time to complete all your business-critical software projects?
CODE Consulting has top-tier developers available with in-depth experience in .NET,
web development, desktop development (WPF), Blazor, Azure, mobile apps, IoT and more.

Contact us today for a complimentary one hour tech consultation. No strings. No commitment. Just CODE.

codemag.com/code
832-717-4445 ext. 9 • [email protected]
 DO YOU WONDER
HOW ARTIFICIAL
INTELLIGENCE CAN
HELP YOUR BUSINESS?
Do you worry about privacy or regulatory issues stopping you from using AI to its fullest?
We have the answers!

We will send an expert to your office to meet with you. You will receive:
1. An overview presentation of the current state of AI.
2. Learn how to use AI in your business while ensuring privacy of your and your clients’ information.
3. We’ll build a sample application built on your own HR documents – allowing your employees to query
those documents in English, which will cut down the number of questions that you
and your HR group have to answer.
4. A roadmap for future use of AI catered to what you do.

CONTACT US TODAY FOR A FREE CONSULTATION AND DETAILS ABOUT OUR SERVICES
codemag.com/executivebriefing
832-717-4445 ext. 9 • [email protected]