The sample code you provided works because the data being modified on SumEditorViewModel is the same instance with that of the Item.Sum entity being passed by the ResultEditorViewModel. But, how do you pass data from a DataEditorViewModelBase to another DataEditorViewModelBase with a DataListViewModelBase in between, on the same manner that a view model sends data to a DataEditorViewModelBase? Say an Editor opens a new list and sends an instance of this.Item.SomeRelatedList property (is this even possible? sending list data from an editor?). Then, each item from SomeRelatedList intance are modified through each editor... and that any change to each item should be reflected to the main editor view. Picture this... > EDITOR A > LIST > EDITOR B. The calculated results for changes on EDITOR B should be reflected on EDITOR A as well.

Hi Arief,

Thanks for your response.

Yes, actually it was deliberately not implemented with anything, Our engineer reasoning is each company may go through a different process to verify their user. One of the prominent example is Banking, they may go a great length to compare each of their customer credential while Simple Apps can just mark a field in the db, which will cause re-invalidate in the code.

First off, we don't have a custom scenario here. Others may go a greater length to secure their data but we're talking simple and expected default behaviors. And besides, securing data even going through extra miles should be done on the Web API or the at back-end. The ability of the Crosslight framework to react to denial of access, that is our concern here.

Maybe in your scenario of re-login you can create new field named RequiredLogin, everytime desktop apps edits the credential the RequiredLogin become true, then in the client code, they can check the value in that Verify method, of course, by calling to server and grab the value.

Why would you do this when the client application has already been denied access? I mean, there's an authorization error message, right? It's not about what we can do, it's about how Crosslight's AppFramework should have just navigated to the login viewmodel instead of showing an error message.

Okay, to make things simpler... run your MyInventory sample based on Web API that has security features. Please make sure [Autorize] is enabled on your Web API. Run both the app from iOS and Android device and login as expected. Or from different devices... doesn't matter if they're both the same platforms. Close the app from both devices and re-open it. Now, change your password from one of the devices, then refresh the list from the other device, which contains the outdate credentials. That should throw an exception (e.g. AuthenticationException) on the device with an outdated set of credentials. This is a common scenario and should have been dealt with a default behavior.

Issue #1, while most of the processes in your security implementation has a default functionality, this one doesn't. It just returns true, without a default behavior? Why would you create a business template that doesn't have a default functionality to verify credentials using the default table structures shown here or using social login (FYI: we're not using this)? While it is true that we can override the VerifyAsync() method to customize its behavior, without a default behavior it doesn't make any sense. Enough said with that, I guess it is what it is... but we trust Intersoft wouldn't have missed this.

Issue #2, regarding the error message returned by the RestClient ("Authorization has been denied for this request") - what happens if you change your password from an iOS device and later use the app on an Android device with old credentials already stored in it? It's like the user would say "Yey, I'm in! Oh wait! There's an error." Common sense might tell the user to just logout and re-login because he knows he changed his password from an iOS device. But that is not a very good user experience. Especially for those who do not understand what the error message means. Should we expect the user to just logout from the Android device when he/she sees the error message?

We all expect that a LoginViewModel is available and that it is being used by the line of code below. Don't know what the purpose of that is. Why is it there anyway if not in used for this kind of scenarios? There is also a method called EnsureSignedIn(), but I don't believe this is implemented anywhere in a business template and we couldn't tell in which scenarios it could be useful. Maybe useful for issue #2? Kindly elaborate on this one if it's not already documented.

// Initialize the account service
this.AccountService.Initialize(typeof(LoginViewModel));

Thanks!