Skip links

The Blinking Caret

jQuery

Secure an ASP.NET Core Web Api using Cookies

by 3 Comments

There’s this frequent notion that you need to use tokens to secure a web api and you can’t use cookies.

That’s not the case. You can do authentication and authorization in a Web Api using cookies the same way you would for a normal web application, and doing so has the added advantage that cookies are easier to setup than for example JWT tokens. There are just a few things you need to be aware.

This blog post is about how you can secure an ASP.NET Core Web Api using cookies (if you are looking for how to secure a Web Api using JWT tokens check out Secure a Web Api in ASP.NET Core and Refresh Tokens in ASP.NET Core Web Api).

A padlock suggesting ASP.NET Web Api Security

Configuration required to make cookies work in a Web Api

If one of the clients of your Web Api is a web application (e.g. an Angular app)
and the Web Api and the Angular application are running in different domains (most common scenario) using cookies will not work without some extra configuration.

This might be the reason why using JWT tokens seems to be what people default to. If you try to setup your authentication the same way you would a traditional web application (e.g. an ASP.NET MVC web app) and then perform AJAX requests for logging in and out you’ll soon discover that they seem to do nothing.

For example, when you try to login to your web api using jQuery:

$.post('https://yourdomain.com/api/account/login', "username=theUsername&password=thePassword")

Your response won’t show any error. If you inspect the response it will even have the Set-Cookie header but the cookie will seemingly be ignored by the browser.

To add to the confusion you might even have CORS configured correctly for your Web Api and still see this behavior.

Turns out that you have to do some work in the client as well. The next sections describe what you need to do, both in terms of the server configuration and also the client.

You can find an example project here that is nothing more than the ASP.NET default template with authentication set to Individual User accounts stripped out of all the UI and adapted to be consumed as a Web Api. The sample project also contains an Angular application that consumes the Web Api.

Server side configuration

What you need to do server-side is to configure ASP.NET’s cookie authentication middleware and also setup CORS so that your Web Api “declares” it accepts requests from the domain where your client is hosted.

To setup the cookie middleware you have to setup the authentication middleware in your Startup.csConfigurateServices method:

public void ConfigureServices(IServiceCollection services)
{
    //...
    services.AddAuthentication(options => { 
        options.DefaultScheme = "Cookies"; 
    }).AddCookie("Cookies", options => {
        options.Cookie.Name = "auth_cookie";
        options.Cookie.SameSite = SameSiteMode.None;
        options.Events = new CookieAuthenticationEvents
        {                          
            OnRedirectToLogin = redirectContext =>
            {
                redirectContext.HttpContext.Response.StatusCode = 401;
                return Task.CompletedTask;
            }
        };                
    });

Here I’m naming the cookie authentication scheme as “Cookies” (that’s AddCookie‘s first parameters). We’ll have to reference this name later when implementing the login endpoint.

I’m also naming the cookie that will be created as auth_cookie (options.Cookie.Name = "auth_cookie"). If the consumer of your Web Api is a web client (for example an Angular application) you don’t have to deal with the name of the cookie. However, if you are writing a C# client using HttpClient you might need to read and store the value of the cookie manually. Having an explicit name is easier to remember than the default name, which is .AspNet. + authentication scheme name (in this case that would be .AspNet.Cookies).

Regarding SameSiteMode I’m setting it to None. SameSite is used when setting the Cookie (it controls an attribute with the same name in the Set-Cookie header). It’s values are Strict and Lax. Strict means that the cookie will only be sent by the browser for requests that originate from the domain of the cookie. With this value the browser won’t even send the cookie if you have a website that has a link to yours.

With Lax the browser will send the cookie for requests that originate in the cookie’s domain and cross-origin requests that don’t have side effects (i.e. will be sent with a GET but not with a POST). A cross-origin request is a request that is sent from a url different than the destination url (for most browsers even having different ports, e.g.: localhost:8080 to localhost:8081) will make a request be considered cross-origin.

If you set it to SameSiteMode.None as we did, the samesite attribute isn’t included. That has the consequence of the browser sending the cookie along for all requests, which is what we want.

As an aside, if you need to debug problems with cookies prefer Firefox’s developer tools to Chrome’s. Chrome will not show you the Set-Cookie header if it’s not for the domain where the request originated (checked version 67.0.3396.99).

Finally, I’m redefining what happens when the authentication fails. Usually the cookie middleware produces a 302 redirect response to a login page. Since we are building a Web Api we want to send the client a 401 Unauthorized response instead. That’s what the custom OnRedirectToLogin will do.

When using ASP.NET Core Identity (which is what the demo project uses) this configuration is a little bit different. You won’t have to worry about naming the cookie authentication scheme since ASP.NET Core Identity provides a default value. Also, the redefinition of what happens on the OnRedirectToLogin is a little bit different (but similar enough that it shouldn’t be a problem to understand after seeing this one).

That’s it for the authentication middleware, but still on the ConfigureServices method we also need to add CORS. Just add this line:

services.AddCors();

Finally, in Startup.csConfigure method add the authentication and CORS middleware to the pipeline (before the MVC pipeline):

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    //...
    app.UseCors(policy =>
    {
        policy.AllowAnyHeader();
        policy.AllowAnyMethod();
        policy.AllowAnyOrigin();
        policy.AllowCredentials();
    });

    app.UseAuthentication();
    //...
    app.UseMvc();

Our CORS configuration does not put any restriction on the potential clients of the Web Api. Of particular importance here is the AllowCredentials option. Without it, the browser will ignore the response to any requests that are sent with Cookies (see the Access-Control-Allow-Credentials section in MDN’s documentation on CORS).

Login and Logout actions

The Login and Logout actions are similar to what you would have for a normal MVC application. The only difference here is that we won’t return any content in the responses, just responses with the appropriate status code.

Here’s an example of how the Login method could look like:

[HttpPost]
public async Task<IActionResult> Login(string username, string password)
{
    if (!IsValidUsernameAndPasswod(username, password))
        return BadRequest();

    var user = GetUserFromUsername(username);

    var claimsIdentity = new ClaimsIdentity(new[]
    {
        new Claim(ClaimTypes.Name, user.Username),
        //...
    }, "Cookies");

    var claimsPrincipal = new ClaimsPrincipal(claimsIdentity);
    await Request.HttpContext.SignInAsync("Cookies", claimsPrincipal);

    return NoContent();
}

Notice that we are referencing the “Cookies” authentication scheme we’ve defined in Startup.cs.

The Logout method could look like this:

[HttpPost]
public async Task<IActionResult> Logout()
{
    await HttpContext.SignOutAsync();
    return NoContent();
}

In the demo project we rely on ASP.NET Core Identity which provides the UserManager and SignInManager classes that provide identical functionality of what is described above.

The Client

When consuming a Web Api that uses cookies using a browser client you need to be aware of some quirks. Namely of the behavior of XMLHttpRequest and the Fetch Api. If your client is not running in a browser (e.g. a C# application), apart from having to know how to save/restore cookies, there are no hurdles.

There are two ways to perform AJAX requests in the browser. Using XMLHttpRequest or using the Fetch Api. Even if you are using some library or framework (e.g. jQuery or Angular) it’s one of these two that is being used.

When you perform a request using any of these options and the response contains a Set-Cookie header it will be ignored silently. And the documentation on this is not very clear, for example in XMLHttpRequest’s MDN documentation:

XMLHttpRequest.withCredentials

Is a Boolean that indicates whether or not cross-site Access-Control requests should be made using credentials such as cookies or authorization headers.

withCredentials is the flag you need to set to true so that cookies aren’t ignored when they are set by a response (Set-Cookie header) and it is also the flag that you need to have so that cookies are sent in requests.

If you dig into the MDN documentation this is described this way:

In addition, this flag is also used to indicate when cookies are to be ignored in the response … XMLHttpRequest from a different domain cannot set cookie values for their own domain unless withCredentials is set to true before making the request…

There you go, that flag serves two different purposes. Reminds me of this tweet:

 

Since it’s most likely you will not be making requests with XMLHttpRequest manually I’ll abstain from including an example for it here and include instead one for jQuery, another for Angular and another with the Fetch Api.

JQuery

For jQuery you can perform a request with withCredentials set to true this way:

$.ajax({
    url: 'http://yourdomain.com/api/account/login?username=theUsername&password=thePassword', 
    method: 'POST', 
    xhrFields: {
        withCredentials: true
    }
});

Every request needs to have the withCredentials flag.

Doing this with with $.ajax can get tedious fast. Thankfully you can just use $.ajaxSetup and set it there:

$.ajaxSetup({xhrFields: {withCredentials: true}});

Now every subsequent request you perform with jQuery ($.get, $.post, etc) will be done with the withCredentials flag set to true.

Angular

With Angular you can specify options on each call using HttpClient from @angular/common/http, for example:

this.httpClient.post<any>(`http://yourdomain.com/api/account/login?username=theUsername&password=thePassword`, {}, {
  withCredentials: true 
}).subscribe(....

Or, more conveniently, you can create an HttpInterceptor that will add that option to every request for you:

import { Injectable } from '@angular/core';
import { HttpInterceptor, HttpEvent, HttpRequest, HttpHandler } from '@angular/common/http';
import { Observable } from 'rxjs/Observable';

@Injectable()
export class AddWithCredentialsInterceptorService implements HttpInterceptor {
    intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
        return next.handle(req.clone({
            withCredentials: true
        }));
    }
}

Fetch Api

If you are using the more modern Fetch API you need to add the property credentials with value include with every request that might result in a response that creates cookies or requests for which cookie are to be sent with.

Here’s an example of a post request:

fetch('http://yourdomain.com/api/account/login?username=theUsername&password=thePassword', {
    method: 'POST',
    credentials: 'include'
}).then...

.Net Client

To create a .Net Client you’d use HttpClient.

HttpClient will take care of storing the cookie when a response sends it and it will send it for your when you perform a request. You just need to keep the HttpClient instance after you log in, which is the recommended way of doing it anyway.

Here’s how you could login and then perform an authenticated request:

var client = new HttpClient();
var loginResponse = await client.PostAsync("http://yourdomain.com/api/account/login?username=theUsername&password=thePassword", null);
if (!loginResponse.IsSuccessStatusCode){
    //handle unsuccessful login
}                        

var response = await client.GetAsync("http://yourdomain.com/api/anEndpointThatRequiresASignedInUser/");

One thing you might want to do is to save the authentication cookie and restore it later.

Imagine a scenario where your user closes your application and you want to support the user being able to return later an not having to log in.

It is possible to do this with HttpClient, but you need to initialize it a little differently:

CookieContainer cookieContainer = new CookieContainer();
HttpClientHandler handler = new HttpClientHandler
{
    CookieContainer = cookieContainer
};
handler.CookieContainer = cookieContainer;
var client = new HttpClient(handler);

var loginResponse = await client.PostAsync("http://yourdomain.com/api/account/login?username=theUsername&password=thePassword", null);
if (!loginResponse.IsSuccessStatusCode){
    //handle unsuccessful login
}

var authCookie = cookieContainer.GetCookies(new Uri("http://yourdomain.com")).Cast<Cookie>().Single(cookie => cookie.Name == "auth_cookie");

//Save authCookie.ToString() somewhere
//authCookie.ToString() -> auth_cookie=CfDJ8J0_eoL4pK5Hq8bJZ8e1XIXFsDk7xDzvER3g70....

To restore a cookie after creating the CookieContainer you can call the SetCookies method on it:

cookieContainer.SetCookies(new Uri("http://yourdomain.com"), "auth_cookie=CfDJ8J0_eoL4pK5Hq8bJZ8e1XIXFsDk7xDzvER3g70...");

Conclusion

Event though this is a long post, setting up cookies in you Web Api is not that hard. You just need to keep a few things in mind.

Namely, you need to make sure that your cookie is not being generated with a samesite attribute. To do this you should check the Set-Header header that comes in the login response.

Do this using Firefox instead of Chrome’s developer tools. Chrome (at least the version I’m running 67.0.3396.99) does not display the Set-Cookie header if it’s for a different domain than the one from where the request was performed.

The next thing you have to make sure is that you’ve configured CORS correctly. Of particular importance is making sure you have AllowsCredentials in your CORS policy.

Finally, if you are running a web client, make sure you have the withCredentials flag set to true on every request or credentials: 'include' for the Fetch Api.

 

Don’t just turn off the cache

by 2 Comments

If you’ve ever had to deal with ajax GET requests in Internet Explorer you will undoubtedly found out that IE will cache responses that have content-type: “application/json”.

As you probably do most of your development using another browser which does not have this behavior (and who can blame you, IE’s developer tools are not great) you might forget about this “feature” of IE.

When time comes to test in IE and this becomes a problem, usually the knee jerk reaction is just to turn off the cache entirely. I’ve seen people doing this using jQuery and Angular, but I bet it’s common with whatever alternative technology you use.

turn-off cache

I must confess, I’ve done this myself, more than once. And worst, I’ve added used request headers like:

If-Modified-Since: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Pragma: no-cache

Without having a clue of what Pragma or Cache-Control are. That’s never a good idea.

I’ve taken the example above directly from the top voted answer in Stack Overflow “Angular IE Caching issue for $http”. It has loads of up-votes, 302 as I write this.

What’s really funny about that answer is that those headers don’t make much sense the way they are (they will work though). But let’s look at each individually.

If-Modified-Since when used in a GET or HEAD request makes that request “conditional” (that’s the term used in the documentation). For this header to work the web server must be configured to handle it. The web server responds to a request with this header either with a 304 Not Modified or 200 response code. To be able to do this correctly the server must be able to determine if the response has changed. There’s no way for the server to know that a response that was dynamically generated has changed. Unless you are serving static files this won’t work.

Cache-Control when set with no-cache means:

The “no-cache” request directive indicates that a cache MUST NOT use a stored response to satisfy the request without successful validation on the origin server. (emphasis mine)

This is from RFC7234 (RFC about caching in HTTP/1.1). How is the validation performed in the origin server then?

One way is the server responding to a GET request with a response that contains an ETag header. You can think of that ETag as a hash of the content. If the content changes the ETag changes.

When the browser requests the same resource it will include the previous ETag value. The server can then use this to verify if the content that the browser has is still up to date (this is what is meant by successful validation on the origin server in the RFC). If the content is still up to date the server responds with a 304 Not Modified and the browser uses the cached version of the resource.

None of this happens automatically, especially for a response that is dynamically generated.

Finally, the Pragma: no-cache header is from HTTP 1.0. It was retained in HTTP 1.1 for backwards compatibility. It instructs proxies not to cache the request.

So why does adding these headers work? At some point in time IE and Firefox decided that Cache-Control: no-cache should just mean do not cache, and that was it. That header now behaves the way someone who did not read the full RFC would expect it to behave. Actually it behaves like Cache-Control: no-store which actually means “a cache MUST NOT store any part of either this request or any response to it”.

If I were to do this today I’d use only that header and it should be fine:

Cache-Control: no-store

Well, I’d use it only in the requests that I really wouldn’t want cached. What I wouldn’t do is set it globally, for example in Angular by using the $httpProvider to have the header added to every get request automatically (like in the StackOverflow answer mentioned in the beginning of the post). Or by doing something like $.ajaxSetup(cache: false) in jQuery.

The reason for that is you will disable situations where you’d want your responses to be cached. A very common example is your angular templates. They are just static .html files, and if you disable caching globally you will make the browser fetch the templates every time.

This is just an example of why it’s not a good idea to use stuff off the internet without understanding it. Although, in this particular case it’s easy to understand why it would happen. The RFC about caching is almost 50 pages long and extremely hard to digest.

Principle of reasonable expectations

by 1 Comment

Man on Computer feeling that the principle of reasonable expectations was violated

The area of design has a very elegant principle named The principle of least astonishment. Sometimes it is also referred to as The principle of least surprise. It means that you should not do something that surprises the user, such as having a close button opening a new page, a trick that many spammy websites use.

This principle is very important in design because it helps guide the creation process. It guarantees that the design that is produced is easier for the user to use.

A great thing about this principle is that it is very easy to understand and we immediately can relate to situations where we felt it was violated.

There are principles in the area of software whose goal is also to guide the final product into a state where it has some desired properties, usually that it is easy to read and that it can easily withstand change.

Unfortunately software is more abstract than design. It is  harder to visualise. Its principles are frequently misunderstood, and people tend to learn them from word of mouth. For example, the SOLID principles. Would you say most developers you know have read the original papers where they were introduced?

I, for example, have seen the single responsibility principle being invoked for the most bizarre things. One of the ones I’ve heard most often is for justifying putting everything that is remotely related in a single class, almost the opposite of what the principle means.

Maybe we need simpler principles.

Not that we don’t need the ones we already have, but maybe we can look at other areas and adapt their principles to software, especially the ones that we can visualize and relate to. These might be especially useful for novice programmers because they are easy to understand.

The principle of least surprise is one of them surely, and often people already use it in the context of software design.

Another principle that might be useful (and this one as far as I know hasn’t been used in software) is the principle of reasonable expectations.

It is a legal principle in that a contract should be interpreted as how a reasonable person (who is not trained in the law) would interpret it. It favours the objectively reasonable expectations of the weaker party (the reasonable person) even when the language of the contract does not explicitly supports them.

This principle emphasizes the “consumer” of the contract, in software we could draw a parallel with the person who has to maintain or use the code. And this person is not necessarily a different person than who wrote it. Given enough time, even the code that we wrote becomes as alien as anybody else’s.

The principle says that we should not violate reasonable expectations. Here are some examples:

In older versions of jQuery UI (1.8 for example) if you would check if a dialog was open, and it wasn’t, the method would return the DOM object that was queried instead of false, i.e.:

var isOpen = $('#theDialogContainer').dialog("isOpen");
if (!isOpen) //isOpen is a DOM object
    $('#theDialogContainer').dialog();

If this was the click handler for a button, it would never open the dialog because of how JavaScript evaluates conditions. It uses falsy and truthy values, and a DOM object is a “truthy” value.

One could almost argue that the concept of falsy and truthy values is a violation of the principle of reasonable expectations, however, because it is common knowledge for JavaScript developers it falls into a grey area. Nevertheless, no one would lose if the snippet above was rewritten this way:

var isOpen = $('#theDialogContainer').dialog("isOpen");
if (isOpen === false) {
    $('#theDialogContainer').dialog();

Other examples include things that the method does that it is not reasonable for someone to expect, for example, imagine you are using an API to control grids of elements (imagine a webpage with a dynamic grid/table of results). If this function is called: grid.select(element);, the row that contains the element gets highlighted and the page scrolls to it. The second part, the page scrolling to the row, is not something that a consumer of the API would expect just by reading the method name.

Let me just give you an example of how this can become problematic.

Say that you want to implement filtering. Every time the user filters the results, the previously selected element can be filtered out. If this happens you want the first element of the grid to become selected. It would be more than reasonable to use the select function to achieve this.

Up to this point, even after adding filtering it is unlikely that anyone using the select function would notice that it not only highlights the row where the element is at, it also causes the page to scroll to that element. This is because the filters are on top of the page, when they are used the first element is also visible, so the scroll function has no visible effect.

Time passes and a new requirement arrives for having keyboard shortcuts for commonly used filters. Now the user can cause the results to be filtered anywhere from the page. If the user scrolls to the bottom of the page and uses the shortcut to filter the results, the page sometimes (when the selected element is filtered out) jumps to the top.

The person tasked with resolving this bug will likely look for it first in the code that handles the keyboard shortcut that triggers the filtering. When that fails, it is also likely that eventually when the code that handles the filtering gets looked at, the select(element) method is not considered to be the culprit. This is because it is not reasonable to expect (unless the person solving the bug is familiar with the implementation) that selecting a element causes the page to scroll to the row that contains that element.

This problem could be solved by separating the function into two other functions and name them in a way that what they do is clear, for example, grid.highlight(element) and grid.scrollTo(element).

This example nicely illustrates why I think this principle has a place even though it may seem similar to the principle of least astonishment. It is easy to imagine whoever wrote the grid.select function to argue that it is not a surprise for the page to scroll to the row that contains the element when that element is selected. However, it is not reasonable to assume that someone who is not familiar with the implementation of the select method to expect it to have that behaviour.

Another useful thing that this principle surfaces is that if something provides no reasonable expectations, then it is a violation of the principle. Consequently, naming functions as for example handleTriggerFailed will violate the principle since there is not much that the reader of the code can infer from that method name. Other examples that apply to class names: AbstractService, SomethingManager, SomethingHelper, etc.

The principle of reasonable expectation puts the focus on the interpretation that the reader of the code is likely to have. It underlines the fact that the code’s main target audience is first the people and then the compiler. If that wasn’t the case we would all still be writing assembly.

7 tips to find code faster in a web application

by Leave a Comment

It’s difficult to locate where a certain functionality is implemented in a code base that is unfamiliar to us, and even if you are familiar with the code base, when a project grows in size (imagine 3+ years), it inevitably becomes harder to manage. Locating code takes more time, and it stops being obvious where a certain piece of functionality is implemented.

In this blog post I’ll share with you a set of tips and tricks to help you go from web page, to JavaScript code, to server side code that is responsible for rendering that page.

For the server side I’ll focus on ASP.NET MVC, which is my cup of tea. If you use any other framework I still believe they’re applicable, and if you know how to realise them in your framework of choice please feel free to chime in the comments.

Tip 1. Starting point: The Url

The Url gives a lot of information, and it is a good starting point. For example, if your web app is build using ASP.NET MVC you could take from a Url like this: http://blinkingcaret.com/Account/Login that the code that renders the page is in a Controller named AccountController, and an action (method) named Login.

The default view name in this scenario would be Login.cshtml, the same name as the action method, however this can be overridden, and the view name and it’s location can actually be arbitrary.

Speaking of defaults, even though the default behaviour in this scenario is that the controller and action name are Account and Login, respectively, this can also be overridden. MVC frameworks use the concept of a router, which is a component responsible extracting from the Url which controller and action to invoke. It is possible to specify a route other than the default one (and that route can be “Account/”) and specify an arbitrary default controller.

So, even though the Url is a good starting point, most frameworks provide mechanisms to override the default behaviour of how a Url is ultimately translated into the code that renders the view. Tip 7 provides an alternative that, at least for ASP.NET MVC, will give you the right controller and view every time (it might still be applicable to other frameworks if they have similar extensibility points).

Tip 2: Chrome developer tool’s inspector (Elements tab) for HTML/CSS

Chrome developer tools offer excellent help in finding code. They are accessible by pressing F12 (or Control+Shift+I for those used to use Firefox’s Firebug).

One straightforward way to take advantage of the dev tools to find where the code that generates the markup is located is to just inspect an element, find the snippet of markup you are interested in and then use Find in Files functionality of the IDE. I wouldn’t recommend this approach too often though. On big projects the search tends to take a reasonable amount of time, and we all know that more than 5 seconds is enough to create the temptation to open a new tab and go read random stuff on the internet. Again, tip 7, where applicable, is a better alternative.

Tip 3: Markup injected in the page via Ajax

This tip is for when there is content being injected in the page via Ajax, and you want to quickly find where is the JavaScript code responsible for it.

You can set chrome dev tools to break on “Sub tree modifications”. If you do this Chrome will break every time anything gets added or removed from the DOM and then you can follow the callstack until you find the code responsible for injecting the html in the page.

Break on subtree

Tip 4: Plain JavaScript events

It is often the case that we need to find what JavaScript is running in response to a user’s action, for example, the click of a button, or a change in a dropdown.

If the event was registered using plain JavaScript (i.e. not with jQuery), chrome dev tools has a tab, named Event Listeners, that list all the event handlers registered for the element that is selected.

PlainJs

When you are using jQuery to register events, these won’t show up in the Event Listeners tab though. It is jQuery itself that handles these events. That leads us to:

Tip 5: jQuery events

If an event was registered using jQuery and we want to check which code is running in response to it we’ll have to use jQuery’s api.

The data regarding which events are registered for which element is accessible by using the $._data method. For example, if you want to check which jQuery events are registered in the element with id="myElement" you could write this in the console:

$._data($('#myElement').get(0), "events")

Or just take advantage of the fact that in chrome dev tools the element you select in the elements tab is accessible in the console by writing $0.

jquery events

Every time you get chrome to show you a function handler in the console you can right click on it and select Show function definition and that will take you to the code that runs in. The code will open in a new tab with the same name as the file name that contains the code. You can even add breakpoints and step through the JavaScript code if required.

In jQuery there’s the notion of delegated events, where you define an event handler in a parent element and you specify a selector for the child elements. When an event is raised on a child element that matches the selector on the parent, the event handler runs, for example:

$('div#container').on("click", ":button", function(e) { console.log(e.target.id + " was clicked");});

This event handler will run every time a button is clicked inside div with id=”container”. This is very useful if the contents of the div are injected via ajax. You don’t have to register handlers for the elements inside the div this way. This has the disadvantage of making finding those handlers hard.

I’ve made a tool named findHandlersJs that will find all the jQuery event handlers that run in an element, it’s syntax is very simple findEventHandler(eventName, element(s)), for example:

findEventHandlers("click", "div#container :button")

or if you have the element selected in the Elements tab in chrome, you can simply write:

findEventHandlers("click", $0)

It returns information about not only any event handler registered in the buttons inside div with id=”container” but also any delegated event handlers that run in response to a click in that button(s).

findEventHandlersJs example

Tip 6: Client side frameworks (KnockoutJS and AngularJS)

It is possible to access a lot of information from the console even if you are using client-side frameworks such as angular or knockout to generate your client side markup.

The examples here are only for Angular and Knockout because these are the ones that I’m more familiar with, I’m sure there are equivalent methods of getting to this information with other frameworks. If you have some tips for other frameworks, feel free to share in the comments.

For KnockoutJS it is possible to get to the ViewModel, and from there you have access to the functions that run in response to the user’s actions. For example if you want to debug the code that runs in response to the user clicking a button:

knockout example

You can use the ko.dataFor(domElement) to get the ViewModel that was used. In the ViewModel you can not only access the observables, but also all the functions that are invoked in response to users’ actions. Alternatively, you can use ko.contextFor to access the specific binding context of the element.

For AngularJS, it is similar, you use the angular.element(domElement).scope() to access the angular scope for the element. From the scope you can then go to the functions that are invoked in response to the user’s actions.

angular scope

Tip 7: Leverage the extensibility points of the Framework that you are using to inject debug information when rendering the pages

Even though this example is for ASP.NET MVC, this should be applicable to any framework that has similar extensibility points.

ASP.NET MVC renders the views through a view engine, and the framework has extensibility points for new view engines to be added, in fact, out of the box it comes with two view engines, one for WebForms (.aspx) and another for Razor views (.cshtml).

I’m going to show you how you can create your own version of the Razor View Engine that adds extra debug information as html comments to the pages that are rendered.

Comments are a better solution, than say for example, wrapping a partial view inside a div with attributes because doing so could potentially interfere with css rules. Html comments are innocuous, and are rendered in a different colour in chrome dev tools which makes them easy to spot.

First you’ll have to create a new view engine class, for example RazorDebugViewEngine, that inherits from RazorViewEngine.

Next override the method that creates the (full) views (CreateView) or the one that creates partial views (CreatePartialView), or both.

We’ll override both in this example and will provide different comments for each.

Usually RazorViewEngine returns an instance of RazorView from the Create methods. We’ll provide our own RazorDebugView that we will define shortly:

public class RazorDebugViewEngine : RazorViewEngine
{
    protected override IView CreateView(ControllerContext controllerContext, string viewPath, string masterPath)
    {
        return new RazorDebugView(controllerContext, viewPath,
                     layoutPath: masterPath, runViewStartPages: true, viewStartFileExtensions: FileExtensions, viewPageActivator: ViewPageActivator);
    }

    protected override IView CreatePartialView(ControllerContext controllerContext, string partialPath)
    {
        return new RazorDebugView(controllerContext, partialPath,
                            layoutPath: null, runViewStartPages: false, viewStartFileExtensions: FileExtensions, viewPageActivator: ViewPageActivator)
        {
            IsPartialView = true
        };
    }        
}

I had to check the source code for MVC to figure out how the RazorViews were being created, it’s really great that this is open source :).

The IView interface (that RazorView implements) defines the contract for the Render method (void Render(ViewContext viewContext, TextWriter writer);) which is what ultimately renders the view. We are going to hijack that process by having the view render to a StringWriter instead so that we can access the generated html as a string.

We’ll add extra information, available from the ViewContext, to the html that was generated. Then we let the process progress as it would have otherwise by writing the generate content plus the debug information to the original TextWriter.

We’ve also added a property named IsPartialView to our RazorDebugView so that we can easily distinguish from a partial or full view.

Here’s how that looks like:

public class RazorDebugView : RazorView
{
    public bool IsPartialView { get; set; }

    public RazorDebugView(ControllerContext controllerContext, string viewPath, string layoutPath, bool runViewStartPages, IEnumerable<string> viewStartFileExtensions) 
        : base(controllerContext, viewPath, layoutPath, runViewStartPages, viewStartFileExtensions)
    {
    }

    public RazorDebugView(ControllerContext controllerContext, string viewPath, string layoutPath, bool runViewStartPages, IEnumerable<string> viewStartFileExtensions, IViewPageActivator viewPageActivator) 
        : base(controllerContext, viewPath, layoutPath, runViewStartPages, viewStartFileExtensions, viewPageActivator)
    {
    }

    public override void Render(ViewContext viewContext, TextWriter writer)
    {
        StringWriter stringWriter = new StringWriter();
        base.Render(viewContext, stringWriter);
        var renderedHtml = stringWriter.GetStringBuilder().ToString();


        string startDebugInfo;
        string endDebugInfo;
        if (IsPartialView) {
            var debugText = string.Empty;
            if (viewContext.IsChildAction)
                debugText = string.Format("ChildAction: controllerName: {0}, actionName: {1}, viewPath: {2}", viewContext.Controller.GetType(), viewContext.RouteData.Values["action"], ViewPath);
            else
                debugText = string.Format("viewPath: {0}", ViewPath);

            startDebugInfo = string.Format("\n<!-- BeginPartialView {0}  -->\n", debugText);
            endDebugInfo = "\n<!-- EndPartialView -->\n";
        }
        else
        {                
            startDebugInfo = string.Format("\n<!-- BeginView controllerName: {0}, actionName: {1}, viewPath: {2} -->\n", viewContext.Controller.GetType(), viewContext.RouteData.Values["action"],ViewPath);
            endDebugInfo = "\n<!-- EndView -->\n";
        }

        writer.Write(startDebugInfo + renderedHtml + endDebugInfo);
    }       
}

To use this new ViewEngine we have to add it. The best place to do it is in Global.asax. You can use the #if compiler directive so that you only use this view engine in debug mode. That would look like this:

public class MvcApplication : System.Web.HttpApplication
{
    protected void Application_Start()
    {
      //...

    #if DEBUG
        ViewEngines.Engines.Clear();
        ViewEngines.Engines.Add(new RazorDebugViewEngine());
    #endif
    }
}

Here’s a page using this new view engine would look like in chrome dev tools:

CustomViewEngine

That’s it. Hope these tips are useful. If you have more please share in the comments.

How to manually use the ASP.NET MVC’s client side validation infrastructure

by 2 Comments

ASP.NET MVC client side validation is based on the jQuery validation plugin. It can be said that MVC’s client-side validation is an opinionated version of how jQuery validation should work in an ASP.NET MVC project. Despite this, the underlying implementation is fully based on jQuery’s. In this blog post I’ll show you how you can take advantage of this.

Client side validation tick

ASP.NET MVC Client Side validation requirements

First, here’s the list of things you need to do to enable client-side validation in an ASP.NET MVC project Make sure your client side code is loading both:

  • jquery.validate.js
  • jquery.validate.unobtrusive.js

Make sure your web.config has the following keys in appSettings with the follwoing values:

  <appSettings>
    ...
    <add key="ClientValidationEnabled" value="true" />
    <add key="UnobtrusiveJavaScriptEnabled" value="true" />
  </appSettings>

These settings can be overridden in a controller, make sure that is not happening. For example this would turn off client side validation if executed inside a controller’s action:

public ActionResult Index()
{
    HtmlHelper.ClientValidationEnabled = false;    
    return View();
}

The next requirement is that you use attributes from System.ComponentModel.DataAnnotations in the Model class that is used in view where you want client-side validation enabled.

For example, if we want the Email field to be a valid email, and make the password and email fields required we would create a model like this:

using System.ComponentModel.DataAnnotations; 

public class LoginViewModel
{
    [Required]        
    [EmailAddress]
    public string Email { get; set; }

    [Required]                
    public string Password { get; set; }            
}

Finally, we have to use the HtmlHelpers that generate the correct markup for all of this to work, and they have to be inside a form, for example

@model LoginViewModel

<form>
    @Html.LabelFor(m => m.Email)
    @Html.TextBoxFor(m => m.Email)
    @Html.ValidationMessageFor(m => m.Email)

    @Html.LabelFor(m => m.Password)
    @Html.PasswordFor(m => m.Password)
    @Html.ValidationMessageFor(m => m.Password)
</form>

Getting away with using Client Side validation without a model

The last two requirements are actually optional. It is possible to take advantage of client side validation without having to create a model class and annotate it, which can be useful if you only use a couple of parameters (such as in the Login example).

If you inspect the markup that the helpers generate you’ll see that it’s actually pretty simple:

<input type="text" name="email" data-val="true" data-val-required="The email is required"/>
<span class="field-validation-valid" data-valmsg-for="email" data-valmsg-replace="true"></span>

It turns out that to enable client side validation without using the HtmlHelpers and a model you just have to add an input with data-val="true" and then data-val- followed by validation method that you want to apply (e.g. data-val-required), the value of which will be the error message presented to the user (e.g. data-val-required="This is the error message"). This works because the MVC’s “unobtrusive validation” works by looking for inputs that are annotated with data-val attributes.

The data-valmsg-for‘s value is the name (not the id) of the input it refers to, and data-valmsg-replace="true" just means that the default message should be replaced, for example you could have a default message for the email field:

<span class="field-validation-valid" data-valmsg-for="email" data-valmsg-replace="true">The email must be unique</span>

This message would then be replaced by any validation error that occurs in the email field, for example “The email is required”. If data-valmsg-replace="false" then the original message will never be replaced. The only consequence of an error is that the span’s class is changed from field-validation-valid to field-validation-error (this happens irrespectively of the value of data-valmsg-replace="false").

Some validation methods have parameters, for example RegularExpression. The way these work is very similar, they just need additional data-val- for their parameters. If you want to validate a text field using a regular expression for 5 to 8 digits, it would look like this:

<input type="text" name="number" id="number" data-val="true" data-val-regex="Valid input is 5 to 8 digits" data-val-regex-pattern="^\d{5,8}$"/>

If you create the markup yourself you can get away without having to create a model for your view. Using the login example from above, your controller action for handling the user logging in could simply be:

    public ActionResult Login(string email, string password)
    {           
        ...
    }

You’d have to make any server-side checks on the parameters yourself though.

Here is the list of the System.ComponentModel.DataAnnotation attributes you can use, and their data-val counterparts:

  • Compare
    • data-val-equalto="Error message"
    • data-val-equalto-other="The name of the other field"
  • CreditCard
    • data-val-creditcard="Error message"
  • EmailAddress
    • data-val-email="Error message"
  • MaxLength
    • data-val-maxlength="Error message"
    • data-val-maxlength-max="Maximum length (e.g. 5)"
  • MinLength
    • data-val-minlength="Error message"
    • data-val-minlength-min="Minimum length (e.g. 2)"
  • Range
    • data-val-range="Error message"
    • data-val-range-max="Max value"
    • data-val-range-min="Min value"
  • RegularExpression
    • data-val-regex="Error message"
    • data-val-regex-pattern="The regular expression (e.g. ^[a-z]+$)"
  • Required
    • data-val-required="Error message"
  • StringLength
    • data-val-length="Error message"
    • data-val-length-max="Maximum number of characters"

There are also a few validation methods you can use that don’t seem to have a counterpart in System.ComponentModel.DataAnnotation. In fact you get a list of all the available client side validation methods by typing (for example in chrome) dev tools console: $.validator.unobtrusive.adapters. Here’s the list of the ones that don’t have a matching attribute: date, digits, number, url, length, remote, password.

Handle the keyboard like a Pro with easykeyjs

by 3 Comments

After being asked once again to add some keyboard shortcuts to a web application, and being tired of doing things like:

$(document).keydown(function(e){
    if (e.which == 13) //enter
    reloadResults();
   else if (e.which == 37) //left arrow
    previousPage();
   else if (e.which == 39) //right page
    nextPage();
});

I decided it would be nice if I could write instead something like this:

$(document)
    .onEnterKeyDown(reloadResults)
    .onLeftArrowKeyDown(previousPage)
    .onRightArrowKeyDown(nextPage);

I looked around, and although there are plenty of libraries to handle keyboard input, none had a syntax like this. Because of this I created easykeyjs.

easykeyjs

Here are a few examples of how to use it:

Register an event handler for when F11 is pressed on an element with id="myInput" while preventing the browser from going to full screen mode:

$('#myInput').onF11KeyDown(function(e) {
    //do something in response to F11 being pressed
    e.preventDefault(); //prevent the browser from going full screen
    //e.stopPropagation(); //prevent the event from bubbling up, if you want to do both, just return false;
});

Register an event handler for pressing “Control + s”:

$(document).onSKeyDown(save, $.easyKey.options.withControlPressed);

Register an event handler for releasing “Control + s”:

$(document).onSKeyUp(printSaved, $.easyKey.options.withControlPressed);

Register an event handler for “Control + Alt + Shift + a”:

$(document).onAKeyDown(selectAll, 
        $.easyKey.options.withControlPressed 
        | $.easyKey.options.withAltPressed 
        | $.easyKey.options.withShiftPressed);

Register an event handler for i that runs both on key down and then on key up:

$(document).onKey($.easyKey.keyCodes.i,
            function(e) { $('#myInput').toggleClass("highlight"); }, 
            $.easyKey.options.onKeyDown | $.easyKey.options.onKeyUp);

To run this you need jQuery (any recent version should be fine, jQuery 1.4+).

Go download easykeyjs from here.

The github repo is here.

Promises vs Callbacks

by Leave a Comment

A few months ago I answered a question on StackOverflow that got a lot of attention, especially after I’ve submitted it to Hacker News. The question was “Why are callbacks more tightly coupled than promises?”. I did not ask that question, but the current highest voted answer is mine, however as you can read from the comments on hacker news, there’s a bit of criticism, and some of it justified.

I’ve been meaning to write this post for a while. It describes

  • What is a promise
  • What problems do promises solve
  • What can you do with promises that you can’t with callbacks

It addresses some of the criticisms I got from the hacker news’ comments, and since it’s way too long for stackoverflow I’ve decided to put it here.

I won’t argue that using promises is superior to using callbacks, I’ll leave that to your judgement. So here we go, what is a promise?

Promises are objects which represent the pending result of an asynchronous operation
Martin Fowler (source)

They are also know as deferreds or futures.

The important thing here is that promises are objects, you can hold on to a reference to them, return them in functions and pass them as arguments to other functions, basically anything you can do with an object.

More importantly, you can combine them and create new promises from old ones (more on that shortly). But first let’s compare signaling the completion of an asynchronous method with a callback and with a promise.

Promise vs Callback

//The $.ajax returns a promise. You can either use it or supply a callback function for complete and/or error
var performAjaxRequest = function(onDoneCallback){
    return $.ajax(someUrl, {
        complete: onDoneCallback
    });
};

var performRequestUsingCallback = function(){
    performAjaxRequest(function(){ alert('Complete callback');});
};

var performRequestUsingPromise = function(){
    var performingRequest = performAjaxRequest();
    performingRequest.done(function(){
        alert('Promise done');
    });
};

I’ve added the performAjaxRequest function so it would match this example in jsFiddle using a fake ajax request.

Before I delve into the details of this example, let me first highlight a point that might be confusing. In jQuery there is the concept of Promise and Deferred, and they are not exactly the same thing (if you look at the jsfiddle example, you’ll see a deferred being created). They both represent an asynchronous operation, however a Deferred exposes methods to signal its completion (.resolve) or its failure (.reject). A promise is exactly the same thing without those methods. You can get hold of a promise by calling deferred.promise().

Things to note in this example:

  • You can call .done on a promise, the callback you supply will run after the asynchronous operation that the promise represents finishes (here’s the doc page for .done). This is implemented by calling .resolve or .resolveWith on the jQuery Deferred object.

When .resolve is called on a deferred it is possible to supply parameters, for example deferred.resolve(42). This will trigger a call on .done with the value 42, i.e., .done(function(x){ //x is 42}). For example, in $.ajax the deferred is resolved with (data, textStatus, jqXHR).

You can also call .fail, .always and .then on a promise:

  • .fail is called when the .reject method is called on the deferred object that represents the promise.
  • .always is called when .reject or .resolve are called in the deferred object
  • .then is special. It can do two things (and this is not clear in the jQuery documentation and depends on the version of jQuery), but the important thing to be aware is that .then always returns a new promise. The examples later in the post will make this clear.

This last example is not terribly interesting, however notice that when using promises the handling of the completion of the operation can be specified after the invocation of the asynchronous operation, for example:

showLoadingScreen();
var loadingData = loadData().done(refreshDataOnScreen, updateCounters)
                            .fail(logError, displayErrorMessage)
                            .always(hideLoadingScreen);

loadingData.done(doSomethingWithTheData);

NOTE: gettingData.done(doSomethingWithTheData); is shorthand for gettingData.done(function(data){doSomethingWithTheData(data);});.

The major difference between using a callback and a promise that this example highlights is that with the callback you only have one opportunity to provide the function that runs on completion (or error), whereas with a promise you can add several functions at different points in your code.

NOTE: when done, fail and always are supplied more than one function, those functions are executed in the order they are supplied (also, promise.done(fn1, fn2) is the same as promise.done(fn1).done(fn2)).

Another thing that you can do with promises that is enabled by them being objects is to create promises from promises. For example:

$.when(loadDataFromSourceA, loadDataFromSourceB).done(refresh);

$.when returns a new promise that is “resolved” when all its promises are resolved, and is “rejected” as soon as one of its promises is rejected (in the example when’s promises are loadDataFromSourceA and loadDatafromSourceB).

Although done, fail and always return promises, when is the first example where a new promise is returned, another example is .then.

.Then

.then is described in the documentation as a way to filter the result of a promise, for example:

var newPromiseCreatedWithThen = loadData().then(function(data) { return data.length});
newPromiseCreatedWithThen.done(function(dataLength) { 
    //dataLength is the length of data in the original promise 
};);

However, that’s not its most useful feature. You can return a new promise from from the callback you supply to.then. If you do that, it won’t act as a “filter”. It will act as a way of chaining asynchronous calls, i.e.:

loadDataFromA().done(refreshDataFromA)
               .then(function(dataFromA){ return loadDataFromB(dataFromA) })
               .done(refreshDataFromB);

The refreshDataFromA function will run as soon as loadDataFromA finishes. The call to loadDataFromB will start after loadDataFromA finishes, and refreshDataFromB will run at the end, after loadDataFromB finishes. This is useful in scenarios where you need the result of an asynchronous operation in order to perform the next asynchronous operation. When used this way the function name (.then) actually makes sense (here’s an example that compares .done and .then and shows that returning a promise from .then is given “special” treatment).

This behavior is actually described in the documentation for .then:

These filter functions can return a new value to be passed along to the promise’s .done() or .fail() callbacks, or they can return another observable object (Deferred, Promise, etc) which will pass its resolved / rejected status and values to the promise’s callbacks

However, as you can see, it’s very easy to miss (and in my opinion, not very clear).

A last note about .then. It might be tempting to say that it provides a solution to “callback hell”, for example:

$.ajax("loadDataUrl", {
    complete: function() {
        $.ajax("loadMoreData", {
            complete: function() {
            ....

Although it is true that if you use .then you won’t have nested callbacks, it is also true that there are ways of not rewriting this last example withough promises and nested callbacks. In fact, anything you can do with promises, you can do without.

Finding out where in a codebase a jQuery event is being registered and unregistered with the special events api

by Leave a Comment

jQuery allows you to define extra functionality around events, namely it is possible to define behavior that happens when the first event handler is registered (setup), each time a new event handler is added (add), removed (remove) and when the last event handler is removed (teardown).

This is how, for example, you take advantage of the special event’s api for the click event:

jQuery.event.special.click = {  
    setup: function(data, namespaces, handler) { },
    add: function(handlerObj) { },
    remove: function(handlerObj) { },
    teardown: function(namespaces) { },
    _default: function (event) { }
};

If you are wondering how the special events api is normally used, think of this scenario: you want all elements that have a click event handler registered in them to show a “hand” when the mouse hovers over them (this might be useful if you want to make a div clickable, which usually does not display any visual cues that let the user know that the div can be clicked). You also want this effect to go away as soon as the last event handler is unregistered.

You can achieve this without using the special events api by setting the cursor property when you register and unregister the click event:


    $('#myElement').css("cursor", "pointer"); 
    $('#myElement').on("click", function(){    
       //...
    };

The resetting of the cursor is more complicated, you’d have to keep track of the event handlers and remove it when you remove the last handler.

With special events it’s simple:

jQuery.event.special.click = {
    setup: function(){
        $(this).css("cursor", "pointer");
        return false; //this is important because click is a native event. It instructs 
                      //jQuery to use native DOM methods to register and unregister 
                      //the event (for custom events you don't need to return anything)  
    };
    teardown: function(){
        $(this).css("cursor", "");
        return false; //same as above
    };
};

Try it here

If you want to really understand the special events api, and really understand the example I suggest you read this

What does all this have to do with the title of this post? You can add debugger statements in any of the special event’s api methods, namely on add and remove so that you can find out (looking at the stack trace in chrome’s developer tools) where an event handler was registered and/or unregistered. This might be useful in large codebases that you are not familiar with, especially when someone decides to do something like $(someSelector).off() (which will deregister all events) and you are left wondering why your custom event isn’t firing.

The way to do it is to include the following snippet at the head of the page (after you include jQuery) you are analysing:

<head>
    <!-- after including jQuery -->
    <script>
        $.event.special.YourCustomEvent = {
            add: function() {debugger;},
            remove: function(){debugger;}
        };
    </script>

You can then, using chrome with the developer tools’ console open, navigate to the page and have the execution break every time a handler for YourCustomEvent is registered and unregistered.

Quickly finding and debugging jQuery event handlers with findHandlersJS

by 9 Comments

tl;dr: Finding event handlers registered using jQuery can be tricky. findHandlersJS makes finding them easy, all you need is the event type and a jQuery selector for the elements where the events might originate. Examples can be found here. A working page with findHandlersJS loaded and ready to try can be found here.

Events and event handling are an important part of client-side development. Frequently we are tasked with changing their behavior and part of that process involves locating which methods handle which events. Unfortunately sometimes they can be difficult to locate, especially when we are dealing with a code base that we are not familiar with.

In this blog post I’ll describe an alternative that hopefully makes finding event handlers easier, in particular, event handlers registered using jQuery.

But first let’s look at how we can register an event handler using javascript.

Registering events and event bubbling with plain javascript

You can add event handlers in javascript using the addEventListnerMethod:

Html


<input type="button" id="myButton" value="Click me"/>
<span id="myLabel"></span>

Javascript

document.getElementById('myButton').addEventListener("click", function(event){
  //this is the event handler for the click event in myButton
  document.getElementById('myLabel').innerText=event.target.id + " was clicked";
});

Check it out here

One important thing to be aware about events is that they bubble. What this means is that every element in the hierarchy until the root element of the html will have a chance to handle the event.

Imagine this is describes your html page:

document
  div
    p
      button

You can register an event handler on the button, in the paragraph that contains the button, the div that contains the paragraph or the document itself. They will all “see” the event. This is the reason why it is sometimes difficult to find where the particular event we are interested in is being handled. The next example exhibits the same behaviour as the first:

Html


<input type="button" id="myButton" value="Click me"/>
<span id="myLabel"></span>

Javascript

document.addEventListener("click", function(event){
  //this is the event handler for the click event that will be used if you click any element in the page
  document.getElementById('myLabel').innerText=event.target.id + " was clicked";
});

Try it here

Although this seems to produce the same end result, if you would go look for the event handler in the button itself, you would not find it.

Why would you use this technique then? This technique is popular when parts of the web page are injected via ajax calls. The document object is part of the page’s header object so you can always rely on document being available (which is handy if part of the webpage is going to be fetched sometime in the future), and register your event handlers there.

Registering direct and delegated events using jQuery

With jQuery, event handlers are registered using the .on keyword.

jQuery makes the distinction between event handlers that only handle events triggered in the element they were registered on (direct events handlers) and event handlers that handle events that were triggered in a subset of the children of the element they were registered in (delegate event handlers). The subset of the children is specified through a jQuery selector.

Here’s an example of a direct event handler that handles clicks in a button:

Html


<input type="button" id="myButton" value="Click me"/>
<span id="myLabel"></span>

Javascript

$(function () {
  $('#myButton').on("click", function (event) {
    $('#myLabel').text(event.target.id + " was clicked");
  });
});

Try it here

Here’s an example of a delegate event handler that handles clicks in all buttons that exist now or that might be added in the future in the whole page:

Delegated events

Html


<input type="button" id="myButton" value="Click me"/>
<span id="myLabel"></span>

Javascript

$(function () {
  $(document).on("click", ":button", function (event) {
    $('#myLabel').text(event.target.id + " was clicked");
  });
});

Try it here

The best place to find out more about delegate and direct events is the .on documentation page.

Finding event handlers using Chrome dev tools

Browser dev tools help you find event handlers, for example in Chrome you can right click anywhere in the page, for example on a button, and select “Inspect Element”. The event handlers will be shown in the Event Listeners tab (right side of the elements tab).

Event Listeners tab on chrome

A very handy feature of the tooling is that you can right click the “handler” and select show function definition:

Show Function Definition on Chrome

You can then add breakpoints and debug the event handlers. However if you use events registered with jQuery, you will see jQuery’s event handler. This is because jQuery adds additional functionality to the normal event handlers. This is one of the complicating factors that makes finding the actual event handlers we are interested in more difficult.

If you use findHandlersJS instead you’ll get directly to the actual event handlers.

findHandlersJS (works best in chrome)

The idea is that by specifying an event type (e.g. “click”), and which elements you are interested in, using a jQuery selector, you get all the event handlers that are triggered when you click one of the elements that are covered by the selector you specified.

Here’s an example

Imagine you are working on this web page:

simple form with save and cancel buttons

And you want to debug the event handler for the Save button. After you include findHandlersJS you could write in chrome’s console:

findEventHandlers("click", ":button:contains('Save')")

That would provide you with the following information

save button information from findHandlersJS

  • element
    The actual element where the event handler was registered in
  • events
    Array with information about the jquery event handlers for the event type that we are interested in (e.g. click, change, etc)

    • handler
      Actual event handler method that you can see by right clicking it and selecting Show function definition
    • selector
      The selector provided for delegated events. It will be empty for direct events.
    • targets
      List with the elements that this event handler targets. For example, for a delegated event handler that is registered in the document object and targets all buttons in a page, this property will list all buttons in the page. You can hover them and see them highlighted in chrome.

You can then hoover over the element property and chrome will highlight the element where the event handler was registered:

highlight of element where the save event handler was registered

You can also hover over function on the handler property and select Show function definition. That will show you the source code for that event handler. You can add breakpoints and debug the event handler method.

click show function definition source code for save

More examples:

findEventHandlers(“click”, “div#itemList :button”) would return information about all the jquery event handlers (direct or delegated) that handle a click in the buttons inside a div with id “itemList”.

 

findEventHandlers(“click”, “*”) returns all click event handlers, including those registered on the document object

 

findEventHandlers(“change”, document) returns the change event handlers registered on the document object

 

findEventHandlers(“addNewItem”, “div#items :button:nth(3)”) all event handlers that handle the custom event addNewItem for the the fourth button inside the div with id=”items”

Try these examples here.

You can get findHandlersJS in github here. You can just copy and paste the raw javascript code to chrome’s console window and just start using it, or if you want to use it in your project just make sure you add it after jQuery (I’ve tested it in versions >= 1.7.1. Might also work with older versions).

Any comments/suggestions are welcomed.