Retrieve Correct id from Backend by using Authorization

JJ TT 141 Reputation points
2022-03-27T14:05:05.217+00:00

Goal:
End user retrieve correct and its own customerid without getting others customerid when it occur at the same time.
Everything take place at the backend.

Background:
Today, you get your token from backend and it will be sent to frontend. The token alreadly contain the customerid.

The same token is locaated at the method named GetAll() in the backend.

It is not only a single ActionResult that need to contain customerid as a parameter.

You are enable to retrieve the customerid at the backend without sending the customerid from frontend to backend with help of method named GetAll().

Problem:
When you have for instance 2 or more end user that will login at the same time. In the next step is to make a request call for the method named GetAll() in order to retrieve the customerid at the same time.
WIll the end user retrieve the correct customerid from backend?

Question:
How is the securit that this user A will retrieve correct customerid without retrieving customerid from user B?
Each user should retrieve the correct customerid from the method GetAll().

Thank you!


using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;

namespace WebApplication10.Controllers
{
    [AllowAnonymous]
    [ApiController]
    [Route("api/v1/[controller]")]
    public class AuthController : Controller
    {
        [HttpPost("AlphaClientLogin")]
        [AllowAnonymous]
        public ActionResult<ClientToken> AlphaClientLogin([FromBody] User user)
        {
            if (user.Username == "userAlpha" && user.Password == "123")
            {
                return AlphaTokenService.GenerateToken(user);
            }
            else
            {
                return Unauthorized(new { message = "Invalid Username or password" });
            }
        }
    }


    [Route("api/v1/[controller]")]
    [ApiController]
    [Authorize(AuthenticationSchemes = "AlphaClient")]
    public class TestController : Controller
    {
        /// <summary>
        /// https://localhost:38744/api/v1/Test/Test2
        /// </summary>
        /// <returns></returns>
        [HttpGet("Test2", Name = "Test2")]
        public async Task<ActionResult<Int32>> Test2(string customerid)
        {
            return 3;
        }

        [HttpGet]
        [Authorize]
        public IActionResult GetAll()
        {
            var user = User?.Identity?.Name;
            var id = User?.Claims.FirstOrDefault(c => c.Type == "customerid")?.Value;

            return Ok(new { username = user, customerid = id });
        }       
    }



    public class ClientToken
    {
        public string Token { get; set; }
        public DateTime DateExpiration { get; set; }
    }

public void ConfigureServices(IServiceCollection services)
{
    services.AddControllers();
    services.AddSwaggerGen(c =>
    {
        c.SwaggerDoc("v1", new OpenApiInfo { Title = "WebApplication10", Version = "v1" });
    });


    services.AddAuthentication().AddJwtBearer("AlphaClient", options => {
        options.TokenValidationParameters = new TokenValidationParameters()
        {
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("myunlegiveblealphasecret")),
            ValidAudience = "AudienceClientAlpha",
            ValidIssuer = "IssuerClientAlpha",
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.Zero
        };
    });
}
ASP.NET Core
ASP.NET Core
A set of technologies in the .NET Framework for building web applications and XML web services.
3,756 questions
{count} votes