
I have an endpoint in my API like: api/users/{:userId}/...

I only want the user with userId to have access to his own endpoint and not to the endpoints of any other user.

I implemented a JWT Bearer token, which is used for authorization. I get the id from it and check if it matches the route the user wants to access:

[HttpGet("{userId:int}"), Authorize]
public async Task<ActionResult> GetUserById([FromRoute] int userId)
{
    // NameIdentifier is filled from the validated bearer token's subject claim.
    // Guard the parse so a token without the claim gives 401 instead of a 500.
    if (!int.TryParse(User.FindFirstValue(ClaimTypes.NameIdentifier), out var id))
        return Unauthorized();

    // A caller may only read the record whose id matches their own token.
    if (id != userId)
    {
        return BadRequest("Access denied.");
    }

    var user = await unitOfWork.UserRepository.GetUserByIdAsync(userId);

    if (user == null)
        return NotFound("User not found");

    return Ok(user);
}

Now, I don't think this is the correct approach. The token can easily be tampered with and the id changed. How else could I do this?
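Added example, not code from the question or from ASP.NET Core: a self-contained Python model of what the JwtBearer middleware does before the controller's id comparison runs. The signing key and user ids are constructed values, and `authorize_route` is a hypothetical stand-in for the endpoint. A token whose `sub` claim is rewritten without the signing key fails signature validation, so the request never reaches the comparison; the comparison itself is the right check once the token has been validated.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-signing-key"  # constructed; real keys come from configuration

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id: int, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT whose 'sub' claim carries the user id (the issuer's job)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": str(user_id)}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, secret: bytes = SECRET) -> Optional[dict]:
    """Return the claims only if alg is HS256 and the signature checks out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # refuse 'none' and any algorithm the server did not choose
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None

def rewrite_sub(token: str, new_user_id: int) -> str:
    """Change the 'sub' claim but keep the old signature: all a client without the key can do."""
    header_b64, _, sig_b64 = token.split(".")
    payload = _b64url(json.dumps({"sub": str(new_user_id)}).encode())
    return f"{header_b64}.{payload}.{sig_b64}"

def authorize_route(token: str, route_user_id: int) -> int:
    """Endpoint model: 401 if the token fails validation, 403 if sub is another user, else 200."""
    claims = verify_token(token)
    if claims is None:
        return 401
    if claims.get("sub") != str(route_user_id):
        return 403
    return 200
```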


Tags: c, Denying access to users on an ASP.NET Core Web API endpoint, Stack Overflow