Authentication
Initial user authentication is handled through Google Auth. The reasons behind this decision are detailed here.
The Google Auth Workflow utilised is as follows:
Authentication for subsequent requests is handled through JWT. This is set up to use the UserId as the claim.
Ensure that the userId is never returned to the frontend for increased security.
Endpoints which do not require authentication should have the [AllowAnonymous] annotation added to the method. The userId claim can be resolved as follows (the null-conditional call avoids an exception when an anonymous caller has no ClaimsIdentity):
ClaimsIdentity identity = HttpContext.User.Identity as ClaimsIdentity;
Claim claim = identity?.FindFirst(ClaimTypes.NameIdentifier);
int? userId = claim == null ? null : (int?)int.Parse(claim.Value);
Endpoints which require authentication should have the [Authorize] annotation added to the method. The userId claim can be resolved as follows:
ClaimsIdentity identity = HttpContext.User.Identity as ClaimsIdentity;
int userId = int.Parse(identity.FindFirst(ClaimTypes.NameIdentifier).Value);
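As an added example that is not the project's own code, the two endpoint patterns above can share one null-safe helper so that a missing or malformed claim never throws. The controller, its routes, the TryGetUserId extension and the display-name lookup are hypothetical; JWT bearer validation is assumed to be configured in the application's startup.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

// Hypothetical helper: resolves the NameIdentifier (userId) claim without
// throwing when the principal has no ClaimsIdentity or the value is not an int.
public static class UserIdClaimExtensions
{
    public static int? TryGetUserId(this HttpContext context)
    {
        var identity = context.User?.Identity as ClaimsIdentity;
        var claim = identity?.FindFirst(ClaimTypes.NameIdentifier);
        if (claim == null || !int.TryParse(claim.Value, out var userId))
            return null; // anonymous caller, or a malformed claim value
        return userId;
    }
}

[ApiController]
[Route("api/[controller]")]
public class ProfileController : ControllerBase
{
    // Constructed sample data standing in for a database lookup.
    private static readonly Dictionary<int, string> DisplayNames =
        new Dictionary<int, string> { { 1, "Alice" }, { 2, "Bob" } };

    // Reachable without a token, so userId may legitimately be null.
    [AllowAnonymous]
    [HttpGet("greeting")]
    public IActionResult Greeting()
    {
        int? userId = HttpContext.TryGetUserId();
        return Ok(userId == null ? "Hello, guest" : "Hello, signed-in user");
    }

    // [Authorize] guarantees a validated JWT, so the claim should be present;
    // its absence here means the token was issued without the userId claim.
    [Authorize]
    [HttpGet("me")]
    public IActionResult Me()
    {
        int? userId = HttpContext.TryGetUserId();
        if (userId == null || !DisplayNames.TryGetValue(userId.Value, out var name))
            return StatusCode(StatusCodes.Status500InternalServerError);
        // userId is used only for the lookup and is never placed in the response.
        return Ok(new { displayName = name });
    }
}
```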
The JWT token can be added to requests from the frontend as follows:
"Authorization": "Bearer <jwt-token>"
The createHeader method in header-util.js has been implemented to create the correct header structure. This should be used and added to the axios request.
Documentation detailing how to create integration tests for authenticated endpoints can be viewed here.
Jainal Gandhi | Harman Lamba | Eric Leung | Salma Sanad
Made with love 👨👨👧👦💖