Authorisation
zysim edited this page May 15, 2022 · 1 revision
This is a WIP for now, to keep track of what I've done in the authZ PR. Also, "authorisation" is spelt "authorization" in the code.
- We use JWTs for authN and authZ
- We currently have three user types:
  - admins;
  - mods; and
  - normal users.
We use policy-based authz, where a policy maps to a user type. All authz-related files are in LeaderboardBackend/Authorization:

```
LeaderboardBackend/Authorization
├── JwtSecurityTokenHandlerSingleton.cs   // For UserTypeAuthorizationHandler
├── MiddlewareResultHandler.cs            // To return 404s on Forbiddens
├── TokenValidationParametersSingleton.cs // Parameters for JWT validations
├── UserTypeRequirement.cs                // Requirement data class for policies
├── UserTypeAuthorizationHandler.cs       // Policy handler
└── UserTypes.cs                          // Data class listing our user types
```
The default and fallback policies only check that a valid, authenticated user is calling the endpoint. Actions that any signed-in user may call therefore carry no [Authorize] attribute at all; the fallback policy already applies to them, so an endpoint is never left open by forgetting the attribute. Actions restricted to admins or mods name the matching policy explicitly, e.g. [Authorize(Policy = UserTypes.Admin)] above the action.
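To show how the pieces in the tree above fit together, here is an added illustrative sketch of the policy-based setup in C#. It is not the project's code: the class names follow the file names listed above, but the bodies, the `user_type` claim name, the `AddUserTypeAuthorization` extension method and the way policies are registered are assumptions made for this example. JWT bearer authentication itself (the token handler and validation parameters singletons) is left out.

```csharp
// Added example, not LeaderboardBackend's own code. Class names follow the tree above;
// bodies, the "user_type" claim name and AddUserTypeAuthorization are assumptions.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Policy;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class UserTypes
{
    public const string Admin = "Admin";
    public const string Mod = "Mod";
    public const string User = "User";
}

// Requirement data class: carries the user type a policy demands.
public class UserTypeRequirement : IAuthorizationRequirement
{
    public string Type { get; }
    public UserTypeRequirement(string type) => Type = type;
}

// Policy handler: the policy is satisfied only when the caller's (already validated)
// JWT carries the required user type. The claim name is an assumption for this example.
public class UserTypeAuthorizationHandler : AuthorizationHandler<UserTypeRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, UserTypeRequirement requirement)
    {
        var claim = context.User.FindFirst("user_type");
        if (claim is not null && claim.Value == requirement.Type)
        {
            context.Succeed(requirement);
        }
        // No Fail(): an unmet requirement simply leaves the policy unsatisfied.
        return Task.CompletedTask;
    }
}

// Turn a Forbidden result into a 404 so an authenticated but unprivileged caller
// cannot tell a protected endpoint apart from one that does not exist.
public class MiddlewareResultHandler : IAuthorizationMiddlewareResultHandler
{
    private readonly AuthorizationMiddlewareResultHandler _default = new();

    public Task HandleAsync(RequestDelegate next, HttpContext context,
        AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult)
    {
        if (authorizeResult.Forbidden)
        {
            context.Response.StatusCode = StatusCodes.Status404NotFound;
            return Task.CompletedTask;
        }
        // Challenge (401) and success keep the framework's default behaviour.
        return _default.HandleAsync(next, context, policy, authorizeResult);
    }
}

public static class AuthorizationSetup
{
    // Hypothetical registration helper; call from Program.cs / Startup.cs.
    public static IServiceCollection AddUserTypeAuthorization(this IServiceCollection services)
    {
        services.AddSingleton<IAuthorizationHandler, UserTypeAuthorizationHandler>();
        services.AddSingleton<IAuthorizationMiddlewareResultHandler, MiddlewareResultHandler>();

        services.AddAuthorization(options =>
        {
            // Deny by default: every endpoint needs a valid, authenticated user
            // unless it is explicitly marked [AllowAnonymous].
            var authenticated = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
            options.DefaultPolicy = authenticated;  // used by a bare [Authorize]
            options.FallbackPolicy = authenticated; // used when no attribute is present

            // One policy per privileged user type, named after the type so that
            // [Authorize(Policy = UserTypes.Admin)] reads naturally on an action.
            options.AddPolicy(UserTypes.Admin, p => p
                .RequireAuthenticatedUser()
                .AddRequirements(new UserTypeRequirement(UserTypes.Admin)));
            options.AddPolicy(UserTypes.Mod, p => p
                .RequireAuthenticatedUser()
                .AddRequirements(new UserTypeRequirement(UserTypes.Mod)));
        });
        return services;
    }
}
```

With this wiring, a controller action with no attribute is reachable by any authenticated user via the fallback policy, `[Authorize(Policy = UserTypes.Admin)]` restricts an action to admins, and a mod calling that admin action gets a 404 rather than a 403. Anything that should be public (e.g. a login endpoint) must opt out explicitly with `[AllowAnonymous]`, which is the point of setting a fallback policy.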
Thanks for considering contributing to LB.GG 😌