Re: Securing a multitenant-api based on app/subscriptions/modules/roles


Andrew B

Sep 9, 2016, 5:26:17 PM
to API Craft
What's your question?


On Friday, 9 September 2016 16:48:11 UTC+12, AR wrote:
My API uses JWT (encrypted). It contains the user role, user id and tenant id.

I am already done with securing cross-tenant access. I just compare the tenant id of the resource being requested to the tenant id on the token.

I have the following data relationships:

1. An application has a module.
2. A tenant has a subscription.
3. A subscription has multiple applications. (each subscription has different modules activated for each application)
4. A tenant has multiple users
5. A tenant has multiple roles
6. A tenant has roles mapped to a particular module. (Can only map modules that are activated on the current subscription for a specific application.)

I have a management portal to manage all data (this is considered as an application). It is a SPA built with AngularJS. I want to secure specific modules based on these relationships.

On my WebAPI, this is my current solution: I decorate each endpoint with an ActionFilterAttribute that takes the module name as a parameter. Inside that filter attribute I get the current user's available modules and check whether the module given in the parameter is in that list.

    using System;
    using System.Configuration;
    using System.Linq;
    using System.Web.Http.Controllers;
    using System.Web.Http.Filters;
    using Microsoft.AspNet.Identity; // GetUserId() extension
    // UserService, GetCurrentUserDetailsRequest, AsGuid() and AccessDeniedException
    // are the application's own types; their namespaces are not shown in the post.

    [AttributeUsage(AttributeTargets.Method | AttributeTargets.Class)]
    public class ModuleFilterAttribute : ActionFilterAttribute
    {
        private readonly string _module;
        private UserService _userService;

        public ModuleFilterAttribute(string module)
        {
            // Was "_module = _module;" (a self-assignment), which left _module null
            // and made the filter skip the module check on every request.
            _module = module;
            _userService = new UserService();
        }

        public override void OnActionExecuting(HttpActionContext filterContext)
        {
            if (!string.IsNullOrEmpty(_module))
            {
                // Look up the modules activated for the current user in this application.
                var request = new GetCurrentUserDetailsRequest
                {
                    RequestId = filterContext.RequestContext.Principal.Identity.GetUserId(),
                    AppId = ConfigurationManager.AppSettings["ApplicationId"].AsGuid()
                };

                var userDetails = _userService.GetCurrentUserDetails(request);
                var modules = userDetails.UserDetails.Module.Select(s => s.Code).ToList();

                // Deny when the endpoint's module is not in the user's activated list.
                if (!modules.Any(s => s.Equals(_module)))
                {
                    throw new AccessDeniedException();
                }
            }

            base.OnActionExecuting(filterContext);
        }
    }



My dilemma is that on a certain module (page) I use different endpoints, and some of these endpoints are also used on other pages. An application module page has all the CRUD endpoints. A subscription module page has all the CRUD endpoints, but also a dropdown that uses the application endpoint to list all available applications.
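An added example, not AR's code or any project's, of one way to handle an endpoint that several module pages share: a Web API 2 authorization filter that accepts several module codes with any-of semantics and reads the caller's activated modules from claims already present on the validated token, so the shared application-listing endpoint is tagged with both modules while mutating endpoints stay single-module. The claim type name `module`, the `ModuleAuthorize` name and the sample controller are assumptions.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Any-of module check: allow when the caller has at least one of the listed modules.
// An authorization filter runs before action filters and the action itself, so it fails closed.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class)]
public class ModuleAuthorizeAttribute : AuthorizationFilterAttribute
{
    // Claim type is an assumption; it must match what the token issuer emits.
    public const string ModuleClaimType = "module";
    private readonly string[] _modules;

    // An empty list grants nobody access, so a misconfigured attribute fails closed.
    public ModuleAuthorizeAttribute(params string[] modules) { _modules = modules ?? new string[0]; }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;
        if (principal?.Identity?.IsAuthenticated != true)
        {
            actionContext.Response = actionContext.Request.CreateErrorResponse(
                HttpStatusCode.Unauthorized, "Authentication required.");
            return;
        }
        // One "module" claim per module activated for this user's tenant subscription and role.
        var granted = principal.FindAll(ModuleClaimType).Select(c => c.Value);
        if (!granted.Any(g => _modules.Contains(g, StringComparer.OrdinalIgnoreCase)))
        {
            // Deny without revealing which module would have been required.
            actionContext.Response = actionContext.Request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Access denied.");
        }
    }
}

// The listing endpoint is reused by the subscription page's dropdown, so it is tagged
// with both modules; the mutating endpoint stays single-module.
public class ApplicationsController : ApiController
{
    [HttpGet, ModuleAuthorize("Application", "Subscription")]
    public IHttpActionResult List() => Ok(new[] { "app-a", "app-b" }); // constructed sample data

    [HttpPost, ModuleAuthorize("Application")]
    public IHttpActionResult Create() => Ok();
}
```

The tenant-id comparison AR already does stays a separate check on the resource, since module claims say what the caller may use, not which tenant's rows they may touch.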

Andrew B

Sep 12, 2016, 4:37:30 PM
to API Craft
To me your question is really broad, which makes it hard to answer. I like the stackoverflow guidelines for questions http://stackoverflow.com/help/how-to-ask:

Pretend you're talking to a busy colleague and have to sum up your entire question in one sentence: what details can you include that will help someone identify and solve your problem? Include any error messages, key APIs, or unusual circumstances that make your question different from similar questions already on the site.


On Saturday, 10 September 2016 15:56:51 UTC+12, AR wrote:
Sorry, my question is: how should I implement this? Any suggestions? I need help solving my problem.

My dilemma is that on a certain module (page) I use different endpoints, and some of these endpoints are also used on other pages. An application module page has all the CRUD endpoints. A subscription module page has all the CRUD endpoints, but also a dropdown that uses the application endpoint to list all available applications.
