My API uses JWT (encrypted). It contains the user role, user ID and tenant ID.
I am already done with securing cross-tenant access: I just compare the tenant ID of the resource being requested to the tenant ID in the token.
I have the following data relationships:
1. An application has a module.
2. A tenant has a subscription.
3. A subscription has multiple applications (each subscription has different modules activated for each application).
4. A tenant has multiple users
5. A tenant has multiple roles
6. A tenant has roles mapped to a particular module (it can only map modules that are activated on the current subscription for a specific application).
I have a management portal to manage all of this data (it is considered an application). It is a SPA built with AngularJS. I want to secure specific modules based on these relationships.
On my Web API, this is my current solution: I decorate each endpoint with an ActionFilterAttribute that takes the module name as a parameter. Inside that filter attribute I get the current user's available modules and check whether the module given in the parameter is in that list.
using System;
using System.Configuration;
using System.Linq;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using Microsoft.AspNet.Identity;   // GetUserId() extension on IIdentity

[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class)]
public class ModuleFilterAttribute : ActionFilterAttribute
{
    private readonly string _module;          // module code this endpoint requires
    private readonly UserService _userService;

    public ModuleFilterAttribute(string module)
    {
        _module = module;
        _userService = new UserService();
    }

    public override void OnActionExecuting(HttpActionContext filterContext)
    {
        if (!string.IsNullOrEmpty(_module))
        {
            // Look up the modules available to the current user for this application.
            var request = new GetCurrentUserDetailsRequest
            {
                RequestId = filterContext.RequestContext.Principal.Identity.GetUserId(),
                // AsGuid() is a project-specific extension method
                AppId = ConfigurationManager.AppSettings["ApplicationId"].AsGuid()
            };
            var userDetails = _userService.GetCurrentUserDetails(request);
            var modules = userDetails.UserDetails.Module.Select(s => s.Code).ToList();

            // Deny the request when the required module is not in the user's list.
            if (!modules.Any(s => s.Equals(_module)))
            {
                throw new AccessDeniedException();
            }
        }
        base.OnActionExecuting(filterContext);
    }
}
My dilemma is that on a certain module (page) I use different endpoints, and some of these endpoints are also used on other pages. An application module page has all the CRUD endpoints. A subscription module page has all the CRUD endpoints, but also a dropdown that uses the application endpoint to list all available applications.
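One way to express the shared-endpoint situation from the question in code, as an added example that is not the asker's code: the filter accepts several module codes and grants access when the caller holds any of them, so the application list endpoint can be tagged with both the Application and the Subscription module while the mutating endpoints keep a single module. The example runs as an AuthorizationFilterAttribute (which ASP.NET Web API 2 executes before model binding and before action filters) instead of an ActionFilterAttribute, resolves the lookup service from the request's dependency scope rather than constructing it in the attribute, and keys the lookup on the tenant as well as the user because, per the relationships above, role-to-module mappings are per tenant. `IModuleAccessService`, the `tenant_id` claim name and `ApplicationsController` are assumptions for illustration; the `ApplicationId` app setting is taken from the post.

```csharp
using System;
using System.Configuration;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Assumed abstraction over the post's UserService (hypothetical interface):
// returns the module codes the user may use for this tenant and application.
public interface IModuleAccessService
{
    string[] GetAllowedModules(string userId, string tenantId, Guid appId);
}

// Runs in the authorization stage, before model binding and ActionFilterAttributes.
// The action is allowed when the caller holds ANY of the listed modules, so an
// endpoint shared by several pages lists every module whose page calls it.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false)]
public sealed class RequireModuleAttribute : AuthorizationFilterAttribute
{
    // Assumed name of the JWT claim carrying the tenant id (the post does not name it).
    private const string TenantClaim = "tenant_id";
    private readonly string[] _modules;

    public RequireModuleAttribute(params string[] modules)
    {
        if (modules == null || modules.Length == 0)
            throw new ArgumentException("At least one module is required.", nameof(modules));
        _modules = modules;
    }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }

        var userId = principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        var tenantId = principal.FindFirst(TenantClaim)?.Value;
        if (string.IsNullOrEmpty(userId) || string.IsNullOrEmpty(tenantId))
        {
            // A token without a user or tenant never reaches the module lookup.
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
            return;
        }

        // Resolve the service from the Web API dependency scope instead of new-ing it
        // in the attribute, so it can be swapped in tests and is not built per attribute.
        var service = (IModuleAccessService)actionContext.Request.GetDependencyScope()
            .GetService(typeof(IModuleAccessService));
        if (service == null)
            throw new InvalidOperationException("IModuleAccessService is not registered.");

        var appId = Guid.Parse(ConfigurationManager.AppSettings["ApplicationId"]);
        var allowed = service.GetAllowedModules(userId, tenantId, appId);

        // Fail closed: deny unless at least one required module is in the allowed set.
        var permitted = _modules.Any(m => allowed.Contains(m, StringComparer.OrdinalIgnoreCase));
        if (!permitted)
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
    }
}

// Hypothetical controller showing the shared endpoint from the question.
public class ApplicationsController : ApiController
{
    // The list is needed by the Application page and by the Subscription page's dropdown.
    [RequireModule("Application", "Subscription")]
    public IHttpActionResult Get()
    {
        return Ok(new[] { "app-1", "app-2" }); // constructed sample data
    }

    // Mutating endpoints stay restricted to the Application module alone.
    [RequireModule("Application")]
    public IHttpActionResult Post([FromBody] string name)
    {
        return Created("applications/" + name, name);
    }
}
```

Listing the modules on the endpoint rather than on the page keeps the decision on the server, where the SPA cannot change it; the per-tenant resource check described at the top of the question still has to run separately inside the action, since a module grant says which pages a user may use, not which rows belong to their tenant.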