Get authenticated user about convey HOT 6 CLOSED

Ok, understood.
You shouldn't return status codes from handlers - authentication and authorization should be a different middleware (being run before you actually hit your handlers, etc.). In that case, you can do simple extension methods such as this one. Within handlers, you can throw an exception, or build some additional decorators on top of them that will validate the incoming requests and plug it into the pipeline.

from convey.

Hey,
Are you looking for a way to get the UserId (which can be any string) from the existing token? If that's the case, the solution is quite simple - it's a sub claim, that you can get directly from JWT as its base64 encoded string (as you suggested) unless I'm not understanding you correctly.

from convey.

Sorry, to clarify - I don't see how to get the JWT token. Am I supposed to just inject an instance of IHttpContextAccessor and pull it from the headers myself? If so, that's not a big deal. You have other services, middleware and services for interacting with auth but I didn't see anything explicit to pull the principle identity out easily.

Also, I'm not able to see an example for returning 401 Unauthorized. I've seen how to send back a 201 Created and a 404 Not Found but I can't see how I am supposed to send back the 401 or mark a resource as requiring authorization in order to be hit. Again, if I have to manually check the auth for each resource handler then that's fine. If that's the case then I'll need to send back the 401 status code some how to the client.

from convey.

Thanks for the clarification. Well, to get a token, you could use IHttpContextAccessor and pull it from the header as a string (it can be wrapped into a simple extension method), actually, I didn't think back then it might be needed.

Everything works with a standard authentication & authorization middleware, meaning that you can simply put [Authorize] attribute on top of your controllers/actions or add a custom middleware that might check the role/claims and set 401 response directly.

Speaking of custom methods such as Created(), NotFound() etc. - Unauthorized(), Forbidden() and a few have others have been just added.

from convey.

@spetz What if I'm just using handlers directly without any MVC middleware? All that I'm able to return back is a Task on the Command handlers and the handler for Queries is constrained to the response body type of T. I'm not sure how to specifically return back an HTTP status code from within a handler when not using MVC controllers.

For instance, in this handler I can't return 401 Unauthorized if I grab the token via IHttpContextAccessor and determine this user is not authorized to hit use this query handler.

To your point about a custom middleware, I could do that. I'd have to do route inspection, discover the handler I'm routing to and compare against a store or attribute on what the required claims are per handler route. I can go that route - it wouldn't be a small amount of effort so I was hoping I had missed something and you had a means to handle it without MVC :)

from convey.

@spetz Awesome thanks for the guidance. I'll work towards handling things that way.

from convey.