Last post Sep 08, 2015 02:20 AM by Li Wang
Sep 07, 2015 09:48 AM | The_Doctor
I have the following setup: WebAPI hosted on IIS with OWIN token authentication, with the following scenario:
Now I want to ensure and authorize a request to edit the personal resource such that only the owner (e.g. the user whose profile it is) can modify any field.
After the request to modify this resource arrives, I want to check that the caller (taken from the request) is the same as the one from HttpContext (so that if someone modifies the publicly available id in his request, he is denied the edit command).
Remember that in my request I keep the ID of the user, while HttpContext.Current.User.Identity contains the email. At this point I can make a call to the user manager and search the database for the user with the email from HTTPContext and check if the IDs are equal. But this requires me to question the database even before I start actually executing the command (so from the performance point of view it is not perfect).
Is there a way I can populate HttpContext with the ID (along with the email, or change the Name property from User.Identity to ID) so I can have something like
(since I think I can't modify that object - obvious reasons)? Or
to give me the ID.
Or is it ok at all to use HttpContext
EDIT: After looking around the Locals during an API call, I have come across several places from where I can retrieve the Identity:
While I feel that the last one (so: User.Identity.Name) could be the one I can use regardless of the application type (so I can call from a web browser, desktop application, mobile application), I am not quite sure.
Also, is there any way I can populate the Identity with my ID?
(Also posted on Stack Overflow)
Sep 08, 2015 02:20 AM | Li Wang
Thank you for your post.
At this point I can make a call to the user manager and search the database for the user with the email from HTTPContext and check if the IDs are equal. But this requires me to question the database even before I start actually executing the command (so from the performance point of view it is not perfect).
That's the easiest and best way.
You also could get the user name by this property. The identity system encodes the user name into the cookie. The next time the cookie comes back, the identity system can get the user name from it.
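As an added example (not code from either poster), the following shows the claims-based variant the question asks about: the user's ID is written into the bearer token as a NameIdentifier claim when the token is issued, so the ownership check in the controller compares the ID from the route and body against the ID the token was issued for, with no database query per request. The in-memory user store, AppUser, ProfilesController and ProfileUpdateRequest are constructed for illustration and are not part of the poster's application; the OWIN and ASP.NET Identity calls are the real ones from Microsoft.Owin.Security.OAuth and Microsoft.AspNet.Identity.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Constructed user record; in a real app this comes from the UserManager.
public class AppUser
{
    public string Id { get; set; }
    public string Email { get; set; }
    public string PasswordHash { get; set; }
    public string DisplayName { get; set; }
}

// Constructed in-memory store standing in for the database lookup.
public static class UserStore
{
    private static readonly PasswordHasher Hasher = new PasswordHasher();
    private static readonly Dictionary<string, AppUser> ByEmail =
        new Dictionary<string, AppUser>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice@example.com", new AppUser { Id = "u-1001", Email = "alice@example.com",
                                                 PasswordHash = Hasher.HashPassword("alice-pass") } }
        };

    // Returns the user only when the password verifies; null otherwise.
    public static AppUser Find(string email, string password)
    {
        AppUser user;
        if (email == null || !ByEmail.TryGetValue(email, out user)) return null;
        return Hasher.VerifyHashedPassword(user.PasswordHash, password) == PasswordVerificationResult.Success
            ? user : null;
    }

    public static void UpdateDisplayName(string id, string displayName)
    {
        foreach (var u in ByEmail.Values) if (u.Id == id) u.DisplayName = displayName;
    }
}

public class ApplicationOAuthProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated(); // public client using the resource-owner password flow
        return Task.FromResult(0);
    }

    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var user = UserStore.Find(context.UserName, context.Password);
        if (user == null)
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult(0);
        }
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, user.Email));         // surfaces as User.Identity.Name
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id));  // surfaces as User.Identity.GetUserId()
        context.Validated(identity); // claims are protected inside the issued token
        return Task.FromResult(0);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            Provider = new ApplicationOAuthProvider(),
            AccessTokenExpireTimeSpan = TimeSpan.FromHours(1),
            AllowInsecureHttp = false // bearer tokens only over TLS
        });
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
        // Web API route configuration omitted; attribute routing is assumed to be enabled.
    }
}

public class ProfileUpdateRequest
{
    public string Id { get; set; }
    public string DisplayName { get; set; }
}

[Authorize]
[RoutePrefix("api/profiles")]
public class ProfilesController : ApiController
{
    [HttpPut, Route("{id}")]
    public IHttpActionResult Update(string id, ProfileUpdateRequest request)
    {
        // The caller's ID comes from the validated token, never from client-supplied fields.
        string callerId = User.Identity.GetUserId();
        // Ownership check without a database round trip: the route ID and the body ID
        // must both equal the ID the token was issued for.
        if (callerId == null || request == null ||
            !string.Equals(callerId, id, StringComparison.Ordinal) ||
            !string.Equals(callerId, request.Id, StringComparison.Ordinal))
        {
            return StatusCode(HttpStatusCode.Forbidden);
        }
        UserStore.UpdateDisplayName(callerId, request.DisplayName);
        return Ok();
    }
}
```

With bearer tokens the claims travel inside the token rather than a cookie, which is what makes the check work the same way for a browser, desktop or mobile client: every request carries the ID the server itself put in the token, so a client that edits the public ID in its request can never match it.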