nikolagsiderov / APPartment

Home Management System, which is .NET-based. Blazor & MVC as web clients, consuming from a Web API. Services operating with a custom ORM framework, retrieving data from a SQL Server database.

Build real authentication #353

Open nikolagsiderov opened 3 years ago

nikolagsiderov commented 3 years ago

Currently, the authentication is purely basic hardcoded sessions and cookies. Research and check out how it is done now. We create sessions with headers such as: CurrentUserID, CurrentHomeID, etc. If these are present, then we assume the user is 'authenticated'.

As you finish your research on the current code base, you will agree this needs to be dropped.

OK, build a real authentication flow.

Current structure of the platform: Web application -> API layer -> Infrastructure & services -> ORM

Do we need authentication both on the web and API layer? Let's say I try signing in: After I enter my credentials, will they be encoded/encrypted somehow while on the server side? Will the web layer send the encrypted credentials to the API layer to actually authenticate? Should the API layer have a certificate? Or is this for another story?

We want to drop the current 'authentication', but preserve the ability to have global variables, such as CurrentUserID and CurrentHomeID. Check out BaseController, where they are being initialized, in the web layer.

Propose your solution here, after doing proper research, for me to check out. We will do a call on this discussion here before we proceed with the changes.
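The following is an added example written for this discussion; it is not code from the APPartment repository. It contrasts the pattern the issue describes (a request is "authenticated" whenever CurrentUserID / CurrentHomeID headers are present, so any caller can claim any identity) with a server-issued, HMAC-signed session token that the API layer verifies itself and from which CurrentUserID and CurrentHomeID are then derived. The class names, the token layout and the `userId|homeId|expiry` payload are assumptions made for the example; a real implementation on ASP.NET Core should use the framework's cookie or JWT bearer authentication (backed by Data Protection) rather than a hand-rolled token, but the checks shown are the ones any such scheme has to perform.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not APPartment code. Class names and token format are assumptions.

public static class WeakSession
{
    // Mirrors the pattern described in the issue: identity is whatever the client sent.
    // Anyone can put another user's id in CurrentUserID; nothing verifies it.
    public static bool IsAuthenticated(string currentUserId, string currentHomeId) =>
        !string.IsNullOrEmpty(currentUserId) && !string.IsNullOrEmpty(currentHomeId);
}

public static class SignedSession
{
    // Server-side secret. In a deployment this comes from configuration or a secret store,
    // never from the client; random bytes here only so the example runs stand-alone.
    private static readonly byte[] Key = RandomNumberGenerator.GetBytes(32);

    // Assumed token layout: base64url(payload) "." base64url(HMAC-SHA256(Key, payload))
    // where payload = "<userId>|<homeId>|<expiresUnixSeconds>".
    public static string Issue(int userId, int homeId, TimeSpan lifetime)
    {
        long exp = DateTimeOffset.UtcNow.Add(lifetime).ToUnixTimeSeconds();
        byte[] payload = Encoding.UTF8.GetBytes($"{userId}|{homeId}|{exp}");
        byte[] mac = HMACSHA256.HashData(Key, payload);
        return $"{B64(payload)}.{B64(mac)}";
    }

    // Yields an identity only if the signature verifies and the token has not expired.
    // CurrentUserID / CurrentHomeID come out of the verified payload, never from headers.
    public static bool TryVerify(string token, out int userId, out int homeId)
    {
        userId = homeId = 0;
        string[] parts = token.Split('.');
        if (parts.Length != 2) return false;

        byte[] payload, mac;
        try { payload = FromB64(parts[0]); mac = FromB64(parts[1]); }
        catch (FormatException) { return false; }

        byte[] expected = HMACSHA256.HashData(Key, payload);
        // Constant-time comparison: a plain byte-by-byte == leaks how many bytes matched.
        if (!CryptographicOperations.FixedTimeEquals(mac, expected)) return false;

        string[] fields = Encoding.UTF8.GetString(payload).Split('|');
        if (fields.Length != 3) return false;
        if (!int.TryParse(fields[0], out userId) || !int.TryParse(fields[1], out homeId)) return false;
        if (!long.TryParse(fields[2], out long exp) ||
            DateTimeOffset.UtcNow.ToUnixTimeSeconds() >= exp)
        {
            userId = homeId = 0;
            return false;
        }
        return true;
    }

    private static string B64(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    private static byte[] FromB64(string s)
    {
        string std = s.Replace('-', '+').Replace('_', '/');
        int pad = (4 - std.Length % 4) % 4;
        return Convert.FromBase64String(std + new string('=', pad));
    }
}

public static class Program
{
    public static void Main()
    {
        // Forged request: the caller simply sets headers claiming user 1 in home 1.
        Console.WriteLine($"weak check accepts forged headers: {WeakSession.IsAuthenticated("1", "1")}");

        // Signed flow: token issued once at sign-in, verified by the API on every request.
        string token = SignedSession.Issue(1, 1, TimeSpan.FromHours(1));
        bool ok = SignedSession.TryVerify(token, out int uid, out int hid);
        Console.WriteLine($"valid token verifies: {ok} (user {uid}, home {hid})");

        // Tampering: replace the payload with user 2 but keep the original signature.
        string forgedPayload = Convert.ToBase64String(Encoding.UTF8.GetBytes("2|1|9999999999")).TrimEnd('=');
        string tampered = forgedPayload + "." + token.Split('.')[1];
        Console.WriteLine($"tampered token verifies: {SignedSession.TryVerify(tampered, out _, out _)}");

        // Expired token: issued with a negative lifetime.
        string expired = SignedSession.Issue(1, 1, TimeSpan.FromSeconds(-1));
        Console.WriteLine($"expired token verifies: {SignedSession.TryVerify(expired, out _, out _)}");
    }
}
```

Run with `dotnet run` in a console project targeting .NET 6 or later (`HMACSHA256.HashData` and `RandomNumberGenerator.GetBytes` are .NET 6 APIs). On the layering question raised above: with this shape the user's password crosses the wire only once, over TLS, to the sign-in endpoint that issues the token; every later request from the web layer to the API carries the token, and the API decides who the caller is by verifying it, so the web layer's BaseController can populate CurrentUserID and CurrentHomeID from the verified result instead of from client-controlled headers.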