private void attachUserToContext(HttpContext context, IUserLoginService userLoginService, string token)
{
try
{
var tokenHandler = new JwtSecurityTokenHandler();
var key = Encoding.ASCII.GetBytes(_appSettings.Secret);
tokenHandler.ValidateToken(token, new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(key),
ValidateIssuer = false,
ValidateAudience = false,
// set clockskew to zero so tokens expire exactly at token expiration time (instead of 5 minutes later)
ClockSkew = TimeSpan.Zero
}, out SecurityToken validatedToken);
var jwtToken = (JwtSecurityToken)validatedToken;
var userId = int.Parse(jwtToken.Claims.First(x => x.Type == "id").Value);
// attach user to context on successful jwt validation
context.Items["UserLogin"] = userLoginService.GetById(userId);
}
catch
{
// do nothing if jwt validation fails
// user is not attached to context so request won't have access to secure routes
}
}
public IActionResult GetById(Guid id)
{
var user = _userLoginService.GetById(id);
if (user == null)
{
return(NotFound());
}
// Only administrators can access other users.
var currentUserId = Guid.Parse(User.Identity.Name);
if (id != currentUserId && !User.IsInRole(Role.Admin))
{
return(Forbid());
}
return(Ok(user));
}