Angular
ShinShil, 2018-07-26 21:44:22

How do I understand where authentication takes place in a solution made up of several ASP.NET Web API + AngularJS projects?

I recently started maintaining a large web project that was not written by me.
The project consists of several subprojects, each of which runs on its own server: AuthApi, WebApi, Web, Reports (see the screenshot below). All projects are Web API 2, and Web is an MVC application that returns an AngularJS SPA.
I can't figure out how authentication works.
Searching the project, I did not find any references to AuthApi within the WebApi project; however, only authenticated requests are allowed. Moreover, authentication is required both when requesting Web and when requesting WebApi controllers. In WebApi, I also did not find any mention of AuthApi. Yet it somehow works...
AuthApi uses OAuthAuthorization and ApplicationUserProvider; after setting breakpoints there and debugging, I was able to figure out how it works. But the methods I looked at are called only when the user logs in. When the page is refreshed, everything works somewhere inside; I assume that all the information is saved in the session and retrieved automatically.
Another weird thing is that both WebApi and AuthApi call app.UseOAuthBearerAuthentication. Moreover, in AuthApi it is far more elaborate.
A bug forced me to go deeper; while solving it, it turned out that inside the WebApi controllers ICurrentUser.User == null. I have a hunch that this is because CurrentUser only exists within AuthApi.
I want to somehow find where authentication is checked and see where CurrentUser comes from. And then, if necessary, somehow use Autofac in WebApi to set up receiving ICurrentUser from the AuthApi context.
PS. My knowledge is sorely lacking; I have already read a great deal of material on this topic, and things became clearer in my head, but the problem is still not solved. Perhaps any piece of information will help find which way to dig.


1 answer(s)
Roman, 2018-07-27
@ShinShil

All the magic here is UseOAuthBearerAuthentication. After authorization, a JWT token is sent to the SPA, in which CurrentUser is stored in encrypted form; when requesting WebAPI, the SPA sends the JWT token in an HTTP header, and the API checks the validity of the token and decrypts it, pulling out the saved user. You just need to set up JWT authorization in WebAPI, as is done in AuthApi.
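As an added illustration (not code from the question's project or from the answer), here is a minimal OWIN Startup for the WebApi project that validates the bearer token from the `Authorization` header and reads the user out of its claims, so a controller no longer needs ICurrentUser from AuthApi. It assumes the default Katana ticket format and that AuthApi and WebApi share the same `<machineKey>` in web.config; otherwise WebApi cannot unprotect tokens that AuthApi issued.

```csharp
using System.Security.Claims;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

[assembly: OwinStartup(typeof(WebApi.Startup))]

namespace WebApi
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            var config = new HttpConfiguration();

            // Accept only identities established by the OWIN bearer middleware;
            // cookies or other host-level authentication are ignored.
            config.SuppressDefaultHostAuthentication();
            config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

            // Validates "Authorization: Bearer <token>" on every request.
            // Assumption: both apps share the same <machineKey>, so a token
            // protected by AuthApi can be unprotected here.
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

            config.MapHttpAttributeRoutes();
            app.UseWebApi(config);
        }
    }

    // Hypothetical controller: [Authorize] rejects requests without a valid token,
    // and the user comes from the token's claims rather than from ICurrentUser.
    [Authorize]
    [RoutePrefix("api/me")]
    public class MeController : ApiController
    {
        [HttpGet, Route("")]
        public IHttpActionResult Get()
        {
            var identity = (ClaimsIdentity)User.Identity;
            return Ok(new
            {
                Name = identity.Name,
                Id = identity.FindFirst(ClaimTypes.NameIdentifier)?.Value
            });
        }
    }
}
```

On the AngularJS side the SPA only has to add the header `Authorization: Bearer <access_token>` (for example via an `$http` interceptor) to each request to WebApi.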
