Challenge: Enforcing Role-Based Authorization

Test yourself by enforcing role-based authorization on web API endpoints.

We'll cover the following

Overview

In this challenge, you have a mock application that represents the back-end API of a social network. In its initial state, all endpoints are accessible without any authentication or authorization, which is an obvious security risk. You need to enforce authentication and authorization based on the specified requirements.

Requirements

In the playground below, you have two controller classes:

  • ContentController: It contains the endpoints that allow users to view and post content on the social media app.

  • ManagementController: It contains the endpoints that can be used for configuring the app.

You need to apply the following changes to the controller endpoints:

The ContentController controller class

  • The GetHomepageTimeline endpoint method should be accessible without authentication because it returns the content that populates the public home page of the social network.

  • The GetPersonalTimeline endpoint method should be accessible only by authenticated users with the user role because it represents personalized content for the timeline of an individual user.

  • The CreatePost endpoint method should only be accessible only by authenticated users with the user role because it represents the publication of a post made by a user.

  • The DeletePost endpoint method should be accessible only by authenticated users with either the user or admin role. Users should be able to delete their own posts. However, admins should be able to delete any posts.

The ManagementController controller class

  • The GetManagementConsole endpoint method returns the current values of the platform settings and should only be accessible by users with the admin role.

  • The GetApplicationHealth endpoint method is used to poll the application to check whether the back-end API is running. Therefore, it should be accessible by any anonymous process.

  • The UpdateSettings endpoint method is used for updating the application settings. It should only be accessible by users with the admin role.

  • The GetUserDetails endpoint is used for viewing the data of any specific user. Only people with the admin role should have access to this.

  • The DeleteUser endpoint method is used to delete a user. To be able to do this, a person must have the superadmin claim specified in the JWT associated with their account.

Note: Ensure that you are following the best practices of enforcing the authorization requirements.

Get hands-on with 1400+ tech skills courses.