Let's restrict the action method that returns the customer profile details: the GET action of CustomersController, GetCustomers([FromRoute] Guid id).
We will verify two things whenever a customer tries to access a profile:
- The request comes from an authenticated user of the application, i.e. the email and password sent with the request match a registered customer.
- The customer can only access their own profile. To check this, we compare the identity established from the credentials in the request with the customer ID given in the URL.
Let's get started. Remember that our goal is to achieve the following:
[Authorize(AuthenticationSchemes = "Basic")]
public async Task<IActionResult> GetCustomers([FromRoute] Guid id)
For now, we will focus on this action method to understand the concept. The Authorize attribute names Basic in its AuthenticationSchemes property. That name alone means nothing to the runtime: we have to register an authentication handler under the scheme name "Basic" so that the authentication middleware runs it before the action method is entered.
If the handler authenticates the request, the action method runs; otherwise a 401 Unauthorized response is sent to the client. For Basic authentication that 401 should carry a WWW-Authenticate: Basic realm="..." header so the client knows which scheme to retry with. Two caveats: Basic credentials are only Base64-encoded, not encrypted, so the endpoint must be served over HTTPS only; and the second check (the profile ID in the URL matching the authenticated customer) is authorization rather than authentication, so a mismatch should produce 403 Forbidden, not 401.
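The following is an added example of what registering that "Basic" scheme looks like in ASP.NET Core; it is not the original page's code. It assumes a hypothetical ICustomerCredentialStore that validates an email/password pair (against a stored password hash, not plaintext) and returns the customer's Guid, and a hypothetical route prefix api/[controller]. The handler parses the Authorization header per RFC 7617, issues the WWW-Authenticate challenge on 401, and the action enforces the ownership check with a 403.

```csharp
using System;
using System.Security.Claims;
using System.Text;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Microsoft.Net.Http.Headers;

// Hypothetical credential store (assumption, not part of the page). The real
// implementation must compare a password hash, never a stored plaintext password.
public interface ICustomerCredentialStore
{
    // Returns the customer's id when the email/password pair is valid, otherwise null.
    Task<Guid?> ValidateAsync(string email, string password);
}

public class BasicAuthenticationHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    public const string SchemeName = "Basic";
    private readonly ICustomerCredentialStore _store;

    // The ISystemClock constructor is the one available across ASP.NET Core 2.x-8
    // (marked obsolete in 8, where the three-argument overload can be used instead).
    public BasicAuthenticationHandler(IOptionsMonitor<AuthenticationSchemeOptions> options,
        ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock, ICustomerCredentialStore store)
        : base(options, logger, encoder, clock)
    {
        _store = store;
    }

    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // No Authorization header: not our request; the challenge below produces the 401.
        if (!Request.Headers.TryGetValue(HeaderNames.Authorization, out var headerValues))
            return AuthenticateResult.NoResult();

        var header = headerValues.ToString();
        if (!header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return AuthenticateResult.NoResult();

        string decoded;
        try
        {
            decoded = Encoding.UTF8.GetString(
                Convert.FromBase64String(header.Substring("Basic ".Length).Trim()));
        }
        catch (FormatException)
        {
            return AuthenticateResult.Fail("Malformed Basic credentials");
        }

        // RFC 7617: user-id ":" password. Split on the FIRST colon only,
        // because the password itself is allowed to contain ':'.
        var separator = decoded.IndexOf(':');
        if (separator < 0)
            return AuthenticateResult.Fail("Malformed Basic credentials");

        var email = decoded.Substring(0, separator);
        var password = decoded.Substring(separator + 1);

        var customerId = await _store.ValidateAsync(email, password);
        if (customerId is null)
            return AuthenticateResult.Fail("Invalid email or password");

        // The customer id becomes a claim so the action can compare it with the route id.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, customerId.Value.ToString()),
            new Claim(ClaimTypes.Email, email),
        }, Scheme.Name);
        return AuthenticateResult.Success(
            new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name));
    }

    // A Basic 401 must carry a WWW-Authenticate challenge (RFC 7617).
    protected override Task HandleChallengeAsync(AuthenticationProperties properties)
    {
        Response.StatusCode = 401;
        Response.Headers[HeaderNames.WWWAuthenticate] = "Basic realm=\"customers\", charset=\"UTF-8\"";
        return Task.CompletedTask;
    }
}

// Registration in Program.cs / Startup (store implementation is the app's own):
//   builder.Services.AddAuthentication(BasicAuthenticationHandler.SchemeName)
//       .AddScheme<AuthenticationSchemeOptions, BasicAuthenticationHandler>(
//           BasicAuthenticationHandler.SchemeName, null);
//   app.UseAuthentication(); app.UseAuthorization();

[ApiController]
[Route("api/[controller]")]  // assumed route prefix
public class CustomersController : ControllerBase
{
    [HttpGet("{id}")]
    [Authorize(AuthenticationSchemes = BasicAuthenticationHandler.SchemeName)]
    public Task<IActionResult> GetCustomers([FromRoute] Guid id)
    {
        // Authentication established WHO the caller is. This is the authorization step:
        // a caller may only read their own profile; a mismatch is 403, not 401.
        var callerId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (!Guid.TryParse(callerId, out var authenticatedId) || authenticatedId != id)
            return Task.FromResult<IActionResult>(Forbid(BasicAuthenticationHandler.SchemeName));

        // Profile loading is omitted; the page's own action body goes here.
        return Task.FromResult<IActionResult>(Ok(new { Id = id }));
    }
}
```

Returning NoResult rather than Fail when the header is absent lets other schemes in the same app (if any) have a turn, while the Authorize attribute still forces a challenge for this action; Fail is reserved for requests that did present Basic credentials and got them wrong, so the "invalid credentials" path is what a brute-force attempt exercises and is the place to add rate limiting.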