In this video, Nate explains how to build a user introspection endpoint that will return the details of the current user for an authenticated request.
- [Instructor] Now that the client can get an access token from the token route, let's add a simple route to the Users controller that will return the profile of the current user. This type of user introspection route is a common pattern for SPA and mobile apps. In the Users controller I'll add a new method above RegisterUserAsync. I'll call this method GetMeAsync, and it'll only accept a cancellation token, and that's it. We'll mark this with HttpGet, and say that the route template for this is /me.
We'll also add the Authorize attribute to this route. This is actually authentication, not authorization, so the attribute is kind of poorly named. The Authorize attribute tells ASP.NET Core to only let authenticated requests access this route. The User property on the Controller base class gives us a reference to the current authenticated user. We can do a quick sanity check and make sure that that's not null; if it is, we'll return BadRequest. We can use the user service to look up the user details for the current user.
We'll call GetUserAsync, which is a new method that we need to create, and we'll pass in that User object. If for some reason that comes back as null from the database we'll return NotFound, and once we have that data, we'll return it as OK. I'll let Visual Studio generate the method stub on the user service for me. We'll go to IUserService, we'll make this method return a User resource model, and the parameter it accepts is of type ClaimsPrincipal, which is the type of the User property on the Controller base class.
Now I'll go to the DefaultUserService, and generate the method stub I need. To implement this method I'll use the UserManager to pull the user details out of the database. So right here I can say var entity = await _userManager; fortunately, the UserManager already has a Get method that will take a ClaimsPrincipal. We need to mark the method as async, and then we'll use AutoMapper to map back from the database entity to a User resource model.
I need to import AutoMapper and call Map&lt;User&gt; on the entity object. There is one more change we can make back in the Users controller: in the RegisterUser method, we're returning a 201 Created response when the user registers a new account. We can set the Location header of this 201 response to our new introspection route. We'll return Created, and the URL we need can be generated by Url.Link, passing the name of the GetMeAsync route. All right, we've made a couple of changes, so let's test the entire flow with Postman.
First I'll try an unauthenticated request to the users/me endpoint. This should fail with 401. Request users/me, and we get back 401 Unauthorized. If we send this same request with a proper valid access token, we should see a result here. So we need to post to the token route to get an access token for the current user. We can copy that access token result from the response and attach it to the Authorization header. This is a Bearer token so we'll say Bearer, space, and then the access token value.
Now let's send it and see what we get. Because we've now authenticated the user, we get back a 200 OK response. This is a simple example of requiring authentication for a route. We'll tackle more complex authorization needs next.
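The introspection route and service method walked through above, as an added example rather than the course's own code. It assumes an Identity user type called UserEntity, a resource model called User, and an injected AutoMapper IMapper; the registration body is left out because the video does not show it.

```csharp
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using AutoMapper;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// UserEntity (the Identity user) and User (the resource model) are assumed types.
public interface IUserService
{
    Task<User> GetUserAsync(ClaimsPrincipal principal);
}

public class DefaultUserService : IUserService
{
    private readonly UserManager<UserEntity> _userManager;
    private readonly IMapper _mapper; // injected AutoMapper instance (assumed wiring)
    public DefaultUserService(UserManager<UserEntity> userManager, IMapper mapper)
        => (_userManager, _mapper) = (userManager, mapper);

    public async Task<User> GetUserAsync(ClaimsPrincipal principal)
    {
        // UserManager resolves the principal through its user-id claim.
        var entity = await _userManager.GetUserAsync(principal);
        return entity == null ? null : _mapper.Map<User>(entity);
    }
}

[Route("/[controller]")]
[ApiController]
public class UsersController : ControllerBase
{
    private readonly IUserService _userService;
    public UsersController(IUserService userService) => _userService = userService;

    // [Authorize] lets the authentication handler reject unauthenticated
    // requests with 401 before this body ever runs; the null check is a sanity check.
    [Authorize]
    [HttpGet("me", Name = nameof(GetMeAsync))]
    public async Task<IActionResult> GetMeAsync(CancellationToken ct)
    {
        if (User == null) return BadRequest();
        var user = await _userService.GetUserAsync(User);
        if (user == null) return NotFound();
        return Ok(user);
    }

    // After a successful registration (body elided), point Location at /users/me.
    [HttpPost(Name = nameof(RegisterUserAsync))]
    public IActionResult RegisterUserAsync()
        => Created(Url.Link(nameof(GetMeAsync), null), null);
}
```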