C
C#•4mo ago
Bordin

Securing API with jwt

Hey, I am building the apis for the user. After user logs in he receive a JWT token which gives him access to the rest of the APIs. He now have access to updating his profile picture API which requests two things 1- picture (PNG, gif, jpeg) 2- his Id After filling these the APIchecks if the id matches the IDhe has in his JWT with claims. If they don't the api will return "Unauthorized". However a user can easily mess around with JWT and change the claims values. He can change the role from User to Admin, he can change his Id in the claims too! I can stop asking the user for the id and just get it directly from the jwt token, but it is still not secure enough. thank you for your help
No description
15 Replies
Bordin
Bordin•4mo ago
[Authorize]
        [HttpPut("UpdatePfp")]
        public async Task<IActionResult> UpdateProfilePicture([FromForm] UpdateUserProfilePicture ProfilePictureResources)
        {
            try
            {
                var userIdClaim = User.FindFirst(ClaimTypes.NameIdentifier);//userid from the jwt
                if (userIdClaim == null)
                {
                    // Handle case where user ID claim is missing
                    return Unauthorized();
                }
                string userId = userIdClaim.Value;//the value of the userid from the jwt
                
                var userResource = _mapper.Map<UpdateUserProfilePicture, User>(ProfilePictureResources);
                User user =await _userService.GetUserById(userResource.UserId);
                if(user.UserId.ToString() != userId)
                {
                    return Unauthorized(ModelState);
                } 
                ...  //update image   
[Authorize]
        [HttpPut("UpdatePfp")]
        public async Task<IActionResult> UpdateProfilePicture([FromForm] UpdateUserProfilePicture ProfilePictureResources)
        {
            try
            {
                var userIdClaim = User.FindFirst(ClaimTypes.NameIdentifier);//userid from the jwt
                if (userIdClaim == null)
                {
                    // Handle case where user ID claim is missing
                    return Unauthorized();
                }
                string userId = userIdClaim.Value;//the value of the userid from the jwt
                
                var userResource = _mapper.Map<UpdateUserProfilePicture, User>(ProfilePictureResources);
                User user =await _userService.GetUserById(userResource.UserId);
                if(user.UserId.ToString() != userId)
                {
                    return Unauthorized(ModelState);
                } 
                ...  //update image
Pobiega
Pobiega•4mo ago
The last section of a JWT is the signature If the token is modified in any way, the signature will be incorrect So just validate the signature as part of the pipeline
Bordin
Bordin•4mo ago
doesn't asp.net validate the signature on its own?
Pobiega
Pobiega•4mo ago
Asp has no built in support for JWTs at sll
Bordin
Bordin•4mo ago
Bearer i mean
Pobiega
Pobiega•4mo ago
So what are you using for it?
Bordin
Bordin•4mo ago
 services
                .AddAuthorization()
                .AddAuthentication(options =>
                {
                    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                    options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
                    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
                })
 services
                .AddAuthorization()
                .AddAuthentication(options =>
                {
                    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                    options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
                    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
                })
shouldnt thise do it? let me test this and modify the jwt
Pobiega
Pobiega•4mo ago
are you doing AddAuthentication().AddJwtBearer(...) somewhere?
Bordin
Bordin•4mo ago
you were right 
 access-control-allow-origin: * 
 content-length: 0 
 date: Sat,03 Feb 2024 15:54:06 GMT 
 server: Kestrel 
 www-authenticate: Bearer error="invalid_token",error_description="The signature key was not found" 
 access-control-allow-origin: * 
 content-length: 0 
 date: Sat,03 Feb 2024 15:54:06 GMT 
 server: Kestrel 
 www-authenticate: Bearer error="invalid_token",error_description="The signature key was not found"
Pobiega
Pobiega•4mo ago
and all you did was modify the claims right? you didnt outright remove the signature
Bordin
Bordin•4mo ago
No i just modified the claims
Pobiega
Pobiega•4mo ago
k good 🙂
Bordin
Bordin•4mo ago
Okay so do i even need to ask for the users id in the api? since i have it in the token
Pobiega
Pobiega•4mo ago
probably not
Bordin
Bordin•4mo ago
this is awesome and so secure thank you!
Want results from more Discord servers?
Add your server
More Posts
✅ how to set bigger font size than this part in the visual studio?how to set bigger font size than this part in the visual studio? that font's size is small.. I wannaWeb API Blazor Assembly test api on postmanhy i tried to create a simple API using blazor web assembly and try to get id with postgresSQL, aftBug in c#, with the Dll Importer.Hello, I'm encountering an issue with the .dll importer in C#. It's a bit puzzling because it seems Why Events Inserted Twice by EF Core?Hi guys hope you're doing well, I'm working on the following project : https://github.com/MbarkT3STO✅ HashCode returning different numbers when parsing the same valueI pass 0, 420 into HashCode.Combine, but when they are in different files the hashcode does not retuReferencing between Two ProjectsI have one using WPF and another using ASP.NET Web api. Now I am running the server from wpf projectBlazor rerenderCan i somehow make blazor rerender when property change automatically whereever property change? I dCan't see TextMeshPro when loading in VR, but can in game view.Can't see TextMeshPro when loading game in VR, but can in game view. I have a script that Prints thPracticing basics of c#im tryna practice my coding basics with c# and made a rock paper scissors game. It works perfectly fdotnet 8 redirects [Authorize] Tagged endpoints to /Account/LoginFor example request sent in swagger at /Api/Subscription Goes to /Account/Login?ReturnUrl=%2Fapi%2FS