✅ C# private endpoint security: How should it be done?
Hi,
I am working on a backend API which I want to be tightly coupled with Discord (some entity keys will be Discord snowflakes, like users and servers).
My private endpoints will look like this: /users/:userId/servers/:serverId
Because of this, I am trying to figure out how to go about authorization for my private endpoints. This is a bit tricky for me because I want to do a couple things:
- Validate route parameter input (snowflake regex)
- Verify user existence and ownership (ensure user ID provided in route matches the session identity user ID and that user exists in DB)
- Verify server existence and ownership (check with discord API on writes, check database on reads, only if this is an ideal approach)
As far as I know, I am sort of limited with my options(?), because I would prefer a custom failure response object (not just basic 401-404 which .NET provides for policies, route constraints or whatnot), the cheaper checks to run first (route validation and user ownership verification), and I want reusability for multiple private endpoints, or probably all?
What are my options? What do developers normally do in these type of situations?
Thanks for any help!
I am working on a backend API which I want to be tightly coupled with Discord (some entity keys will be Discord snowflakes, like users and servers).
My private endpoints will look like this: /users/:userId/servers/:serverId
Because of this, I am trying to figure out how to go about authorization for my private endpoints. This is a bit tricky for me because I want to do a couple things:
- Validate route parameter input (snowflake regex)
- Verify user existence and ownership (ensure user ID provided in route matches the session identity user ID and that user exists in DB)
- Verify server existence and ownership (check with discord API on writes, check database on reads, only if this is an ideal approach)
As far as I know, I am sort of limited with my options(?), because I would prefer a custom failure response object (not just basic 401-404 which .NET provides for policies, route constraints or whatnot), the cheaper checks to run first (route validation and user ownership verification), and I want reusability for multiple private endpoints, or probably all?
What are my options? What do developers normally do in these type of situations?
Thanks for any help!
