Hey everyone! I’m building an ASP.NET Core + React app and I’d love some advice on how to handle roles properly.
Current situation: Users register as normal "User". I have a flow where a user can “Become a Business” – when they do that, I update a field/role in the database (e.g. Role = "Business"). I’m using cookie authentication. Right now, the auth cookie only contains basic claims (like user id / username) – I don’t include the role in the cookie/claims.
What I want to do now: Only Business users should be able to create businesses. I’m not sure what the best practice is here:
Should I load the user from the database on every request somehow and check if their role is "Business"? Or should I add the role as a claim when the user logs in so it’s stored in the authentication cookie, and then just use something like [Authorize(Roles = "Business")] on the controller action?
And if the answer is to use role claims in the cookie:
What’s the recommended way to refresh the cookie after the user upgrades from User → Business? Do I need to sign them in again, or is there a standard pattern for updating the claims?
Any guidance or examples would be super appreciated.
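One standard pattern that covers both questions, as an added example that is not part of the original post: carry the role as a claim in the cookie, re-issue the cookie from the upgrade action with `SignInAsync`, and use the cookie handler's `OnValidatePrincipal` event with a per-user security stamp so cookies held by other sessions are rebuilt (or rejected) instead of trusting stale claims. The `IUserStore`, the `User` type and the `security_stamp` claim name are assumptions, not ASP.NET Core APIs.

```csharp
// Assumed: IUserStore { GetByIdAsync, SaveAsync } and User { Id, UserName, Role, SecurityStamp }.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

static ClaimsPrincipal BuildPrincipal(User u)
{
    var id = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme);
    id.AddClaim(new Claim(ClaimTypes.NameIdentifier, u.Id));
    id.AddClaim(new Claim(ClaimTypes.Name, u.UserName));
    id.AddClaim(new Claim(ClaimTypes.Role, u.Role));           // what [Authorize(Roles = ...)] checks
    id.AddClaim(new Claim("security_stamp", u.SecurityStamp)); // rotated whenever Role changes
    return new ClaimsPrincipal(id);
}

// Program.cs: validate the cookie's claims against the database on every authenticated request.
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(o => o.Events = new CookieAuthenticationEvents
    {
        // One cheap lookup per request; a role change or deleted account takes effect everywhere.
        OnValidatePrincipal = async ctx =>
        {
            var users = ctx.HttpContext.RequestServices.GetRequiredService<IUserStore>();
            var userId = ctx.Principal?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
            var user = userId is null ? null : await users.GetByIdAsync(userId);
            if (user is null)
            {
                ctx.RejectPrincipal();                      // account gone: treat as anonymous
                await ctx.HttpContext.SignOutAsync();       // and clear the cookie
                return;
            }
            if (user.SecurityStamp != ctx.Principal!.FindFirst("security_stamp")?.Value)
            {
                ctx.ReplacePrincipal(BuildPrincipal(user)); // claims are stale: rebuild from the DB
                ctx.ShouldRenew = true;                     // and write the refreshed cookie
            }
        }
    });

// Controller: persist the new role, rotate the stamp, re-issue the cookie in the same response.
[Authorize, HttpPost("become-business")]
public async Task<IActionResult> BecomeBusiness([FromServices] IUserStore users)
{
    var user = await users.GetByIdAsync(User.FindFirst(ClaimTypes.NameIdentifier)!.Value);
    user.Role = "Business";
    user.SecurityStamp = Guid.NewGuid().ToString("N");       // invalidates every older cookie
    await users.SaveAsync(user);
    await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, BuildPrincipal(user));
    return NoContent();                                      // no second login needed
}

[Authorize(Roles = "Business"), HttpPost("businesses")]
public IActionResult CreateBusiness(CreateBusinessDto dto) => Ok(); // reachable only with the role claim
```

The stamp check is what lets you downgrade or ban a user and have it stick: without it, a cookie issued before the change keeps its old role claim until it expires.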