Centeva.RequestAuthorization 2.0.0

Centeva Request Authorization

Centeva.RequestAuthorization is a .NET library that provides a method for authorizing MediatR requests via a set of defined requirements.

This enables authorization at the request level instead of inside ASP.Net Core controllers, separating authorization logic from the presentation layer.

Built With

• .NET 8

Installation

Import the Centeva.RequestAuthorization package to your projects where needed, along with the desired provider sub-packages:

Dependency Injection

Register authorizers, requirement handlers, and the MediatR pipeline behavior in your DI container:

services.AddRequestAuthorization(typeof(DeleteItemAuthorizer).Assembly);

Alternatively, register authorizers, handlers, and the pipeline separately:

builder.Services.AddRequestAuthorizersFromAssembly(typeof(DeleteItemAuthorizer).Assembly);
builder.Services.AddRequestAuthorizationHandlersFromAssembly(typeof(MustBeItemOwnerHandler).Assembly);

builder.Services.AddMediatR(cfg =>
{
    cfg.RegisterServicesFromAssembly(Assembly.GetExecutingAssembly());
    cfg.AddOpenBehavior(typeof(RequestAuthorizationBehavior<,>));
});

Authorization Requirements

Implement IRequestAuthorizationRequirement and IRequestAuthorizationHandler<TRequirement> to create reusable authorization rules:

public class MustBeItemOwnerRequirement : IRequestAuthorizationRequirement
{
  public int UserId { get; set; }
  public int ItemId { get; set; }
}

public class MustBeItemOwnerHandler : IRequestAuthorizationHandler<MustBeItemOwnerRequirement>
{
  public MustBeItemOwnerHandler(IItemRepository itemRepository)
  {
    _itemRepository = itemRepository;
  }

  public async Task<AuthorizationResult> Handle(
    MustBeItemOwnerRequirement requirement, 
    CancellationToken cancellationToken)
  {
    var item = await _itemRepository.Get(requirement.ItemId, cancellationToken);

    if (item != null && item.OwnerId == requirement.UserId)
      return AuthorizationResult.Succeed();

    return AuthorizationResult.Fail("Must be the owner of this item");
  }
}

Each IAuthorizationHandler must return either a success or failure result based on the logic in the Handle method.

Request Authorizers

Derive from AbstractRequestAuthorizer<TRequest> and implement BuildPolicy to compose requirements for authorizing the given MediatR request:

public class DeleteItemAuthorizer : AbstractRequestAuthorizer<DeleteItemCommand>
{
  public DeleteItemAuthorizer(ICurrentUserService currentUserService)
  {
      _currentUserService = currentUserService;
  }

  public override void BuildPolicy(DeleteItemCommand request)
  {
      UseRequirement(new MustBeItemOwnerRequirement
      {
        UserId = _currentUserService.UserId,
        ItemId = request.ItemId
      });
  }
}

Contributing

Please use a Pull Request to suggest changes to this library. As this is a shared library, strict semantic versioning rules should be followed to avoid unexpected breaking changes.

Running Tests

From Windows, use the dotnet test command, or your Visual Studio Test Explorer.

Deployment

This library is versioned by GitVersion. Create a Git tag for an official release (e.g., "v1.0.0"). Version numbers can be incremented via commit message using the GitVersion approaches.

Resources

This is based heavily on this article: Handling Authorization In Clean Architecture with ASP.NET Core and MediatR from Austin Davies.