Authorization sample for Rest Api on ASP.NET8 (refresh token, clean architecture, CQRS)

ASP.NET-RestApi-authorization-sample

Authorization sample for Rest Api on ASP.NET 8.

The project implements a clean architecture, the CQRS pattern and the Repository pattern.

Authorization is accomplished using a JWT access token and a refresh token. The access token authorizes the user; the refresh token is used to issue a new pair of tokens. Refresh tokens are recorded in the database, which allows each user to have 5 active devices at the same time.

Main technologies

List of containers

  • database - MsSQL database container.

  • app - container for all application layers.

How to run the server

  1. Build and start Docker images based on the configuration defined in the docker-compose.yml.

     make up     // docker-compose up --build
    
  2. Stop and remove containers.

     make down   // docker-compose down
    

API documentation

  1. Swagger documentation

     http://localhost:5000/swagger/index.html
    

Implementation features

Registration

POST /api/auth/register (creates an account)

Parameters

| name     | type     | data type |
|----------|----------|-----------|
| email    | required | string    |
| password | required | string    |

Responses

| http code | content-type     | response                                       |
|-----------|------------------|------------------------------------------------|
| 201       | application/json | "0647ce88-2e36-421a-7314-08dbffe1c4a0"         |
| 409       | application/json | Entity: User (user@example.com) already exists |
| 400       | application/json | Validation errors                              |

Login

POST /api/auth/login (logs the user in)

Parameters

| name     | type     | data type |
|----------|----------|-----------|
| email    | required | string    |
| password | required | string    |

Responses

| http code | content-type                         | response                                                                                                                       |
|-----------|--------------------------------------|--------------------------------------------------------------------------------------------------------------------------------|
| 200       | application/json and HttpOnly cookie | {"accessToken": "eyJhbGc...", "type": "Bearer"} cookie: refreshToken=Wna@3da...; Expires=...; Secure; HttpOnly; Domain=...;   |
| 403       | application/json                     | Entity: User (user@example.com) doesn't exist or your password is incorrect                                                    |
| 400       | application/json                     | Validation errors                                                                                                              |

Refresh

(Requires the refresh token in the cookies)

POST /api/auth/refresh (issues a new access token and refresh token)

Parameters

HttpOnly cookie:
refreshToken=WnaMQ3j...; Expires=Sat, 23 Dec 2025 16:01:54 GMT; Path=/; Secure; HttpOnly; Domain=...;

Responses

| http code | content-type                         | response                                                                                                                       |
|-----------|--------------------------------------|--------------------------------------------------------------------------------------------------------------------------------|
| 200       | application/json and HttpOnly cookie | {"accessToken": "eyJhbGc...", "type": "Bearer"} cookie: refreshToken=Wna@3da...; Expires=...; Secure; HttpOnly; Domain=...;   |
| 401       | application/json                     | Refresh token isn't valid                                                                                                      |
| 401       | application/json                     | Refresh token is outdated                                                                                                      |

Logout

(Requires the JWT access token in the header)

POST /api/auth/logout (logs the user out and deactivates the refresh token)

Parameters

  1. Valid JWT access token as a Bearer token in the header

Responses

| http code | content-type                                  | response                     |
|-----------|-----------------------------------------------|------------------------------|
| 200       | application/json, removes the HttpOnly cookie | No body returned for response |
| 401       | application/json                              | No body returned for response |
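The refresh-token lifecycle described above (token pair on login, rotation on refresh, the two distinct 401 cases, deactivation on logout, and the 5-device limit), as an added example that is not the repository's own code. It is a self-contained C# model with an in-memory list standing in for the MsSQL table; the hashing of tokens before storage and the eviction of the oldest session when the limit is exceeded are assumptions, not documented behaviour of the project.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
// Hypothetical stand-in for the refresh-token table; only a hash of the token is persisted (assumption).
public sealed record RefreshTokenRow(string TokenHash, Guid UserId, DateTime ExpiresAt) { public bool Revoked { get; set; } }

public sealed class RefreshTokenStore
{
    public const int MaxActiveDevices = 5;              // per-user limit stated in the README
    private readonly List<RefreshTokenRow> _rows = new();

    private static string Hash(string token) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));

    // Login: mint a random token, persist its hash, and (assumed policy) evict the
    // oldest active session when the user would otherwise exceed MaxActiveDevices.
    public string Issue(Guid userId, DateTime now, TimeSpan lifetime)
    {
        var active = _rows.Where(r => r.UserId == userId && !r.Revoked && r.ExpiresAt > now)
                          .OrderBy(r => r.ExpiresAt).ToList();
        foreach (var oldest in active.Take(Math.Max(0, active.Count - MaxActiveDevices + 1)))
            oldest.Revoked = true;
        var token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        _rows.Add(new RefreshTokenRow(Hash(token), userId, now + lifetime));
        return token;                                   // sent to the client in the HttpOnly cookie
    }

    // Refresh: the presented token is consumed (rotation) and a new one is issued for the
    // same user, distinguishing the two 401 responses the API documents.
    public string Refresh(string token, DateTime now, TimeSpan lifetime)
    {
        var row = _rows.FirstOrDefault(r => r.TokenHash == Hash(token));
        if (row is null || row.Revoked) throw new UnauthorizedAccessException("Refresh token isn't valid");
        if (row.ExpiresAt <= now) throw new UnauthorizedAccessException("Refresh token is outdated");
        row.Revoked = true;
        return Issue(row.UserId, now, lifetime);
    }

    // Logout: deactivate the session's refresh token; clearing the cookie is left to the controller.
    public void Revoke(string token)
    {
        var row = _rows.FirstOrDefault(r => r.TokenHash == Hash(token));
        if (row is not null) row.Revoked = true;
    }
}
```

Because a consumed token is marked revoked rather than deleted, a second presentation of an already-rotated token fails with "Refresh token isn't valid", which is the signal a defender would log as possible token replay.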