data security for different users

[truthz03]

Hi,

I'm using the WebServerAgent because my client is a Blazor Webassembly.
Now I have to add some filters to sync only data for the current user.

Is it possible to add some parameters inside the RestApi controller where webServerAgent.HandleRequestAsync will be called?
My filter is WHERE UserId = xxx and the user id will be available by the .Net authorization stuff. I don't want to configure the filter parameters inside the client because this means that everybody can send whatever the want to get data from other user.

Are these filters save in any case. If I filter by UserId, is it possible to manipulate data for other users (add/modify/delete) on the server?

[Mimetis]

you have AdditionalProperties in the SyncContext object you can use:

From the client side:

var webRemoteOrchestrator = new WebRemoteOrchestrator(serviceUri);
var agent = new SyncAgent(clientProvider, webRemoteOrchestrator, options);

webRemoteOrchestrator.OnHttpSendingRequest(args =>
{
    if (args.Context.AdditionalProperties == null)
        args.Context.AdditionalProperties = new Dictionary<string, string> { { "A", "1" } };
});

From Server side, in your controller:

var webServerAgent = context.RequestServices.GetService<WebServerAgent>(

webServerAgent.OnHttpGettingRequest(args =>
{
    Assert.NotEmpty(args.Context.AdditionalProperties);
    Assert.Single(args.Context.AdditionalProperties);
});

You can also use the headers from your request. You can use the AddCustomHeader from the WebRemoteOrchestrator:

var webRemoteOrchestrator = new WebRemoteOrchestrator(serviceUri);
webRemoteOrchestrator.AddCustomHeader("Key", "Value");

[truthz03]

AdditionalProperties and AddCustomHeader is both on the client side.
Is it also possible to add parameters on the server side?

Currently I use this code inside the Client

var parameters = new SyncParameters(
    (nameof(IUserParentEntity.UserId), userId)
);
await _agent.SynchronizeAsync(parameters, _progress);

but with this method a user can send any userId, not only its own!

I want to use the user from the Authorization header inside the server.

[HttpPost]
[Authorize]
public async Task Post()
{
    var user = await _authService.GetUser(HttpContext.User.GetUserId());
    var parameters = new SyncParameters(
        (nameof(IUserParentEntity.UserId), user.Id)
    );
    await _webServerAgent.HandleRequestAsync(HttpContext, HttpContext.RequestAborted);
}

But how to add user.Id as parameter inside the Post method?

[Mimetis]

You have an example here : https://github.com/Mimetis/Dotmim.Sync/blob/master/Samples/HelloWebAuthSync/HelloWebAuthSyncServer/Controllers/SyncController.cs

In the controller, the user id extracted from the bearer token is used and injected as a paramter.
The code is in comments (for no reason, I 've probably made some tests and commit the modification, sorry about that) but it's a good starting point

[truthz03]

Thanks for that answer. That helped a lot :)

Only for my understanding.
If I add an UserId Filter on every table in the backend, is it possible for any client to change data (delete, add, modify) for other users?
I only need to know if this mechanism is safe against cyber attacks ^^

[Mimetis]

it's nothing related to DMS, it's up to your implementation :)