How can I secure URL access in my web app?

Asked By CuriousCoder42 On

I'm developing a web API using C# .NET for the backend and React with TypeScript for the frontend. I have everything set up to manage my SQLite database, but I have a crucial question about security. When a user logs in, they gain access to their own dashboard, but what happens if someone tries to access that same dashboard URL without being logged in? How can I ensure that sensitive methods can only be accessed by logged-in users? I've heard about using sessions and cookies, but I'm not really clear on how those actually operate.

Additionally, my app has different user roles, such as Admins, who have specific permissions. How do I identify the type of user that is logged in?

1 Answer

Answered By DevTalker88 On

When a user logs in, you need to implement access validation to protect sensitive routes. Ensure that any URL requiring a login has a check in place that responds with a `403` or `404` status if the user is not authenticated. For logged-in users, the dashboard should only show data relevant to them, preventing access to someone else's information. You can find out more about authentication and authorization in the documentation provided by Microsoft for ASP.NET.

Also, managing user roles is an authorization challenge. Look into implementing role-based access control for your application, particularly in .NET. This will help you define what each user type can do and how to handle their permissions accordingly.

UserHelper101 -

Got it! But could you explain how I let the backend know a user is logged in and identify their role, especially since I'm creating User and Admin objects in TypeScript?
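The following is an added example, not part of the answer or comment above: a minimal ASP.NET Core API that uses cookie authentication to tell the backend who is logged in and a role claim to gate an admin route. It assumes a web project with implicit usings enabled; the route paths, the `AdminOnly` policy name, the `LoginRequest` record and the in-memory accounts are all illustrative.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(o =>
    {
        o.Cookie.HttpOnly = true;   // session cookie is not readable from frontend JavaScript
        o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        o.Cookie.SameSite = SameSiteMode.Strict;
        // An API answers with status codes instead of redirecting to a login page.
        o.Events.OnRedirectToLogin = c => { c.Response.StatusCode = 401; return Task.CompletedTask; };
        o.Events.OnRedirectToAccessDenied = c => { c.Response.StatusCode = 403; return Task.CompletedTask; };
    });
builder.Services.AddAuthorization(o => o.AddPolicy("AdminOnly", p => p.RequireRole("Admin")));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Constructed sample accounts. A real app loads users from its database and verifies a password hash.
var users = new Dictionary<string, (string Password, string Role)>
{
    ["alice"] = ("placeholder-password-1", "User"),
    ["root"] = ("placeholder-password-2", "Admin"),
};

app.MapPost("/api/login", async (LoginRequest req, HttpContext http) =>
{
    if (req.Username is null || !users.TryGetValue(req.Username, out var u) || u.Password != req.Password)
        return Results.Unauthorized();
    // The role comes from the server-side record, never from anything the client sends.
    var claims = new[] { new Claim(ClaimTypes.Name, req.Username), new Claim(ClaimTypes.Role, u.Role) };
    var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
    await http.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity));
    return Results.Ok(new { name = req.Username, role = u.Role });
});

// Any logged-in user: the identity is read from the cookie, so each user only sees their own data.
app.MapGet("/api/dashboard", (ClaimsPrincipal user) =>
    Results.Ok(new { owner = user.Identity!.Name, role = user.FindFirst(ClaimTypes.Role)?.Value }))
   .RequireAuthorization();

// Admins only: a logged-in non-admin gets 403, an anonymous caller gets 401.
app.MapGet("/api/admin/users", () => Results.Ok(users.Keys)).RequireAuthorization("AdminOnly");

app.Run();

record LoginRequest(string Username, string Password);
```

The browser sends the cookie back on each request, so the React code only needs to read the name and role from the login response to decide what to render. Frontend User and Admin objects are for display; the server-side checks are what actually block access.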
