I have an endpoint in my API like: api/users/{:userId}/...
I only want the user with userId to have access to his own endpoint and not to the endpoints of any other user.
I implemented a JWT Bearer token, which is used for authorization. I get the id from it and check if it matches the route the user wants to access:
[HttpGet("{userId:int}"), Authorize]
public async Task<ActionResult> GetUserById([FromRoute] int userId)
{
var id = int.Parse(User.FindFirstValue(ClaimTypes.NameIdentifier));
if (id != userId)
{
return BadRequest("Access denied.");
}
var user = await unitOfWork.UserRepository.GetUserByIdAsync(userId);
if (user == null)
return NotFound("User not found");
return Ok(user);
}
Now, I don't think this is the correct approach. The token can easily be tampered with and the id changed. How else could I do this?
