I am currently developing an API with ASP.NET in C#.

One endpoint needs to call another in order to return a value.

```csharp
using System.Threading.Tasks;
using System.Web.Http;

public class Testcontroller : BaseApiController
{
    [Authorize]
    [HttpGet]
    [Route("1", Name = "F1")]
    public async Task<IHttpActionResult> F1()
    {
        return await F2(); // calls 2nd method directly, as a plain C# call (no new HTTP request)
    }

    [Authorize]
    [HttpGet]
    [Route("2", Name = "F2")]
    public async Task<IHttpActionResult> F2()
    {
        int I = 2;
        return Ok(I.ToString());
    }
}
```

Ok, the returned value of this whole thing will be 2, which is absolutely fine. However, in the real API, the second method needs to retrieve some data about the user. That is normally handled with:

```csharp
var Name = ClaimsPrincipal.Current.Identity.Name;
var CurrentUser = await this.AppUserManager.FindByNameAsync(Name);
```

These two lines get the user information through the bearer token that is passed to the method through the authorization process.

Considering this, the first function could call the other one. The downside is that those two LOCs for the user data do not work because this token is not passed properly.

How would you suggest working around this problem? I thought about adding an optional parameter and passing the CurrentUser through that. But I thought that might cause some issues in terms of security?

Thanks for your help!

1 Answer

Firstly, don't use ClaimsPrincipal.Current. In Controllers you have a User property, that's where the identity is. ClaimsPrincipal.Current is a hangover from .NET 3.5. If you are going to move to .NET Core, then the User property is the right way to do it.

In response to your actual question, there are no security issues in passing that through to other functions outside your controller.

blowdart
  • Alright, thank you, then I will try to implement it as an additional parameter. I tried the User-Property but could not find a way to get the actual userId with which the user is in the DB. How would you do this? – Michael Heribert Apr 07 '16 at 16:25
  • https://stackoverflow.com/questions/22624470/get-current-user-id-in-asp-net-identity-2-0 addresses that :) – blowdart Apr 07 '16 at 16:27
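The pattern discussed in this thread, as an added example that is not code from the question or the answer: both actions read the caller from the controller's `User` property and hand the user id to a non-action helper as an ordinary argument, so identity never becomes an action parameter that Web API would bind from the request. `ResultForCallerAsync` and `LoadValueAsync` are hypothetical names; the sketch assumes `AppUserManager` is an ASP.NET Identity `UserManager` with string keys, that the user type exposes `UserName`, and that the bearer token carries the user id as its name-identifier claim.

```csharp
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.AspNet.Identity; // GetUserId() extension method on IIdentity

// BaseApiController and AppUserManager are the question's own types
// (assumed here to wrap an ASP.NET Identity UserManager with string keys).
public class TestController : BaseApiController
{
    [Authorize]
    [HttpGet]
    [Route("1", Name = "F1")]
    public async Task<IHttpActionResult> F1()
    {
        // Same logic as F2, reached through the shared helper rather than the F2 action.
        return await ResultForCallerAsync();
    }

    [Authorize]
    [HttpGet]
    [Route("2", Name = "F2")]
    public async Task<IHttpActionResult> F2()
    {
        return await ResultForCallerAsync();
    }

    // Private, so it is not routable and nothing in it is model-bound from the request.
    private async Task<IHttpActionResult> ResultForCallerAsync()
    {
        // User is the principal built from this request's validated bearer token.
        string userId = User.Identity.GetUserId();
        if (string.IsNullOrEmpty(userId))
            return Unauthorized();

        string value = await LoadValueAsync(userId);
        return value == null ? (IHttpActionResult)NotFound() : Ok(value);
    }

    // Hypothetical helper: receives the already-authenticated user id as a plain argument.
    private async Task<string> LoadValueAsync(string userId)
    {
        var currentUser = await AppUserManager.FindByIdAsync(userId);
        return currentUser?.UserName; // null when the token's user no longer exists
    }
}
```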