
I want to make a quick, safe and nice application. For many years I have been programming in PHP and regular ASP, but I wanted to move on to .NET and Vue.js. So I have an idea I want to build, and I plan to do it like this: I was thinking of using hosting from an external service. Then I would have three projects:

  1. domain.com/index - Vue.js, which will be a SPA where the user can filter through a catalog, press "like" and send a few API requests (mainly GET requests).
  2. secure.domain.com - Here I will have a .NET MVC project where I can use Identity. This will make it simple to handle/register users. I will also set the correct session here for authenticated users. It will affect domain.com/index, where users are only allowed to do some of the things if they are logged in.
  3. api.domain.com - This will be the Web API. Only authenticated users will be allowed to send some of the requests.

I have spent several weeks looking into how to structure this.

But as I do not have much experience with this, what pitfalls and bad consequences do you see in structuring it like this? Are there any heads-ups you want to give me? Or any other recommendations? I have been trying to merge all of this into one project, but that has been difficult, because they operate in different ways. So now I have ended up with this, and look forward to

Size of project

It will be a relatively small project. People should be able to register/authenticate themselves (through Facebook/Google/server login).

Authenticated people should be able to add records (links) to a database. When adding these to the database they may also want to upload files and choose some additional information.

All people should be able to filter through the catalog of records (5000+) (here I am using Vue.js/Vuex/axios). They should also be able to comment on links.

The Web API will have 8 entities/tables and one view which will GET all the information. 3 tables should accept POST.

So it is more or less a catalog, where people should be able to add records and find new ones.

I was planning to use Identity from ASP.NET Core 3.1. It is a "template" where I can easily add 3rd-party logins. (https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity?view=aspnetcore-3.1&tabs=visual-studio)

Additional questions:

Can you tell me how requests from the SPA will be authenticated in your API (JWT or cookie)? Why would you like to have a separate identity service, and why would you like to use ASP.NET Identity (is it because of ease of setup)?

I have not been thinking about authenticating API requests. I was thinking of only having authenticated users who can send POST requests. The rest will be GET requests, limited only from the server. Should I have some additional authentication? Does JWT make web APIs safe enough for my use?

I was thinking of using .NET Identity because it is simple, and I don't want to spend time setting it up.

GerryMM88
  • Welcome to Stack Overflow. Smarterasp.com would only be used for hosting, correct? If so, can you remove it from your question since it does not matter for the answer? – Bernard Vander Beken Aug 10 '20 at 07:53
  • Can you provide a bit more input, like how big the project is (e.g. full-blown e-commerce app or internal project etc.), the end users (e.g. are they internet traffic or intranet), will there be any reporting or data visualization use cases? Do you need a CMS? Who is your identity provider (e.g. social login, Azure AD, in-house etc.)? – Vivek Bani Aug 10 '20 at 07:57
  • @RajdeepDebnath Thank you. I have tried to add some more information. – GerryMM88 Aug 10 '20 at 08:17
  • Thanks, this is great, a few more questions. Can you tell me how requests from the SPA will be authenticated in your API (JWT or cookie)? Why would you like to have a separate identity service, and why would you like to use ASP.NET Identity (is it because of ease of setup)? – Vivek Bani Aug 10 '20 at 08:55
  • @RajdeepDebnath I am not familiar with JWT, but have tried to respond to the rest. Thank you for your patience :-) – GerryMM88 Aug 10 '20 at 09:12
  • Thanks, so here comes the question: how will the API know if the POST is from an authenticated user? – Vivek Bani Aug 10 '20 at 09:29
  • I was thinking that all authenticated users should have a session[Loggedin] = true, and in the controller of the API request I will check if the user has this session. – GerryMM88 Aug 10 '20 at 09:35
  • So it looks to me this is something to think of. So if ASP.NET Identity sets up a cookie and you want to use it for authentication in your API (if it's a subdomain) then you need to specify the cookie in the Set-Cookie header and the API should parse the cookie to populate the authenticated user. This is the area to look in. – Vivek Bani Aug 10 '20 at 09:40

1 Answer

Since this is your first project of this type, I would recommend keeping it simple.

Just create one web site. Otherwise you might get issues with the cookies not working for subdomains, and you will also get issues with CORS. That is, you will get all the problems at the same time (configuration issues, infrastructure issues and the pain of writing the application itself).

You can still have a clean separation by using sub folders (or Areas in MVC) and by using class libraries for the backend (API) business logic.

Once you have mastered the basics (i.e. writing the actual application) you can start looking at other means of separation etc.

jgauffin
  • Will there be CORS issues if they are all on the same domain? Like secure.catalog.com and catalog.com? – GerryMM88 Aug 10 '20 at 08:44
  • It looks simple to have sessions work on every subdomain: https://stackoverflow.com/questions/41872524/how-can-i-share-session-among-subdomains-in-asp-net-core – GerryMM88 Aug 10 '20 at 08:45
  • Yes, there will be. It's possible to use a wildcard as the allowed domain, but that defeats the purpose of CORS. Your links have nothing to do with CORS. – jgauffin Aug 10 '20 at 10:20
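For readers who go ahead with the split the comments discuss (Identity on secure.domain.com, the API on api.domain.com, the SPA on domain.com), here is what the cookie and CORS wiring looks like in ASP.NET Core 3.1. This is an added example, not code from the question or from jgauffin's answer. It assumes the hostnames from the question; `AppDbContext`, `LinkDto`, `LinksController`, the cookie name and the key directory are hypothetical. Two points it makes concrete: the API authorizes on the cookie principal (`[Authorize]`), not on a `Session["LoggedIn"]` flag, and the CORS policy names the SPA origin explicitly with credentials allowed, because the framework refuses `AllowAnyOrigin` together with `AllowCredentials` and browsers reject that combination as well.

```csharp
// Added example (not from the original post): ASP.NET Core 3.1 Startup shared in
// shape by secure.domain.com (Identity UI) and api.domain.com (Web API).
// AppDbContext, LinkDto, the cookie name and the key path are hypothetical.
using System.IO;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDbContext<AppDbContext>(o => o.UseSqlite("Data Source=catalog.db")); // hypothetical store

        // Both processes must encrypt/decrypt the auth cookie with the same Data
        // Protection key ring and application name, otherwise api.domain.com
        // cannot read the cookie that secure.domain.com issued.
        services.AddDataProtection()
            .PersistKeysToFileSystem(new DirectoryInfo("/var/keys/catalog")) // hypothetical shared path
            .SetApplicationName("catalog");

        services.AddDefaultIdentity<IdentityUser>()
            .AddEntityFrameworkStores<AppDbContext>();

        services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.Name = ".catalog.auth";          // identical in both apps
            options.Cookie.Domain = ".domain.com";          // sent to every subdomain
            options.Cookie.HttpOnly = true;                 // not readable from the SPA's JS
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Lax;     // domain.com -> api.domain.com is same-site
            // An API should answer 401/403 to axios, not redirect to the login page.
            options.Events.OnRedirectToLogin = ctx =>
            {
                ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
                return Task.CompletedTask;
            };
            options.Events.OnRedirectToAccessDenied = ctx =>
            {
                ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
                return Task.CompletedTask;
            };
        });

        // Explicit origin plus credentials; a wildcard origin cannot carry cookies.
        services.AddCors(o => o.AddPolicy("Spa", p => p
            .WithOrigins("https://domain.com")
            .AllowCredentials()
            .WithMethods("GET", "POST")
            .WithHeaders("Content-Type")));

        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseHttpsRedirection();
        app.UseRouting();
        app.UseCors("Spa");          // after routing, before authentication
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(e => e.MapControllers());
    }
}

// The API trusts the cookie principal, not a session flag set elsewhere.
[ApiController]
[Route("links")]
public class LinksController : ControllerBase
{
    [HttpGet]
    [AllowAnonymous]                 // browsing the catalog is public
    public IActionResult List() => Ok(new[] { "placeholder" });

    [HttpPost]
    [Authorize]                      // only an authenticated principal may add a record
    public IActionResult Create([FromBody] LinkDto dto)
    {
        var userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        return Created("/links/0", new { dto.Url, createdBy = userId });
    }
}

public class LinkDto { public string Url { get; set; } }

public class AppDbContext : IdentityDbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> o) : base(o) { }
}
```

On the Vue side every axios call to api.domain.com needs `withCredentials: true`, or the browser will not attach the cookie to the cross-origin request; a POST with `Content-Type: application/json` will also trigger a preflight, which is exactly what the explicit CORS policy above answers. The key-ring sharing is the part that is easy to miss: with two separate deployments and default settings each app generates its own keys, and the API silently treats every Identity cookie as invalid.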