Have a Windows-authenticated (intranet) .NET Core web app.
Since the user has already been authenticated, that part is done. I don't care about claims etc. Just want to run a simple check of the user's name against a list (from SQL). Any valid domain user can access the site, however we want to check the user against a custom list and a few other checks in the DB to see if they can get to this API.
What am I missing or what's left to use this as an API action attribute? The idea would be to use this at the controller level.
```csharp
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

public class ApiAuthFilter : IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationFilterContext context)
    {
        var httpContext = context.HttpContext;
        // get user name (populated by Windows authentication)
        string userName = httpContext.User.Identity.Name;
        // check against list to see if access permitted;
        // CheckUser(...) is the SQL-backed lookup, not shown in the post
        if (!CheckUser(userName))
        {
            context.Result = new ForbidResult();
        }
    }
}
```
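An added example (not code from the question) showing the two pieces the filter above is missing to work as a controller attribute: the class must derive from `Attribute` as well as `IAuthorizationFilter`, and, because attributes are constructed by the runtime rather than by the DI container, the list lookup has to be resolved from `HttpContext.RequestServices` instead of injected through the constructor. `IApiAccessChecker`, `InMemoryApiAccessChecker` and the `CORP\` account names are assumptions standing in for the SQL-backed list; the filter also fails closed when no authenticated identity is present, and answers 403 (not 401) for a user who is authenticated but not on the list.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical lookup abstraction; the real implementation would query the SQL list.
public interface IApiAccessChecker
{
    bool IsAllowed(string userName);
}

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class ApiAuthFilterAttribute : Attribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationFilterContext context)
    {
        var identity = context.HttpContext.User?.Identity;

        // Windows auth normally fills this in, but fail closed if it did not
        // (anonymous access enabled, misconfigured host, etc.).
        if (identity == null || !identity.IsAuthenticated || string.IsNullOrEmpty(identity.Name))
        {
            context.Result = new UnauthorizedResult();   // 401
            return;
        }

        // Attributes cannot use constructor injection; resolve the checker per request.
        var checker = context.HttpContext.RequestServices.GetRequiredService<IApiAccessChecker>();

        if (!checker.IsAllowed(identity.Name))
        {
            // Authenticated but not permitted: ForbidResult asks the authentication
            // handler to forbid, which for Windows auth produces a 403.
            context.Result = new ForbidResult();
        }
    }
}

// In-memory stand-in for the SQL-backed list; constructed sample data, case-insensitive
// because DOMAIN\user names are not case-sensitive.
public sealed class InMemoryApiAccessChecker : IApiAccessChecker
{
    private static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            @"CORP\alice",
            @"CORP\svc-reports",
        };

    public bool IsAllowed(string userName) => Allowed.Contains(userName);
}

// Wiring (Startup.ConfigureServices):
//     services.AddScoped<IApiAccessChecker, InMemoryApiAccessChecker>();
//
// Usage at the controller level (C# drops the "Attribute" suffix):
//     [ApiAuthFilter]
//     public class ReportsController : ControllerBase { ... }
```

Swapping `InMemoryApiAccessChecker` for a SQL-backed implementation keeps the attribute unchanged; if the lookup hits the database on every request, cache the result per user with a short expiry so a revoked user loses access promptly while the hot path stays cheap.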