Authentication - malparty/keywords GitHub Wiki
Overview
Authentication is managed by the ASP.NET Core built-in "Identity" package.
For that reason, everything lives in a separate project area (./KeywordsApp/Areas/Identity). The views are scaffolded, so this area uses "Razor Pages" instead of "Core MVC" (which is used by the rest of the app).
Edits performed
Password requirements
To register in the app, you need to provide a complex password that includes a digit as well as both lower- and upper-case letters.
This is configured in the ./KeywordsApp/Startup.cs file:
```csharp
services.AddIdentity<UserEntity, IdentityRole>(options =>
{
    // The other PasswordOptions keep Identity's defaults
    // (RequireLowercase = true, RequiredLength = 6).
    options.Password.RequireDigit = true;
    options.Password.RequireUppercase = true;
});
```
Email confirmation
To make testing simpler, I decided NOT to force email confirmation, so as to facilitate your assessment. I would nevertheless recommend enabling this option for a real-life project.
The project still handles emails properly. I use the SendGrid API to provide a clean and secure way to send emails. I have also configured the service so that it can be mapped to my domain name (malparty.fr) in order to send emails from a trusted domain. This way, the chances of the confirmation email landing in the user's junk folder are very low.
Email confirmation is handled in this folder: ./KeywordsApp/Areas/Identity/Services/
Update AspNetIdentityUser table
- Rename the table to Users, matching the DB naming conventions
- Add LastName and FirstName (and update the sign-up and profile views)
- Add a FK to the CsvFiles entity
Enable two-factor authentication via QR code
The Identity package includes everything needed to perform two-factor authentication.
By default, the user has to manually copy a long key into the authenticator app on their smartphone, which makes for a poor user experience.
For that reason, I went one step further and included a QR code, so that registering an authenticator application from a smartphone is a seamless experience.
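The QR code is nothing more than an `otpauth://` URI rendered as an image, so the server-side work is generating that URI from the per-user authenticator key and, crucially, refusing to turn 2FA on until the user proves the app holds the right secret. The Razor Page model below is an added example written for this wiki, not the project's own code: the issuer name "KeywordsApp", the page path and the `./TwoFactorAuthentication` redirect target are assumptions; `UserEntity` is the project's user type, and every `UserManager` call is a real ASP.NET Core Identity API.

```csharp
// Added example (not the project's code). Assumed location:
// ./KeywordsApp/Areas/Identity/Pages/Account/Manage/EnableAuthenticator.cshtml.cs
using System.Globalization;
using System.Text;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

public class EnableAuthenticatorModel : PageModel
{
    // Label the authenticator app shows next to the account (value assumed).
    private const string Issuer = "KeywordsApp";
    private const string AuthenticatorUriFormat =
        "otpauth://totp/{0}:{1}?secret={2}&issuer={0}&digits=6";

    private readonly UserManager<UserEntity> _userManager;
    private readonly UrlEncoder _urlEncoder;

    public EnableAuthenticatorModel(UserManager<UserEntity> userManager, UrlEncoder urlEncoder)
    {
        _userManager = userManager;
        _urlEncoder = urlEncoder;
    }

    public string SharedKey { get; private set; }        // manual-entry fallback
    public string AuthenticatorUri { get; private set; } // what the QR code encodes

    [BindProperty]
    public string Code { get; set; }

    public async Task<IActionResult> OnGetAsync()
    {
        var user = await _userManager.GetUserAsync(User);
        if (user == null) return NotFound();

        // Identity stores one secret per user; create it on first visit.
        var key = await _userManager.GetAuthenticatorKeyAsync(user);
        if (string.IsNullOrEmpty(key))
        {
            await _userManager.ResetAuthenticatorKeyAsync(user);
            key = await _userManager.GetAuthenticatorKeyAsync(user);
        }

        SharedKey = FormatKey(key);
        AuthenticatorUri = GenerateQrCodeUri(await _userManager.GetEmailAsync(user), key);
        return Page();
    }

    public async Task<IActionResult> OnPostAsync()
    {
        var user = await _userManager.GetUserAsync(User);
        if (user == null) return NotFound();

        // Only a valid TOTP code proves the phone holds the secret; enabling 2FA
        // before this check would lock the user out of their own account.
        var code = Code.Replace(" ", string.Empty).Replace("-", string.Empty);
        var valid = await _userManager.VerifyTwoFactorTokenAsync(
            user, _userManager.Options.Tokens.AuthenticatorTokenProvider, code);
        if (!valid)
        {
            ModelState.AddModelError("Code", "Verification code is invalid.");
            return await OnGetAsync();
        }

        await _userManager.SetTwoFactorEnabledAsync(user, true);
        return RedirectToPage("./TwoFactorAuthentication"); // page name assumed
    }

    // Groups the Base32 key in blocks of four for users who must type it.
    private static string FormatKey(string unformattedKey)
    {
        var result = new StringBuilder();
        var current = 0;
        while (current + 4 < unformattedKey.Length)
        {
            result.Append(unformattedKey.Substring(current, 4)).Append(' ');
            current += 4;
        }
        if (current < unformattedKey.Length)
            result.Append(unformattedKey.Substring(current));
        return result.ToString().ToLowerInvariant();
    }

    // Issuer and account are URL-encoded; the Base32 secret is already URI-safe.
    private string GenerateQrCodeUri(string email, string unformattedKey)
    {
        return string.Format(CultureInfo.InvariantCulture, AuthenticatorUriFormat,
            _urlEncoder.Encode(Issuer), _urlEncoder.Encode(email), unformattedKey);
    }
}
```

The view renders `AuthenticatorUri` into a QR image with a client-side library (the scaffolded Identity UI uses qrcode.js for this); the URI, and therefore the secret, should only ever be shown to the authenticated owner of the account over HTTPS, and the `SharedKey` text stays on the page as a fallback for devices without a camera.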
GDPR-compliant personal data management
As I added LastName and FirstName to the UserEntity model, this personal data is stored in the DB. It is therefore important to include it in the user's right to ask what personal data the application holds about them.
This is well integrated in the .NET Core framework, so I just had to add a [PersonalData] attribute on each field concerned:
```csharp
using Microsoft.AspNetCore.Identity; // defines PersonalDataAttribute

public class UserEntity : IdentityUser
{
    [PersonalData] public string FirstName { get; set; } // exported with "download my data"
    [PersonalData] public string LastName { get; set; }
}
```
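The attribute does nothing by itself; the scaffolded "Download personal data" page reflects over the user type and exports every property carrying it, so a field you forget to mark is silently left out of the user's data export. The helper below, added here as an example rather than taken from the project, shows that mechanism on `UserEntity`: the `[PersonalData]` properties inherited from `IdentityUser` (such as `Email` and `PhoneNumber`, which Identity marks with the derived `[ProtectedPersonalData]`) are picked up together with the two new fields. The sample user values are constructed for the example.

```csharp
// Added example, not the project's code: what the Identity "Download personal
// data" page does with the [PersonalData] attribute.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Microsoft.AspNetCore.Identity;

public static class PersonalDataExport
{
    // Every property marked [PersonalData] (or a subclass such as
    // [ProtectedPersonalData]) is collected; everything else stays out.
    public static Dictionary<string, string> Collect(UserEntity user)
    {
        var personalData = new Dictionary<string, string>();
        var props = typeof(UserEntity).GetProperties()
            .Where(p => Attribute.IsDefined(p, typeof(PersonalDataAttribute)));
        foreach (var p in props)
        {
            personalData.Add(p.Name, p.GetValue(user)?.ToString() ?? "null");
        }
        return personalData;
    }

    // Serialised form handed to the user as a file download.
    public static byte[] ToJsonBytes(UserEntity user) =>
        JsonSerializer.SerializeToUtf8Bytes(Collect(user));

    // Sanity check: fails loudly if a field the app considers personal is not
    // exported, e.g. after someone adds a column and forgets the attribute.
    public static bool ExportsField(string propertyName) =>
        typeof(UserEntity).GetProperty(propertyName) is { } prop
        && Attribute.IsDefined(prop, typeof(PersonalDataAttribute));

    public static void Main()
    {
        // Constructed sample user, not real data.
        var user = new UserEntity
        {
            UserName = "alice", Email = "alice@example.invalid",
            FirstName = "Alice", LastName = "Example"
        };

        foreach (var kv in Collect(user))
            Console.WriteLine($"{kv.Key} = {kv.Value}");

        Console.WriteLine(ExportsField("FirstName") && ExportsField("LastName")
            ? "new fields are exported"
            : "a personal field is missing [PersonalData]");
        // PasswordHash is deliberately not marked in IdentityUser, so it is never exported.
        Console.WriteLine(ExportsField("PasswordHash") ? "unexpected" : "PasswordHash stays private");
    }
}
```

Wrapping `ExportsField` in a unit test for each personal column is a cheap guard: the right-of-access export then breaks the build, rather than the GDPR request, when a new personal field is added without the attribute.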