For the final project you will add authentication to the project from assignment 4. This consists of adding a login component to the Angular project and a login endpoint to the API project. You will then secure the order endpoints so that only authenticated users can access them. You will add authorization by having two roles of users (user and admin). Regular users will have access to the following endpoints: GetOrders and GetOrder. Admin users will have access to all endpoints.
Add security to the API
1- Add a new Account controller with a login endpoint that will accept username and password.
2- Add a new service class with one method that will verify the username and password and then return a new token. The token should at least have the following claims: expiration, issued at, username, and role.
3- Secure the Order endpoints
a. Secure the GetOrders and GetOrder endpoints
b. Secure the UpdateTrackingNumber endpoint so that only admins can access it
4- Add the required code to the Startup class so that incoming requests are authenticated by validating the JWT.
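As an added example (not part of the assignment text), the following shows how steps 2 to 4 fit together in ASP.NET Core with the Microsoft.AspNetCore.Authentication.JwtBearer package: a token service that issues the four required claims, the Startup validation settings, and the role check on the admin-only endpoint. The issuer and audience names, the route names, the 15-minute lifetime and the secret are placeholders you should replace with the project's own values.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
public class TokenService
{
    // Placeholder secret: load it from configuration or a secret store, never commit it. HS256 needs >= 32 bytes.
    public static readonly SymmetricSecurityKey SigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("REPLACE-WITH-A-SECRET-OF-AT-LEAST-32-BYTES"));
    public string CreateToken(string username, string role)   // call only after the password check succeeded
    {
        var now = DateTime.UtcNow;
        var claims = new[] {
            new Claim(JwtRegisteredClaimNames.Sub, username),               // username
            new Claim(ClaimTypes.Role, role),                               // role: "user" or "admin" (written to the JWT as "role")
            new Claim(JwtRegisteredClaimNames.Iat,                          // issued at, as unix seconds
                new DateTimeOffset(now).ToUnixTimeSeconds().ToString(), ClaimValueTypes.Integer64),
        };
        var token = new JwtSecurityToken("orders-api", "orders-app", claims, notBefore: now,  // placeholder issuer/audience
            expires: now.AddMinutes(15),                                    // expiration: keep access tokens short
            signingCredentials: new SigningCredentials(SigningKey, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddSingleton<TokenService>().AddControllers();
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(o =>
            o.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuerSigningKey = true, IssuerSigningKey = TokenService.SigningKey,
                ValidIssuer = "orders-api", ValidAudience = "orders-app",          // both are validated by default
                ValidateLifetime = true, ClockSkew = TimeSpan.FromSeconds(30),     // library default skew is 5 minutes
            });
    }
}
[ApiController, Route("api/[controller]"), Authorize]                       // every action requires a valid token
public class OrderController : ControllerBase
{
    [HttpGet] public IActionResult GetOrders() => Ok();                     // user or admin
    [HttpPut("{id}/tracking"), Authorize(Roles = "admin")]                  // admins only
    public IActionResult UpdateTrackingNumber(int id, [FromBody] string trackingNumber) => Ok();
}
```

In Startup.Configure, app.UseAuthentication() must be called before app.UseAuthorization(), otherwise the [Authorize] attributes never see the authenticated user and every request is rejected.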
Add security to the Angular app
1- Add a login component
a. Add the login form
b. Make the login button send a request to the API and receive the new token
c. Store the token in local storage
2- Add an HTTP interceptor that, when a token is available, sends it in the header of every HTTP request
3- Add a check in the routes so that, if the user is not logged in, the app redirects to the login page
4- Once the user is logged in, redirect the user to the orders page
5- On the order detail page, hide the update tracking number form if the user is not an admin (this is a UI convenience; the API enforces the admin restriction in step 3b above).
Find and incorporate a free Bootstrap template for the Angular site.
PS: if you have not completed assignment 4, you can create a new project with dummy endpoints that are similar to those in assignment 4.
Bonus – Refresh Tokens
In the Angular app, modify the interceptor so that if the access token is expired, a new access token is retrieved using the refresh token ID.
In the backend, add a RefreshToken endpoint to the Account controller so that when the access token expires the user can get a new access token without having to log in again.