StellarAdmin is still in development. We'd love for you to try it out and get your feedback, but please be advised that your may run into bugs. Changes to public APIs may also occur.

Introduction

StellarAdmin does not have any specific authorization extension points, but, since it is built with ASP.NET Core Razor Pages and Controllers, you can make use of ASP.NET Core's built-in authorization features to prevent unauthorized access to StellarAdmin.

Preventing access to StellarAdmin

Preventing unauthorized access to StellarAdmin consists of two parts. First, you need to prevent access to the Admin User Interface (UI). The Admin UI is a Vue application that is served by a single Razor Page to which access can be restricted by making use or Razor Pages authorization conventions.

Secondly, you need to prevent access to the API controllers. The Admin UI communicates with the StellarAdmin backend via a set of API controllers. Access to these controllers can be restricted by creating a custom Authorization Filter.

Preventing access to the Admin UI

The name of the Razor Page that is serving the Admin UI is /StellarAdmin. You can require authorization to view this page by adding the AuthorizePage() convention.

public void ConfigureServices(IServiceCollection services)
{
    // ...

    services.AddRazorPages(o =>
    {
        o.Conventions.AuthorizePage("/StellarAdmin");
    });
    services.AddStellarAdmin();
}

The example above only requires that a user is authenticated, but you may have more specific requirements. You may, for example, require that a user is an administrator. The AuthorizePage() convention takes an optional policy parameter, allowing you to specify an authorization policy that determines whether the user has permission to view the page.

Let's assume that you determine whether a user is an administrator based on whether they are assigned to the Administrator role. In this case, you can create an IsAdministrator policy and pass that as the policy parameter when calling AuthorizePage().

public void ConfigureServices(IServiceCollection services)
{
    // ...

    services.AddAuthorization(o =>
    {
        o.AddPolicy("IsAdministrator", builder => builder.RequireRole("Administrator"));
    });
    services.AddRazorPages(o =>
    {
        o.Conventions.AuthorizePage("/StellarAdmin", "IsAdministrator");
    });
    services.AddStellarAdmin();
}

Preventing access to the API

The StellarAdmin API consists of several ASP.NET Core API Controllers served from the /StellarApi base route. To prevent access to these controllers, you can implement a custom Authorization Filter that ensures only administrators can access these API endpoints.

Add the following StellarApiAuthorizationFilter class to your application:

using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Policy;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;

namespace MyApplication
{
    public class StellarApiAuthorizationFilter : IAsyncAuthorizationFilter
    {
        public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
        {
            if (context.HttpContext.Request.Path.StartsWithSegments(new PathString("/stellarapi")))
            {
                var policyProvider = context.HttpContext.RequestServices.GetRequiredService<IAuthorizationPolicyProvider >();
                var policy = await policyProvider.GetPolicyAsync("IsAdministrator");
                if (policy != null)
                {
                    var policyEvaluator = context.HttpContext.RequestServices.GetRequiredService<IPolicyEvaluator>();
                    var authenticateResult = await policyEvaluator.AuthenticateAsync(policy, context.HttpContext);

                    var authorizeResult = await policyEvaluator.AuthorizeAsync(
                        policy, authenticateResult, context.HttpContext, context);

                    if (authorizeResult.Challenged)
                    {
                        context.Result = new ChallengeResult(policy.AuthenticationSchemes.ToArray());
                    }
                    else if (authorizeResult.Forbidden)
                    {
                        context.Result = new ForbidResult(policy.AuthenticationSchemes.ToArray());
                    }
                }
            }
        }
    }
}

Then add this filter when calling AddControllers in your startup class. The ConfigureServices method of your application should look similar to the following:

public void ConfigureServices(IServiceCollection services)
{
    // ...

    // Define IsAdministrator policy that checks whether the user is in the Administrator role
    services.AddAuthorization(o =>
    {
        o.AddPolicy("IsAdministrator", builder => builder.RequireRole("Administrator"));
    });

    // Add the StellarApiAuthorizationFilter which ensures only Administrators can access
    // the StellarAdmin API endpoints
    services.AddControllers(o =>
    {
        o.Filters.Add(new StellarApiAuthorizationFilter());
    });

    // Ensure only Administrators can access the Razor Page serving the StellarAdmin UI
    services.AddRazorPages(o =>
    {
        o.Conventions.AuthorizePage("/StellarAdmin", "IsAdministrator");
    });

    // Add all the StellarAdmin services
    services.AddStellarAdmin();
}

You can find a complete example at https://github.com/stellar-admin/samples/tree/master/Authorization.