We are adding .NET Core 2.1 Identity (aka Identity 4) to improve the security of the Aurelia Single Page Application. This uses the NuGet package Microsoft.AspNetCore.Identity.UI, which installs a library of Razor pages that implement secure login functionality and more (e.g. two-factor authentication) for a range of internal and external login providers (e.g. Facebook, Google, Microsoft Account). The login experience can be customised by scaffolding these pages and overriding them.
Roles are often replaced by Claims (name and value pairs), which fit well into the EF Core framework. The AspNetUsers table is easily extended to facilitate automatic generation of suitable claims, dependent on user information, when the Register (new user) page is invoked. A simple AspNetUser claims table snippet appears below. The claims are associated with a logged-in user and passed from the back-end code to the front end via a service call using the HTTP fetch client. It is necessary to ensure that the user can only see the routes and methods they are authorized for. A Demo user will not be able to see as much as an administrator, or call upon as much functionality.
On the MVC/Razor side, just add an [Authorize] attribute to the home page to kick off authentication/authorization. Of course, the Register (new user) page and some others need to be restricted to users with an Administrator Claim, since the MVC router allows access to all the Identity pages and the Aurelia router allows access to the SPA (pinned to the Home page).
On the front end, the app.ts method is used to generate dynamic routes, and unauthorized routes are prevented from being added, so that security is enforced on both client and server. Some code is shown below.
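One way to do the route filtering described above, as an added example rather than the author's app.ts code. It assumes claims reach the front end as type/value pairs; the names Claim, SecuredRoute, allRoutes, filterRoutes and routeNames, and the sample routes and claims, are hypothetical.

```typescript
// Added example; Claim, SecuredRoute, allRoutes and filterRoutes are hypothetical names.
interface Claim { type: string; value: string; }

// Shaped like an Aurelia route entry, plus the claim needed to see it.
interface SecuredRoute {
  route: string | string[];
  name: string;
  moduleId: string;
  nav: boolean;
  title: string;
  requires?: Claim; // omitted only for routes every signed-in user may open
}

// Constructed route table for illustration.
const allRoutes: SecuredRoute[] = [
  { route: ["", "home"], name: "home", moduleId: "home", nav: true, title: "Home" },
  { route: "reports", name: "reports", moduleId: "reports", nav: true, title: "Reports",
    requires: { type: "Department", value: "Finance" } },
  { route: "users", name: "users", moduleId: "admin/users", nav: true, title: "Users",
    requires: { type: "Role", value: "Administrator" } },
];

// Exact, case-sensitive match on both type and value.
function hasClaim(held: Claim[], needed: Claim): boolean {
  return held.some(c => c != null && c.type === needed.type && c.value === needed.value);
}

// Returns only the routes the user's claims allow. A failed claims lookup
// (null/undefined) is treated as "no claims", so gated routes stay out.
function filterRoutes(routes: SecuredRoute[], claims: Claim[] | null | undefined): SecuredRoute[] {
  const held = Array.isArray(claims) ? claims : [];
  return routes.filter(r => r.requires === undefined || hasClaim(held, r.requires));
}

// In app.ts this would feed the router, e.g. inside configureRouter(config, router):
//   config.map(filterRoutes(allRoutes, claimsFromServer));
const demoClaims: Claim[] = [{ type: "Role", value: "Demo" }];            // constructed
const adminClaims: Claim[] = [{ type: "Role", value: "Administrator" }];  // constructed

function routeNames(claims: Claim[] | null | undefined): string[] {
  return filterRoutes(allRoutes, claims).map(r => r.name);
}
```

Leaving a route out of the router only shapes what the user sees; the back-end methods behind each route still need their own [Authorize] checks, since the claims list held in the browser can be altered by the user.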
Coding is fairly straightforward, so there is not a lot to test that can go wrong.
Security is fun! Have a great day.