I am building a multi-tenant web application and I currently have my login endpoint set up like this:
The way it works is that I have an AccountUser which stores the username/password information and then the TenantUser which stores the AccountUser/Tenant relationship mapping.
Code:
    [HttpPost("Login")]
    public async Task<IActionResult> Login([FromBody] LoginRequest request)
    {
        if (string.IsNullOrWhiteSpace(request.Username) || string.IsNullOrWhiteSpace(request.Password))
        {
            return BadRequest("Username and password are required.");
        }

        var result = await _authService.LoginAsync(request.Username, request.Password);
        if (result == null)
        {
            return Unauthorized("Username and/or password is incorrect.");
        }

        var accountUser = result.Value.accountUser;
        var tenantUser = result.Value.tenantUser;

        if (!accountUser.IsSystemUser && tenantUser == null)
        {
            return Unauthorized("User is not authorized to view this tenant.");
        }

        return Ok(new { user = accountUser, tenant = tenantUser });
    }
With my code above, it's possible that the user successfully logs in, but doesn't have a TenantUser for the current tenant (which is determined via middleware by the subdomain of the request). This is where my last if/then statement lives:
Code:
    if (!accountUser.IsSystemUser && result.Value.tenantUser == null)
    {
        return Unauthorized("User is not authorized to view this tenant.");
    }
What I'd like to do is send something back to the client making the request that "hey, your username and password are correct, you just don't have access to this tenant, let me redirect you to the tenant selection page".
I don't think that Unauthorized is the correct response here because I'm using it to say "hey, you either don't have an account or that password's wrong buddy". But at the same time I don't think a redirect response is appropriate because I have a clear separation between my API project and my UI project.
What would be the appropriate approach here?
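One way to keep the two outcomes apart in ASP.NET Core, as an added example that is not the poster's code: 401 stays reserved for failed authentication, and the "valid credentials, no tenant membership" case becomes a 403 Forbidden with a problem-details body whose machine-readable type the separate UI project can use to navigate to tenant selection itself, so the API never issues a redirect. LoginRequest, _authService, AccountUser and TenantUser follow the post; LoginResponse, the TenantId property and the error type URN are assumptions.

```csharp
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using System.Threading.Tasks;

// Assumed DTO: only the fields the client needs, never the AccountUser entity itself.
public sealed record LoginResponse(string Username, bool IsSystemUser, string? TenantId);

[HttpPost("Login")]
[ProducesResponseType(typeof(LoginResponse), StatusCodes.Status200OK)]
[ProducesResponseType(StatusCodes.Status401Unauthorized)]
[ProducesResponseType(typeof(ProblemDetails), StatusCodes.Status403Forbidden)]
public async Task<IActionResult> Login([FromBody] LoginRequest request)
{
    if (string.IsNullOrWhiteSpace(request.Username) || string.IsNullOrWhiteSpace(request.Password))
    {
        return BadRequest("Username and password are required.");
    }

    var result = await _authService.LoginAsync(request.Username, request.Password);
    if (result == null)
    {
        // 401: the caller has not proven who they are. The message stays generic
        // so the response does not reveal whether the account exists.
        return Unauthorized("Username and/or password is incorrect.");
    }

    var accountUser = result.Value.accountUser;
    var tenantUser = result.Value.tenantUser;

    if (!accountUser.IsSystemUser && tenantUser == null)
    {
        // 403: identity is established, but this principal has no TenantUser
        // for the tenant the middleware resolved from the subdomain. The "type"
        // URN (assumed here) is what the UI keys on to show tenant selection.
        return Problem(
            statusCode: StatusCodes.Status403Forbidden,
            title: "No access to this tenant",
            detail: "Your credentials are valid, but your account is not a member of this tenant.",
            type: "urn:example:errors:tenant-access-required");
    }

    // Shape the response explicitly so password hashes and other internal
    // AccountUser fields never leave the API. TenantId is an assumed property.
    return Ok(new LoginResponse(accountUser.Username, accountUser.IsSystemUser, tenantUser?.TenantId));
}
```

Since the client already proved its credentials before reaching the 403 branch, the more specific detail text there does not give an unauthenticated caller anything it did not have from the 401 path.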