Challenge: Restricting Write Requests

Overview

In this challenge, you will need to apply security to web API endpoints and correctly pass a bearer token to it.

Requirements

In the playground below, you have a web API application represented by the SecondaryApiApp project that stores information about students. External applications are also allowed to add new students via a POST request. All endpoints related to the student data can be found in the StudentsController.cs file.

The client MVC application, which is represented by the DemoApp project, displays the student information on its home page. It also has the "Add New Student" tab that allows us to add a new student.

Currently, anyone can interact with the API. However, this is a major violation of security best practices. You must make appropriate changes to ensure that only registered users can add new student records. The ability to view the student information can remain accessible to anyone.

There is also another problem you must solve. The authentication configuration in the web API app has an incorrect setting applied, which prevents it from being able to validate the bearer tokens. You need to identify this setting and fix it.

In summary, you must perform the following:

• Ensure that only the registered users can add a new student record.

  • This applies to both the MVC UI and the web API backend.

• Ensure that the MVC client application correctly passes the bearer token to the secure endpoint.

• Ensure that the authentication settings in the web API application are correct.