Zoli
I’m looking for feedback on the security setup, which uses .NET MAUI, ASP.NET Core, and MongoDB.
Overview of the Architecture
1. API Authentication:
To authenticate API calls from the MAUI client, I use an API key that is securely stored in Azure Key Vault and accessed by the API as needed.
2. Database Connection:
The connection string for MongoDB is also stored in Azure Key Vault, allowing the API to retrieve it securely, so no sensitive information is stored within the API itself.
3. User Registration and Authentication:
When a new user registers through the MAUI app, a document is created in MongoDB’s user collection, with the password stored as a secure hash.
On login, the API generates a JWT token, saves it in MongoDB, and sends it to the MAUI client, where it’s stored using Secure Storage. Any previously saved token is replaced with the new one in both the database and on the client.
4. Data Ownership and Access Control:
After logging in, users can create and save data, which the API stores with an owner ID field set to the user’s ID.
When data is retrieved, the owner ID is passed to the API to filter results, so users can only access records that match their own ID.
5. Sensitive Data Management:
No sensitive information, such as connection strings, API keys, or password-hashing keys, is stored directly in the API; all are injected securely from Azure Key Vault.
On the MAUI client, the API key is stored in appsettings.
Questions
1. Storing the API Key on MAUI:
Is appsettings on the client side an appropriate place for storing the API key, or is there a more secure alternative?
2. Overall Security:
Do you have any suggestions to enhance the security of this architecture?
Thanks in advance for your input!
116 replies
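As an added example (not the poster's code), the owner-ID filter from point 4 implemented as ASP.NET Core minimal API endpoints backed by MongoDB.Driver, with the owner taken from the validated JWT's subject claim instead of from a value the MAUI client sends. It assumes JWT bearer authentication is already configured and that an `IMongoCollection<Note>` is registered in DI; the `Note` type, the `CallerId` helper and the `/notes` route are illustrative.

```csharp
// Added example: ownership filtering driven by the authenticated principal.
// Assumes JWT bearer auth is configured and IMongoCollection<Note> is in DI
// (e.g. via AddSingleton). Note, CallerId and "/notes" are hypothetical names.
using System.Security.Claims;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using MongoDB.Bson;
using MongoDB.Bson.Serialization.Attributes;
using MongoDB.Driver;

public sealed class Note
{
    [BsonId, BsonRepresentation(BsonType.ObjectId)]
    public string? Id { get; set; }
    public string OwnerId { get; set; } = "";
    public string Text { get; set; } = "";
}

public static class NoteEndpoints
{
    // Resolves the caller's ID from the bearer token's subject claim (the default
    // JWT handler maps "sub" to NameIdentifier; the raw "sub" is checked as a fallback).
    // Returns null when the token carries no subject, so the endpoint can refuse it.
    public static string? CallerId(ClaimsPrincipal user) =>
        user.FindFirst(ClaimTypes.NameIdentifier)?.Value
        ?? user.FindFirst("sub")?.Value;

    public static void Map(WebApplication app)
    {
        // GET /notes: the filter is built server-side from the token subject, so a
        // client cannot widen the query by supplying a different owner ID.
        app.MapGet("/notes", async (ClaimsPrincipal user, IMongoCollection<Note> notes) =>
        {
            var owner = CallerId(user);
            if (owner is null) return Results.Unauthorized();
            var filter = Builders<Note>.Filter.Eq(n => n.OwnerId, owner);
            return Results.Ok(await notes.Find(filter).ToListAsync());
        }).RequireAuthorization();

        // POST /notes: OwnerId is stamped by the server; any OwnerId in the body is ignored.
        app.MapPost("/notes", async (ClaimsPrincipal user, Note input, IMongoCollection<Note> notes) =>
        {
            var owner = CallerId(user);
            if (owner is null) return Results.Unauthorized();
            var note = new Note { OwnerId = owner, Text = input.Text };
            await notes.InsertOneAsync(note);
            return Results.Created($"/notes/{note.Id}", note);
        }).RequireAuthorization();
    }
}
```

Call `NoteEndpoints.Map(app)` after `app.UseAuthentication()` and `app.UseAuthorization()` so `RequireAuthorization()` rejects requests without a valid token before the handler runs.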
How to get documents for specific user by Cloud Firestore?
I am developing a .NET MAUI application where users can register and sign in. After logging in, they can perform CRUD operations on documents. Each document saved to Cloud Firestore includes a user_id or owner_id property to indicate the owner.
What is the best way to filter documents so that I only retrieve those associated with a specific user?
Currently, I am using:
CollectionReference documentsRef = db.Collection("documents");
and then querying for documents where UserId equals the currentUserId.
Is this the correct approach, or does this method initially retrieve all documents from the collection (for all users) before filtering by UserId?
3 replies