ServiceStack token authentication

Question

First some information about my application. I have to expose data access through webservices and I've chosen ServiceStack to do that. Since I don't want to have statefull webservices I choosed to use a Jwt token to handle user authorization. Client authenticates and gets the token from a service call, then puts the toekn in the Authorization header and every requests validates it.

In my services the authorization for executing a call is not just a check if the user is logged in or not but varies from reuqest to request, for example:

1. check permission A
2. check permission A on object O1
3. check permission B on object O2

Some of these checks can be made with request filters other are enforced in the service because they depend on the data passed in the request.

My concern is about the validation of the token and the extraction of the value from the header in all the levels of the authorization in addition to the trip required to extract the user permissions from the database. So I was looking to a way to mange the token one per each request.

What I came up with is a TokenAuthorizaionManager capable of extracting and valdiating the token from the request. I register this class in container with a Request scope

container.RegisterAutoWired<TokenAuthorizationManager>().ReusedWithin(ReuseScope.Request);

Then I have a PreRequest filter that gets the token authorization manager from the container and loads the data token from the headers

PreRequestFilters.Add((req, res) =>
        {
            var tokenManager = req.TryResolve<TokenAuthorizationManager>();
            if (tokenManager != null)
                tokenManager.ExtractTokenInfo(req);
        });

At this point in any authorization/authentication step i use the same TokenAuthorizationManager to validate permissions and roles.

Is this the best way I can handle something like this or there are better alternatives to token authentication in service stack with a sessionless service ?

Additional informations:

1. I have different kind of users that needs more than just username/password to make a succesfull authentication so I don't want to use the servicestack authentication features.
2. my web client will be an angularjs application (if I manage to stick everything together)

Thanks for any light you can shed on these subjects.

Answer 1

I don't see any improvement you can made, in fact it seems to me you're properly using the pre request filter.

I've also implemented an authentication provider with ServiceStack reading the input data on a pre request filter, the same way you're doing it. Our client was also developed with Angular, we've a interceptor for http clients setting the Authorization header (we're using Restangular to be more specific).

The pre request filter allows you to grant that the service isn't reached for non authorized users. For more complex authorization schemas where you may want to authorize each service based on others permissions criteria i usually use a request attribute.

If i were you i would check the source code for authorization that ServiceStack is implementing and try to go from there.