Week 10 Part IV · Domain Logic and Security

Security, Validation, and Robust API Design

Instructor lesson plan: lecture (2 h) and practice (2 h).

Learning objectives

Implement authentication and authorization in ASP.NET Core.
Apply roles, claims, and policies to use cases.
Design validation and error response contracts that clients can rely on.

Tools this week

JWTauthorization policiesFluentValidationProblemDetails

🎓Lecture · 2 hours

0:00-0:20	20 min	Threats in ordinary APIsOver-posting, broken authorization, leaky errors, invalid state transitions.
0:20-0:45	25 min	Authentication and JWTIdentity, tokens, validation, expiration, and where trust is established.
0:45-1:10	25 min	Authorization policiesRoles, claims, requirements, handlers, and use-case-level checks.
1:10-1:20	10 min	Break
1:20-1:45	25 min	Validation and error contractsInput validation, domain validation, problem details, and consistent failures.
1:45-2:00	15 min	Security review checklistWhat every team must show by final presentation.

Common misconception to confront.

Students often think: authentication means the endpoint is secure.
Set it straight: authentication says who the caller is. Authorization decides what that caller may do.

Check for understanding

Where should ownership checks happen?

At the use-case or authorization-policy boundary, close to the business operation being protected.

Why avoid raw exception responses?

They leak implementation details and produce unstable contracts for clients.

Key takeaways.

Security is use-case specific.
Validation has layers.
Error responses are part of the API contract.

📚Reading & resources

ASP.NET Core authentication Official authentication concepts and handlers.
ASP.NET Core authorization Roles, claims, policies, and requirements.

💻Practice · 2 hours

0:00-0:25	25 min	Add authenticationConfigure token validation for the project API.
0:25-0:55	30 min	Protect use casesAdd policies and executable authorization examples for at least two protected operations.
0:55-1:10	15 min	Error shapeReturn consistent validation and domain error responses.
1:10-1:20	10 min	Break
1:20-1:50	30 min	Security reviewTeams review each other's endpoints for missing authorization.
1:50-2:00	10 min	Project-integration briefDocument protected endpoints and validation strategy.

Project integration (this week)

Add authentication and authorization to selected endpoints.
Add validation and global error handling.
Document security and validation evidence.