Best Practices for User Management REST Endpoints

I’m using the default UserAuth and UserAuthDetails as well as the out-of-the-box /register plugin. We’re storing users using OrmLiteAuthRepository.

I was wondering what the best practice is for creating a series of REST endpoints for user management. Specifically, users with the ADMIN role should be able to CRUD users and assign roles.

Do I go about creating custom DTOs and Services for this application, or are there any tools for auto-wiring this functionality?

Many thanks!

-Z

There is no plugin for ServiceStack which automatically creates REST endpoints for admin operations, so you have to implement admin services in the same way as your other services. There are, however, some related plugins which might interest you when you start to implement your admin zone:

WebSudo - re-authenticate users when they access services that require super-user privileges
AutoQuery UI - allows you to autowire requests to your data and see results

That’s good to know.

From an architecture perspective, is it acceptable to return the underlying IUserAuth and IUserAuthDetails in the DTO?

public class ListUsersResponse
{
    public class ProductUser
    {
        public IUserAuth User { get; set; }
        public IUserAuthDetails Details { get; set; }
    }

    public List<ProductUser> Users { get; set; }
}

Or is it better to explicitly extract the properties which I want to return?

Many thanks,

-Z

As a rule you should avoid returning interfaces in DTOs. For Users I'd also recommend only returning the info clients need, to avoid leaking sensitive info such as hashed passwords.

That was my impression, but thank you for confirming this.

For a start I’ve implemented a basic list service like this:

using System;
using System.Collections.Generic;
using ServiceStack;
using ServiceStack.Auth;
using ServiceStack.OrmLite;

[Route("/api/users")]
public class ListUsersRequest : IReturn<ListUsersResponse>
{
}

public class ListUsersResponse
{
    // Projection of UserAuth: only the fields the admin UI needs.
    // PasswordHash, Salt and DigestHa1Hash are intentionally not included.
    public class User
    {
        public string Email { get; set; }
        public List<string> Roles { get; set; }
        public DateTime CreatedDate { get; set; }
        public DateTime? LastLoginAttempt { get; set; }
    }

    public List<User> Users { get; set; }

    public ListUsersResponse()
    {
        Users = new List<User>();
    }
}

public class UserManagerService : Service
{
    [Authenticate]
    [RequiredRole("Admin")]
    public object Get(ListUsersRequest request)
    {
        var response = new ListUsersResponse();

        // Service.Db is the base class's lazily opened IDbConnection, resolved from the
        // registered IDbConnectionFactory and disposed together with the Service, so no
        // explicit OpenDbConnection()/cast to OrmLiteConnection is needed here.
        foreach (var user in Db.Select<UserAuth>())
        {
            // ConvertTo<T>() only copies properties whose names and types match,
            // so just the four DTO fields declared above are populated.
            response.Users.Add(user.ConvertTo<ListUsersResponse.User>());
        }

        return response;
    }
}

Is this a reasonable solution for listing users?

Specifically, I want to make sure I'm connecting to the database correctly and that ConvertTo is the best way to fill the DTO.

Again, many thanks for your attention and for your answers to my (admittedly basic) questions.

Thanks!

-Z
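The thread asks for the other half of the admin zone as well: letting users with the Admin role assign roles. The following is an added example, not code from the thread, from ServiceStack's own services, or from the original poster. ServiceStack's AuthFeature does ship built-in AssignRoles/UnAssignRoles services restricted to the Admin role; this custom variant shows the checks a practitioner would want on top of them (an allow-list of role names, a guard against an admin locking themselves out, an audit log entry) together with the explicit field projection the earlier answer recommends instead of returning IUserAuth. It assumes OrmLiteAuthRepository is registered as IAuthRepository (it also implements IUserAuthRepository and IManageRoles), that WebSudoFeature from the plugin mentioned above is registered in the AppHost, and the DTO names, route, and KnownRoles list are invented for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using ServiceStack;
using ServiceStack.Auth;
using ServiceStack.Logging;

// Added example, not code from the thread or from ServiceStack itself. Assumes the default
// UserAuth table, OrmLiteAuthRepository registered as IAuthRepository (it implements
// IUserAuthRepository and IManageRoles) and WebSudoFeature registered in the AppHost; the
// DTO names, route and KnownRoles list are invented for illustration.

// Projection DTO: the allow-list of fields an admin UI gets to see. PasswordHash, Salt,
// DigestHa1Hash and the OAuth tokens held in UserAuthDetails are deliberately absent.
public class UserSummary
{
    public int Id { get; set; }
    public string UserName { get; set; }
    public string Email { get; set; }
    public List<string> Roles { get; set; }
    public DateTime CreatedDate { get; set; }
    public DateTime? LastLoginAttempt { get; set; }
}

// PUT replaces the user's full role set; a delta API is easier to misuse.
[Route("/api/users/{Id}/roles", "PUT")]
public class SetUserRoles : IReturn<SetUserRolesResponse>
{
    public int Id { get; set; }
    public List<string> Roles { get; set; }
}

public class SetUserRolesResponse
{
    public UserSummary User { get; set; }
    public ResponseStatus ResponseStatus { get; set; }
}

[Authenticate]
[RequiredRole(RoleNames.Admin)]
[WebSudoRequired]   // re-authenticate before a privilege change (needs WebSudoFeature)
public class UserRolesService : Service
{
    static readonly ILog Audit = LogManager.GetLogger(typeof(UserRolesService));

    // Roles this application actually uses (assumption); anything else is rejected rather
    // than stored, so an admin cannot mint a role name some other check happens to trust.
    static readonly HashSet<string> KnownRoles =
        new HashSet<string>(StringComparer.Ordinal) { RoleNames.Admin, "Manager", "User" };

    public object Put(SetUserRoles request)
    {
        var wanted = (request.Roles ?? new List<string>()).Distinct().ToList();
        var unknown = wanted.Where(r => !KnownRoles.Contains(r)).ToList();
        if (unknown.Count > 0)
            throw HttpError.BadRequest("Unknown role(s): " + string.Join(", ", unknown));

        var authRepo = TryResolve<IAuthRepository>() as IUserAuthRepository;
        var manageRoles = authRepo as IManageRoles;
        if (authRepo == null || manageRoles == null)
            throw new NotSupportedException("Auth repository does not support role management");

        var userAuthId = request.Id.ToString();
        if (authRepo.GetUserAuth(userAuthId) == null)
            throw HttpError.NotFound("User " + request.Id + " not found");

        // Lock-out guard: the calling admin may not drop Admin from their own account.
        var session = GetSession();
        if (session.UserAuthId == userAuthId && !wanted.Contains(RoleNames.Admin))
            throw HttpError.Forbidden("Cannot remove your own Admin role");

        var current = manageRoles.GetRoles(userAuthId).ToList();
        var toRemove = current.Except(wanted).ToList();
        var toAdd = wanted.Except(current).ToList();
        if (toRemove.Count > 0) manageRoles.UnAssignRoles(userAuthId, toRemove);
        if (toAdd.Count > 0) manageRoles.AssignRoles(userAuthId, toAdd);

        // Privilege changes are the events you want in the audit trail.
        Audit.InfoFormat("admin {0} set roles of user {1}: [{2}] -> [{3}]",
            session.UserAuthId, userAuthId, string.Join(",", current), string.Join(",", wanted));

        return new SetUserRolesResponse { User = ToSummary(authRepo.GetUserAuth(userAuthId)) };
    }

    // Explicit mapping keeps the exposed fields visible in one place; ConvertTo<T>()
    // silently copies whatever property names happen to match the DTO.
    public static UserSummary ToSummary(IUserAuth user)
    {
        return new UserSummary
        {
            Id = user.Id,
            UserName = user.UserName,
            Email = user.Email,
            Roles = user.Roles ?? new List<string>(),
            CreatedDate = user.CreatedDate,
            LastLoginAttempt = user.LastLoginAttempt,
        };
    }
}
```

ConvertTo<T>() is fine for a DTO like ListUsersResponse.User whose properties are a strict subset of UserAuth, but the mapping is implicit: adding a property named PasswordHash to the DTO later would start leaking it with no compile-time signal. The explicit ToSummary mapping trades a few lines for an allow-list that is reviewable in one place, which is the point the earlier answer makes about only returning what clients need.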