I went through the documentation and found:
mqServer.RegisterHandler<SendMailTest>(m =>
{
var req = new BasicRequest { Verb = HttpMethods.Post };
req.Headers["X-ss-id"] = m.GetBody().SessionId;
var response = ExecuteMessage(m, req);
return response;
});
I do a POST via Postman of http://localhost:5000/json/oneway/SendMailTest with an Authorization header with a bearer token.
The service is secured, hence when I do not use the Authorization header I get a correct 401.
But the SessionId is not filled in automatically. The property of the IHasSessionId interface is on the object, but do I have to fill this my self? How can I know this from f.e. a Postman session?
Is there something I am missing here?
Request DTOs with IHasSessionId property is only populated by the Service Clients and just provides another way to specify the Session Id for ServiceStack Sessions which is normally sent using ss-id/ss-pid Cookies.
JWT Requests does not send a Session Id (which is a just a reference to a server Authenticated Session), it sends an encapsulated UserSession in the JWT Token, either as a HTTP Authorization Bearer Token or via the ss-tok cookie, it can also be sent in IHasBearerToken which works similar to IHasSessionId but for BearerTokens like JWT or API Key Auth.
All these are just different options for sending Authenticated Requests, they're only filled automatically by Service Clients, but they don't need to be filled, they're just different ways of authenticating requests.
