We’ve built our API on top of ServiceStack and it’s absolutely essential that we have per-request authentication. Our authentication provider (Auth0 JWT) also has a check for requests decorated with an “AllowAnonymous” attribute. The problem is that upon each request, if the user is authenticated via an anonymous request, any subsequent requests, regardless of whether they are anonymous or not, are permitted.
What’s the recommended approach to solve this issue? If we disable sessions, what is the best example of persisting data per request to be accessed within services?
Don’t know what the [AllowAnonymous] you’re referring to is; it’s not a ServiceStack feature.
ServiceStack’s Authentication is designed so that it creates an Authenticated session so it can be used on subsequent requests without re-authenticating. A User is authenticated if they have a valid session.
If you don’t want the session retained after each request, you could delete the session after each request in a Response Filter, e.g:
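The reply’s own snippet is not preserved on this page. As an added example (not the original reply’s code), this is what such a Response Filter can look like in a ServiceStack AppHost; the `AppHost` class name and the empty auth-provider list are assumptions, and the session accessor and removal calls are ServiceStack’s `IRequest` extension methods:

```csharp
using Funq;
using ServiceStack;
using ServiceStack.Auth;

// Assumed AppHost for illustration; the real host's name and providers will differ.
public class AppHost : AppHostBase
{
    public AppHost() : base("Per-request auth API", typeof(AppHost).Assembly) { }

    public override void Configure(Container container)
    {
        // Authentication is registered as usual. A successful authentication
        // still creates a server-side session for the current request; the
        // filter below is what stops it from outliving that request.
        Plugins.Add(new AuthFeature(() => new AuthUserSession(),
            new IAuthProvider[] { /* JWT / other providers go here (assumed) */ }));

        // Global Response Filters run after the service has executed, just
        // before the response is written. Deleting the session here means an
        // authenticated state never carries over, so every request must present
        // its own credentials and an anonymous request cannot inherit an
        // earlier authenticated session.
        GlobalResponseFilters.Add((req, res, dto) =>
        {
            var session = req.GetSession();
            if (session != null && session.IsAuthenticated)
            {
                // Removes the session stored under this request's session id.
                req.RemoveSession();
            }
        });
    }
}
```

With the session gone, anything a service still needs between filters and the service body within the same request belongs in `IRequest.Items`, not in the session.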