Per Request Authentication

We’ve built our API on top of ServiceStack and it’s absolutely essential that we have Per Request authentication. Our authentication provider (Auth0 JWT) also has a check for requests decorated with an “AllowAnonymous” attribute. The problem is that upon each request, if the user is authenticated via an anonymous request, any subsequent requests, regardless of whether they are anonymous or not, are permitted.

What’s the recommended approach to solve this issue? If we disable sessions, what is the best example of persisting data per requests to be accessed within services?

Don’t know what [AllowAnonymous] you’re referring to is, it’s not a ServiceStack feature.

ServiceStack’s Authentication is designed so that it creates an Authenticated session so it can be used on subsequent requests without re-authenticating. A User is authenticated if they have a valid session.

If you don’t want the session retained after each request you could delete the session after each request in a Response Filter, e.g:

GlobalResponseFilters.Add((req, res, dto) => {
    req.RemoveSession();
});

Also you can disable Session Cookies being added to Responses with:

SetConfig(new HostConfig {
    AllowSessionCookies = false
});

This way the Session Cookies are not returned so they can’t use them on subsequent requests, though not sure if this affects the Auth0 JWT provider you’re using at all.

Otherwise, if this isn’t suitable then the alternative is to not use ServiceStack Authentication, and just validate the Request each time using a Request Filter.
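The following is an added example of the last option in the reply above, not code from the thread or from ServiceStack itself: an AppHost that validates the bearer token on every request in a Request Filter, stores the result in `IRequest.Items` (which lives only as long as that one request, answering the “persist data per request” part of the question), never issues a session cookie, and drops any session in a Response Filter. The `AllowAnonymousAttribute` is defined here as a stand-in for the asker’s own attribute, the `TokenValidator` is a minimal HS256 check standing in for the real Auth0 (typically RS256 + JWKS) validation, and the key, DTOs and service names are assumptions.

```csharp
// Added example, not from the original thread or ServiceStack's own code.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using Funq;
using ServiceStack;
using ServiceStack.Web;

// ServiceStack has no [AllowAnonymous]; this stands in for the asker's own marker attribute (assumption).
[AttributeUsage(AttributeTargets.Class)]
public class AllowAnonymousAttribute : Attribute {}

// Stand-in for the Auth0 JWT check: verifies an HS256 compact JWS and its "exp" claim.
// Auth0 normally issues RS256 tokens verified against its JWKS; swap this in real use (assumption).
public static class TokenValidator
{
    public static Dictionary<string, JsonElement> Validate(string token, byte[] hmacKey)
    {
        var parts = token.Split('.');
        if (parts.Length != 3) return null;

        var headerBytes = Base64UrlDecode(parts[0]);
        var payloadBytes = Base64UrlDecode(parts[1]);
        var signature = Base64UrlDecode(parts[2]);
        if (headerBytes == null || payloadBytes == null || signature == null) return null;

        // Pin the algorithm: never let the token choose how it is verified ("alg" confusion).
        var header = JsonSerializer.Deserialize<Dictionary<string, JsonElement>>(headerBytes);
        if (!header.TryGetValue("alg", out var alg) || alg.GetString() != "HS256") return null;

        using var hmac = new HMACSHA256(hmacKey);
        var expected = hmac.ComputeHash(Encoding.ASCII.GetBytes(parts[0] + "." + parts[1]));
        if (!CryptographicOperations.FixedTimeEquals(expected, signature)) return null;

        var claims = JsonSerializer.Deserialize<Dictionary<string, JsonElement>>(payloadBytes);
        var now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        if (!claims.TryGetValue("exp", out var exp) || exp.GetInt64() < now) return null; // expired or no expiry
        return claims;
    }

    static byte[] Base64UrlDecode(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
        try { return Convert.FromBase64String(s); } catch (FormatException) { return null; }
    }
}

[AllowAnonymous]
public class Ping : IReturn<string> {}      // assumption: a public endpoint
public class WhoAmI : IReturn<string> {}    // assumption: requires a valid token on every call

public class ProfileService : Service
{
    public object Any(Ping request) => "pong";

    public object Any(WhoAmI request)
    {
        // Claims were placed here by the request filter for this request only; no session is involved.
        var claims = (Dictionary<string, JsonElement>)Request.Items["claims"];
        return claims["sub"].GetString();
    }
}

public class AppHost : AppHostBase
{
    static readonly byte[] HmacKey = Encoding.UTF8.GetBytes("replace-with-your-real-secret"); // assumption

    public AppHost() : base("Per-request auth", typeof(ProfileService).Assembly) {}

    public override void Configure(Container container)
    {
        // No session cookie is ever issued, so nothing from one request can be replayed on the next.
        SetConfig(new HostConfig { AllowSessionCookies = false });

        // Authenticate every request independently and keep the result only in req.Items.
        GlobalRequestFilters.Add((req, res, dto) =>
        {
            var anonymous = dto != null && Attribute.IsDefined(dto.GetType(), typeof(AllowAnonymousAttribute));
            var auth = req.GetHeader(HttpHeaders.Authorization);
            var claims = auth != null && auth.StartsWith("Bearer ", StringComparison.Ordinal)
                ? TokenValidator.Validate(auth.Substring("Bearer ".Length), HmacKey)
                : null;

            if (claims != null)
                req.Items["claims"] = claims;   // discarded when this request ends
            else if (!anonymous)
            {
                res.StatusCode = 401;
                res.StatusDescription = "Unauthorized";
                res.EndRequest();               // short-circuit: the service never runs
            }
        });

        // Belt and braces: if anything did create a session, remove it before the response leaves.
        GlobalResponseFilters.Add((req, res, dto) => req.RemoveSession());
    }
}
```

Note that an anonymous DTO with a valid token still gets its claims stored, while an anonymous DTO with no or an invalid token simply proceeds without them; only non-anonymous DTOs are rejected. Because nothing is written to a session or a cookie, a request that was allowed anonymously can never make a later non-anonymous request succeed, which is the behaviour the question describes.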