Authentication & JWT

How Zomato knows it's YOU ordering pizza, not your neighbor. The #1 backend skill.

Detailed Guide

The Problem: APIs are stateless. Server has no memory. If you don't send proof of who you are on EVERY request, server says "401 Unauthorized".

1. The Zomato Login Flow = JWT in Real Life

Step 1: Login once POST /api/auth/login with username + password.

Server replies: { "token": "eyJhbGci..." } This is your JWT - like a metro card.

Step 2: Every next request GET /api/orders + Header: Authorization: Bearer eyJhbGci...

Server checks: "Is this card valid? Is it expired? Is signature mine?" If yes → 200 OK. If no → 401.

🎯 Why Not Sessions?

Sessions: Server stores "User 5 is logged in" in RAM. 1 million users = server crashes. Can't scale.

JWT: Server stores NOTHING. All info is inside the token. Any server can validate it. Scales to billions.

2. JWT Anatomy - Crack It Open

JWT = xxxxx.yyyyy.zzzzz = Header.Payload.Signature

Part	Example	Meaning
Header	`eyJhbGci...`	Algo used: HS256
Payload	`eyJzdWIi...`	Your data: `{ "sub":"5", "role":"User", "exp": 1730000000 }`
Signature	`SflKxw...`	Server's stamp. Proves token wasn't tampered.

Key Point: Anyone can read Payload. It's Base64, not encrypted. Never put passwords in JWT. Put UserId, Role, Expiry only.

3. Code It: Secure Zomato API in 5 Mins

Step 1: Install + Configure Program.cs

builder.Services.AddAuthentication("Bearer")
 .AddJwtBearer(options => {
    options.TokenValidationParameters = new TokenValidationParameters {
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
        ValidIssuer = builder.Configuration["Jwt:Issuer"],
        ValidAudience = builder.Configuration["Jwt:Audience"],
        IssuerSigningKey = new SymmetricSecurityKey(
            Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]))
    };
  });
builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication(); // Who are you?
app.UseAuthorization(); // What can you do?

Step 2: appsettings.json

"Jwt": {
  "Key": "ThisIsMySuperSecretKeyForZomato12345!", // 32+ chars
  "Issuer": "ZomatoApi",
  "Audience": "ZomatoApp",
  "ExpiryMinutes": 60
}

Step 3: Login Endpoint - Generate Token

[ApiController]
[Route("api/[controller]")]
public class AuthController : ControllerBase {
  [HttpPost("login")]
  public IActionResult Login([FromBody] LoginDto dto) {
    // 1. Check DB: is username/password correct?
    if(dto.Username!= "admin" || dto.Password!= "123") return Unauthorized();

    // 2. Create claims = data inside token
    var claims = new[] {
        new Claim(ClaimTypes.NameIdentifier, "5"),
        new Claim(ClaimTypes.Role, "Admin")
    };
    // 3. Sign token
    var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config["Jwt:Key"]));
    var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
    var token = new JwtSecurityToken(
        issuer: _config["Jwt:Issuer"],
        audience: _config["Jwt:Audience"],
        claims: claims,
        expires: DateTime.Now.AddMinutes(60),
        signingCredentials: creds);
    return Ok(new { token = new JwtSecurityTokenHandler().WriteToken(token) });
  }
}

Step 4: Protect Endpoints

[ApiController]
[Route("api/[controller]")]
public class OrdersController : ControllerBase {
  [HttpGet]
  [Authorize] // Must have valid JWT
  public IActionResult GetMyOrders() {
    var userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
    // Get orders for userId...
    return Ok();
  }

  [HttpDelete("{id}")]
  [Authorize(Roles = "Admin")] // Must be Admin
  public IActionResult DeleteOrder(int id) {...}
}

Career-Killer Mistake: Putting app.UseAuthorization() before app.UseAuthentication().
Result: API always returns 401. Because it tries to check "what can you do" before knowing "who are you".
Order matters: Authentication first, Authorization second. Always.

1. Theory: Bearer Token vs Cookie Auth

	Cookie Auth	JWT Bearer Auth
State	Stateful. Server stores session.	Stateless. Server stores nothing.
Scaling	Hard. Need sticky sessions or Redis.	Easy. Any server validates token.
Clients	Browser only. Auto-sent.	Any client: Mobile, React, Postman. Manual header.
CSRF	Vulnerable. Need anti-CSRF tokens.	Immune. Token not auto-sent by browser.
Use Case	MVC websites	APIs, Microservices, Mobile apps

Rule: MVC = Cookie. API = JWT Bearer.

2. The `[Authorize]` Pipeline

What happens when request hits [Authorize]:

Authentication Middleware: Reads Authorization header. Validates JWT signature, expiry, issuer. If valid → Creates User principal with claims.
Authorization Middleware: Checks [Authorize(Roles="Admin")]. Is User.IsInRole("Admin") true? If no → 403 Forbidden.
Controller: Runs only if both pass. Access user via User.FindFirst().

3. Refresh Tokens - The Interview Edge

Problem: JWT expires in 60 mins for security. User shouldn’t login every hour.

Solution: Issue 2 tokens on login:

Access Token: Short-lived 15-60 mins. Used for API calls.
Refresh Token: Long-lived 7 days. Stored in DB. Used to get new Access Token.

Flow: Access Token expires → Client sends Refresh Token to /api/auth/refresh → Server checks DB → Issues new Access Token. User never logs in again.

Why this is asked: Tests if you understand production security vs toy projects.

4. Claims-Based vs Role-Based Authorization

Role-Based: [Authorize(Roles = "Admin")]. Simple. Coarse-grained.

Claims-Based: [Authorize(Policy = "CanDeleteRestaurant")]. Fine-grained.

// Program.cs
builder.Services.AddAuthorization(options => {
  options.AddPolicy("CanDeleteRestaurant", policy =>
      policy.RequireClaim("permission", "restaurant.delete"));
});

// Login: add claim
new Claim("permission", "restaurant.delete")

// Controller
[Authorize(Policy = "CanDeleteRestaurant")]
public IActionResult Delete(int id) {...}

Senior move: Use Claims + Policies. Roles explode: Admin, SuperAdmin, RestaurantAdmin. Claims are flexible: restaurant.delete, order.refund.

Career-Killer Mistake #2: Storing JWT in localStorage without XSS protection.
Any JS script can steal it: localStorage.getItem('token').
Fix 1: Short expiry 15 mins. Fix 2: Use HttpOnly cookie for refresh token. Fix 3: CSP headers.
Theory: JWT in localStorage = XSS risk. JWT in HttpOnly cookie = CSRF risk but no JS access. Trade-offs.

Next: Your API is secured. Next: Filters & Middleware - How to log every request, handle errors globally, and run code before/after controllers. This is how you add cross-cutting concerns without repeating code.

Quick Check 🧠

Auth done. Next: Filters & Middleware - Learn how to log, handle errors, and add logic to every request without touching controllers. This is the glue of professional APIs. Continue →

← Model Binding

Filters & Middleware →

Comments on Authentication & JWT (0)

No comments yet. Be the first to share your thoughts!

C# Tutorial

C# Tutorial

Authentication & JWT

1. The Zomato Login Flow = JWT in Real Life

🎯 Why Not Sessions?

2. JWT Anatomy - Crack It Open

3. Code It: Secure Zomato API in 5 Mins

Step 1: Install + Configure Program.cs

Step 2: appsettings.json

Step 3: Login Endpoint - Generate Token

Step 4: Protect Endpoints

1. Theory: Bearer Token vs Cookie Auth

2. The `[Authorize]` Pipeline

3. Refresh Tokens - The Interview Edge

4. Claims-Based vs Role-Based Authorization

Quick Check 🧠

Comments on Authentication & JWT (0)

C# Tutorial

C# Tutorial

Authentication & JWT

1. The Zomato Login Flow = JWT in Real Life

🎯 Why Not Sessions?

2. JWT Anatomy - Crack It Open

3. Code It: Secure Zomato API in 5 Mins

Step 1: Install + Configure Program.cs

Step 2: appsettings.json

Step 3: Login Endpoint - Generate Token

Step 4: Protect Endpoints

1. Theory: Bearer Token vs Cookie Auth

2. The [Authorize] Pipeline

3. Refresh Tokens - The Interview Edge

4. Claims-Based vs Role-Based Authorization

Quick Check 🧠

Comments on Authentication & JWT (0)

2. The `[Authorize]` Pipeline