ServiceStack - Access to the request DTO when using the built-in auth feature?

Question

I'm implementing a web service using ServiceStack and have hit a snag with authorization.

Our auth system provides a "per-organization" list of permissions that a user has, with every request DTO then having a mandatory "OrganizationId" property to which the request pertains. That request can only be fulfilled if the user has the corresponding permission for that specific organization.

The authorization callbacks in ServiceStack (IsAuthorized, HasRole, HasPermission, etc) do not seem to allow for access to the request DTO, which means I cannot pull out the OrganizationId for the auth check. The service is running standalone so I cannot access the request DTO through HttpContext, HostContext et al.

I can implement my own auth layer using a global request filter, but would obviously prefer to re-use what is already there if at all possible. Is there any way in which I can reliably and safely access the request DTO without having to re-invent the wheel on features that ServiceStack already provides?

The other approach I have looked at is implementing a global request filter in order to add the request DTO to the "Items" property of the request context, which I could then access from the auth callback routines. It's not the most elegant approach and feels a little dirty, but if it gets the job done I'll grit my teeth and implement it. I'm hoping there is a better way.

Answer 1

You can get the current Request DTO from the IRequest.Dto property but this isn't injected in the UserSession HasRole()/HasPermission() APIs.

The Users Session should setup the necessary information required for that User so ideally the Organization Id would be added as a Custom UserSession property. But if you have additional requirements that require inspecting each Request DTO than you would need to add your own Custom Logic either in a Global Request Filter or Filter Attribute .