c # – Own architecture, CQRS and authentication?

I am working on the implementation of my first architecture and my first CQRS application. I came across a bit of logic that leaves me a little puzzled. I am working on the integration of authorization and authentication in my application, but I can not find how to architect a part of my application that will handle the order validation. My system is multi-tenant and currently shares a database on all my clients. So I need to set up a system that will allow me to perform all my checking in a simple and not too coupled way.

In my system, I have an implementation for both users and Customers. Users can belong to any number of clients. These users also have different levels of permissions that are granted to them (but this is handled by my role systems and mostly unimportant here). My WebAPI is designed to limit permissions based on a fixed number of roles and complaints. These remain largely static, so I do not need much flexibility here.

My main source of headaches is the determination of "User-Client" interaction permissions. Namely, I want to determine if a user has access to the client for which he tried to update records. One approach would be to add User ID to all my commands and to individually check the permissions during each order and request. It seems tedious and subject to problems.

Another approach I envisioned was to define an interface or base class that simply added client and user credentials to any object for which they were required, but it did not expose those implementations to my WebAPI (via swagger and UserId / ClientId as part of the Request / Command object).

A final approach would be to have my underlying commands always implement these interfaces, but my controller has minimal logic to map an API request into one of my command objects. Again, this would be tedious and would begin to spread my logic in my controllers.

Overall, it's as if I needed an extra structure in my application in which I can channel any object containing a Customer identity in order that I can keep the Authentication and Authorization the logic of my basic application. However, I am mostly perplexed and am looking for ways to simplify my application by minimizing the overhead of adding client-dependent orders and queries.

If this is of interest, here are some of the key tools and technologies I use:

  • .Net Core 2.1
  • Mediator
  • Entity framework

And my main application implements commands in the same way as:

Public class CreateProductCommand: IRequest
public int ClientId {get; set; }
public int ParentProductId {get; together; }
public string ProductName {get; together; }
// other accessories specific to creation here

Public class CreateProductCommandHandler: IHandler
public asynchronous task Handle (CreateProductCommand command)
// check the parent permissions, make sure the parent product
// belongs to the customer who entered.
// -----
// rest of logic to save

// - Ideally, the user-client verification would take place before
// - the command is always sent to the manager, so that
// - only the logic and customer-specific permissions are checked.
// - As long as the user can edit the specific client, all
// - what happens to the customer is determined by the standard business
// - and domain logic.