In a .NET Core Web API with versioned endpoints (e.g., /api/v1/users and /api/v2/users), restricting access to specific API versions based on user subscription type (e.g., “mon premium” for v1, “er premium” for v2) requires:
- API Versioning
- Authorization based on user role/subscription
- Enforcing version access restrictions at the API level
How to restrict access to specific API versions based on subscription type
Step 1: Setup API Versioning in .NET Core Web API
If not already done, install and configure API versioning:
dotnet add package Microsoft.AspNetCore.Mvc.Versioning
In Startup.cs or Program.cs:
services.AddApiVersioning(options =>
{
options.AssumeDefaultVersionWhenUnspecified = true;
options.DefaultApiVersion = new ApiVersion(1, 0);
options.ReportApiVersions = true;
options.ApiVersionReader = new UrlSegmentApiVersionReader(); // version in URL
});
Step 2: Define user subscription/role claims
Your authentication system (e.g., JWT tokens) should include a claim that specifies the user's subscription type:
- For example:
"subscription": "mon"or"subscription": "er".
Step 3: Create a custom Authorization Policy to check API version and subscription
You can create a custom authorization attribute or middleware that:
- Reads the API version from the request.
- Reads the user's subscription from claims.
- Allows or denies access based on the combination.
Example:
public class ApiVersionSubscriptionRequirement : IAuthorizationRequirement
{
public string AllowedVersion { get; }
public string AllowedSubscription { get; }
public ApiVersionSubscriptionRequirement(string allowedVersion, string allowedSubscription)
{
AllowedVersion = allowedVersion;
AllowedSubscription = allowedSubscription;
}
}
public class ApiVersionSubscriptionHandler : AuthorizationHandler<ApiVersionSubscriptionRequirement>
{
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, ApiVersionSubscriptionRequirement requirement)
{
var httpContext = (context.Resource as AuthorizationFilterContext)?.HttpContext;
if (httpContext == null)
{
context.Fail();
return Task.CompletedTask;
}
// Get requested API version from route data
var requestedVersion = httpContext.GetRequestedApiVersion()?.ToString();
// Get subscription from user claims
var subscriptionClaim = context.User.FindFirst("subscription")?.Value;
if (requestedVersion == requirement.AllowedVersion && subscriptionClaim == requirement.AllowedSubscription)
{
context.Succeed(requirement);
}
else
{
context.Fail();
}
return Task.CompletedTask;
}
}
Step 4: Register Authorization Policy and Handler
services.AddAuthorization(options =>
{
options.AddPolicy("MonPremiumV1Only", policy =>
policy.Requirements.Add(new ApiVersionSubscriptionRequirement("1.0", "mon")));
options.AddPolicy("ErPremiumV2Only", policy =>
policy.Requirements.Add(new ApiVersionSubscriptionRequirement("2.0", "er")));
});
services.AddSingleton<IAuthorizationHandler, ApiVersionSubscriptionHandler>();
Step 5: Apply Authorization Policy on Controllers/Endpoints
In your controllers, specify version and apply policy:
[ApiVersion("1.0")]
[Route("api/v{version:apiVersion}/users")]
[Authorize(Policy = "MonPremiumV1Only")]
public class UsersV1Controller : ControllerBase
{
[HttpGet]
public IActionResult GetUserInfoV1()
{
// Implementation for v1
return Ok("User Info V1");
}
}
[ApiVersion("2.0")]
[Route("api/v{version:apiVersion}/users")]
[Authorize(Policy = "ErPremiumV2Only")]
public class UsersV2Controller : ControllerBase
{
[HttpGet]
public IActionResult GetUserInfoV2()
{
// Implementation for v2
return Ok("User Info V2");
}
}
Step 6: Frontend Handling
- Frontend should call the correct API version based on the user's subscription type.
- Backend authorization policy ensures enforcement even if the frontend tries to call unauthorized versions.
Summary
- Use API Versioning to separate endpoint versions.
- Include subscription info in user claims (JWT or other token).
- Create a custom authorization policy that enforces API version access based on subscription.
- Apply the authorization policy on versioned controllers/endpoints.
- Frontend calls appropriate version per user subscription.