I’ve read a lot of posts on here and in other places but I can’t quite figure out what I should be doing to secure my API properly.
I’ve developed an anonymous questionnaire AngularJS 1.* app that calls an ASP.NET Core 2.0 Web API. Users never authenticate and may, should they wish to, add their email address at the end of the process.
FYI, it’s a CQRS backend and is hosted on an Azure VM.
I initially thought I would be able to use a service like Auth0 to create a token for a temporary user that contained both a unique ID for the person completing the questionnaire (like a sessionId) and the unique ID for the questionnaire being created (these are generated at the beginning of the process). However, I’m not sure this is right, and I can’t figure out how to do that and also verify it on the server (would I write a custom authorisation handler or similar?).
Any advice would be greatly appreciated.