Nexus HTTP API
A REST API for all Nexus features are included, and it's what the admin UI uses. The API is not enabled by default but all you need to do to enable it is:
builder.Services.AddNexus().AddApi(options =>
{
// The default options are:
options.BasePath = "/";
options.EnvironmentName = null;
options.RegisterHealthChecksAsAspNetCoreHealthChecks = true;
options.AdminUI.Path = "admin";
options.AdminUI.InfoNotice = null;
options.AllowAnonymousApiAccess = true;
});
When BasePath is / it means that the API is accessible on https://servername/api and if you set it to /mybasepath/ the API is accessible on https://servername/mybasepath/api.
When BasePath is / it also means that the admin UI is accessible on https://servername/admin and if you set the base path it to /mybasepath/ the admin UI is on https://servername/mybasepath/admin.
Authentication
One of the options above is if the system should allow anonymous API access or not. If you configure the API not to allow it the system does not do any authorization though and leaves it up to you to authorize the user through eg a cookie (see more about authorization below). The system will check if HttpContext.User.Identity.IsAuthenticated and otherwise respond with HTTP status 401 on any API requests.
If you wish to add login to the Admin UI you should setup a middleware on the admin route which checks if the user is signed in or not and redirect to/display a login page. Something like this:
// Program.cs
builder.Services.AddNexus().AddApi(options =>
{
options.AllowAnonymousApiAccess = false;
});
var app = builder.Build();
app.Use(async (context, next) =>
{
if (context.Request.Path.Value?.StartsWith("/admin") == true && context.User.Identity?.IsAuthenticated == false)
{
context.Response.Redirect("/login");
await context.Response.CompleteAsync();
}
else
{
await next();
}
});
app.UseNexusAdminUI();
If you then implement the /login route to show a login form that redirects back to /admin when the user has logged in your Nexus admin UI and API is fully protected.
Authorization
Nexus offers a very granular level of auhtorization on endpoints that perform update/create/delete actions. When initializing the Nexus API you can pass an async lamda to authorize an HTTP request like this:
// Program.cs
builder.Services.AddNexus().AddApi(options =>
{
options.IsReadOnly = async (httpContext, nexusEndpoint) =>
{
if (nexusEndpoint == NexusEndpoint.DeleteAllQueueItems)
{
var user = await httpContext.RequestServices.GetRequiredService<IUserService>().GetCurrentUserAsync();
// Only allow admins to nuke all queue items
return !user.IsAdmin;
}
return false;
};
});
The NexusEndpoint class contains all endpoints that the Nexus API contains which mutates anything. If you want to build a dynamic registry of which users are allowed to use which endpoints you can use the NexusEndpoint.AllNexusEndpoints list to base it on. The list is generated and the static name of an endpoint is the same as the static name. That is, this will always be true:
nameof(NexusEndpoint.Xyz) == NexusEndpoint.Xyz.Name
The implementation here is of course made up and your implementation would look differently. Any update/create/delete request sent to the API where the IsReadOnly lambda returns true will fail with a 403 status.
Note that the admin UI will still display all editing controls but will fail with an error message if a user tries to do something unauthorized.
Endpoints
Besides the NexusEndpoint class for mutative endpoints you can see a full list of the API endpoints for the Nexus API in the Swagger UI.
There's a demo environment that's deployed to a free tier Azure Web App here:
https://commerce-mind-nexus.azurewebsites.net/swagger/index.html
You can send requests to any endpoint you'd like to get a feel for what the system does. Since it's a free tier Azure Web App the scheduler is paused when nobody is using the API or admin UI which means that the jobs won't run exactly according to schedule.