A secure ASP.NET Core Web API for managing books and users, with full authentication, role-based authorization, and audit logging.
This API allows users to register, log in, and perform CRUD operations on books. It supports multiple roles (Reader, Author, Admin) with role-based access controls. All data changes are logged for auditing purposes.
- User Management: Registration and login with JWT authentication
- Role-Based Authorization: Reader, Author, Admin roles
- Book Management: Create, read, update, delete books with validation
- Audit Logging: Tracks all data modifications with user, timestamp, and changed columns
- JWT Authentication: Secure token generation and validation
- Swagger/OpenAPI: Interactive API documentation
- .NET 9 / ASP.NET Core
- Entity Framework Core
- SQL Server
- JWT (JSON Web Tokens)
- HMACSHA512 for password hashing (a keyed, per-user-salted hash; note that it is not a deliberately slow KDF such as PBKDF2 or Argon2)
- Swagger / Scalar UI for API docs
The project follows a layered architecture:
- Domain Layer: Entities, DTOs, interfaces, and utilities (User, Book, AuditLog, RoleEnums)
- Application Layer: Helpers, extensions, and middlewares (Jwt, AuditEntry, EnumExtension, ExceptionMiddleware)
- Infrastructure Layer: Repositories, database context, migrations, filters, and unit of work (AppDbContext, DbInitializer, AuthRepo, BookRepo, AuditRepo)
- Presentation Layer: API controllers inheriting from BaseController, which provides reusable authentication helpers
- Clone the repository:

```bash
git clone https://github.com/m-azra3l/LibraryApplication.git
```

- Configure the database connection: rename `.env.sample.env` to `.env` inside the Presentation folder and fill in the required values (connection string and JWT settings). Keep `.env` out of version control; it holds the signing secret.

- Create and apply migrations:

```bash
dotnet-ef migrations add InitialCreate --project Infrastructure --startup-project Presentation
dotnet-ef database update --project Infrastructure --startup-project Presentation
```

- Run the project:

```bash
cd Presentation
dotnet run
```
- JWT tokens are generated on registration and login.
- Roles are defined in RoleEnums: Reader, Author, Admin.
- Authorization is enforced via [Authorize] and a custom [Auth] filter.
- BaseController provides helper methods for accessing user claims: GetUserId(), GetName(), GetEmail(), GetRole(), CheckTokenExpires().
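The following is an added example and not the project's own Jwt helper or [Auth] filter: it shows how a token is issued for a user with one of the three roles, which TokenValidationParameters the JwtBearer middleware should enforce so that issuer, audience, algorithm and lifetime are all checked centrally, and how a role-checking filter reads the role claim from the already-validated principal. JwtSettings, AuthAttribute and the claim layout are assumptions for illustration. Because ValidateLifetime is set, an expired token is rejected before any controller runs; a CheckTokenExpires() helper on the controller is then defence in depth, not the primary check.

```csharp
// Added example (not the project's code): JWT issue + validation + role filter.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public enum RoleEnums { Reader, Author, Admin }

// Hypothetical settings record, bound from configuration / the .env file.
public sealed record JwtSettings(string Issuer, string Audience, string Secret, int ExpiresMinutes);

public static class JwtExample
{
    // HS256 needs a key of at least 256 bits; fail at startup rather than sign weakly.
    public static SymmetricSecurityKey KeyFrom(JwtSettings s)
    {
        var bytes = Encoding.UTF8.GetBytes(s.Secret);
        if (bytes.Length < 32)
            throw new InvalidOperationException("JWT secret must be at least 32 bytes");
        return new SymmetricSecurityKey(bytes);
    }

    public static string Issue(JwtSettings s, Guid userId, string name, string email, RoleEnums role)
    {
        var claims = new[]
        {
            new Claim(JwtRegisteredClaimNames.Sub, userId.ToString()),
            new Claim(ClaimTypes.Name, name),
            new Claim(ClaimTypes.Email, email),
            new Claim(ClaimTypes.Role, role.ToString()),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()), // unique id per token
        };
        var now = DateTime.UtcNow;
        var token = new JwtSecurityToken(
            issuer: s.Issuer,
            audience: s.Audience,
            claims: claims,
            notBefore: now,
            expires: now.AddMinutes(s.ExpiresMinutes),
            signingCredentials: new SigningCredentials(KeyFrom(s), SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Central validation: every protected endpoint gets these checks for free.
    public static void AddJwtAuth(IServiceCollection services, JwtSettings s)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(o =>
            {
                o.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidIssuer = s.Issuer,
                    ValidateAudience = true,
                    ValidAudience = s.Audience,
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = KeyFrom(s),
                    ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 }, // pin alg, no "none"
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.FromSeconds(30), // default is 5 minutes
                    RoleClaimType = ClaimTypes.Role,
                };
            });
    }
}

// Custom filter: 401 when no valid token, 403 when the role is not allowed.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class AuthAttribute : Attribute, IAuthorizationFilter
{
    private readonly RoleEnums[] _allowed;
    public AuthAttribute(params RoleEnums[] allowed) => _allowed = allowed;

    public void OnAuthorization(AuthorizationFilterContext context)
    {
        var user = context.HttpContext.User;
        if (user?.Identity?.IsAuthenticated != true)
        {
            context.Result = new UnauthorizedResult();
            return;
        }
        var role = user.FindFirst(ClaimTypes.Role)?.Value;
        if (_allowed.Length > 0 && !_allowed.Any(r => r.ToString() == role))
            context.Result = new ForbidResult();
    }
}
```

Usage: `[Auth(RoleEnums.Author)]` on the create/update actions and `[Auth(RoleEnums.Author, RoleEnums.Admin)]` on delete matches the endpoint table in this README. Ownership checks (an Author may only update their own book) still belong in the repository, where the book's author id is available.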
Every database change is tracked in the AuditLogs table:
- User performing the action
- Table and record affected
- Action type (Added, Modified, Deleted)
- Changed columns, old and new values
- Timestamp
Audit logging is handled automatically in AppDbContext.SaveChangesAsync.
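The block below is an added example, not the project's AppDbContext: it shows one way to implement the behaviour described above, turning EF Core change-tracker entries into audit rows with user, table, record, action, changed columns, old and new values and timestamp, written in the same transaction as the data change. The AuditLog shape, the ICurrentUser abstraction and the redacted column names are assumptions.

```csharp
// Added example (not the project's AppDbContext): auditing inside SaveChangesAsync.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.ChangeTracking;

public interface ICurrentUser { Guid? UserId { get; } }   // hypothetical, filled from the JWT

public class AuditLog
{
    public int Id { get; set; }
    public Guid? UserId { get; set; }            // user performing the action
    public string TableName { get; set; } = "";
    public string RecordId { get; set; } = "";
    public string Action { get; set; } = "";     // Added, Modified, Deleted
    public string? ChangedColumns { get; set; }  // JSON array of column names
    public string? OldValues { get; set; }       // JSON object
    public string? NewValues { get; set; }       // JSON object
    public DateTime Timestamp { get; set; }
}

public class AuditedDbContext : DbContext
{
    private static readonly string[] Redacted = { "PasswordHash", "PasswordSalt" };
    private readonly ICurrentUser _user;
    public AuditedDbContext(DbContextOptions options, ICurrentUser user) : base(options) => _user = user;
    public DbSet<AuditLog> AuditLogs => Set<AuditLog>();

    public override async Task<int> SaveChangesAsync(CancellationToken ct = default)
    {
        var pending = new List<(AuditLog Log, EntityEntry Entry)>();
        var now = DateTime.UtcNow;

        foreach (var entry in ChangeTracker.Entries().ToList())
        {
            // Never audit the audit table itself; skip entities that did not change.
            if (entry.Entity is AuditLog) continue;
            if (entry.State is not (EntityState.Added or EntityState.Modified or EntityState.Deleted)) continue;

            var oldValues = new Dictionary<string, object?>();
            var newValues = new Dictionary<string, object?>();
            var changed = new List<string>();
            foreach (var prop in entry.Properties)
            {
                var name = prop.Metadata.Name;
                // Secrets are recorded as a marker, never as their value.
                object? Mask(object? v) => Redacted.Contains(name) && v is not null ? "***" : v;
                switch (entry.State)
                {
                    case EntityState.Added:
                        newValues[name] = Mask(prop.CurrentValue); break;
                    case EntityState.Deleted:
                        oldValues[name] = Mask(prop.OriginalValue); break;
                    case EntityState.Modified when prop.IsModified:
                        changed.Add(name);
                        oldValues[name] = Mask(prop.OriginalValue);
                        newValues[name] = Mask(prop.CurrentValue); break;
                }
            }
            pending.Add((new AuditLog
            {
                UserId = _user.UserId,
                TableName = entry.Metadata.GetTableName() ?? entry.Metadata.ClrType.Name,
                RecordId = KeyOf(entry),            // empty for Added until the DB assigns the key
                Action = entry.State.ToString(),
                ChangedColumns = changed.Count > 0 ? JsonSerializer.Serialize(changed) : null,
                OldValues = oldValues.Count > 0 ? JsonSerializer.Serialize(oldValues) : null,
                NewValues = newValues.Count > 0 ? JsonSerializer.Serialize(newValues) : null,
                Timestamp = now,
            }, entry));
        }

        // Data change and audit rows commit together. A caller-owned transaction
        // (unit of work) is reused; the InMemory provider has no transactions.
        var ownTx = Database.IsRelational() && Database.CurrentTransaction is null;
        var tx = ownTx ? await Database.BeginTransactionAsync(ct) : null;
        try
        {
            var written = await base.SaveChangesAsync(ct);
            foreach (var (log, entry) in pending)
            {
                if (log.Action == "Added") log.RecordId = KeyOf(entry); // key generated now
                AuditLogs.Add(log);
            }
            if (pending.Count > 0) await base.SaveChangesAsync(ct);
            if (tx is not null) await tx.CommitAsync(ct);
            return written;
        }
        finally
        {
            if (tx is not null) await tx.DisposeAsync(); // rolls back if not committed
        }
    }

    private static string KeyOf(EntityEntry entry) =>
        string.Join(",", entry.Properties.Where(p => p.Metadata.IsPrimaryKey())
                                          .Select(p => p.CurrentValue?.ToString() ?? ""));
}
```

Two points a reviewer would check in any audit implementation of this shape: the audit rows are inserted with a second `base.SaveChangesAsync` call (not the override, which would recurse), and sensitive columns such as the password hash and salt are masked so the audit table does not become a second copy of the credential store.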
DbInitializer seeds the database with:
- Users: Test Reader, Test Author, Test Admin
- Books: Sample books authored by Test Author
- Passwords hashed using HMACSHA512
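As an added example, not the project's AuthRepo or DbInitializer, the block below implements the HMACSHA512 scheme this README describes (a random HMAC key stored as the per-user salt, the HMAC output stored as the hash) next to a PBKDF2-HMAC-SHA512 variant. The difference matters: HMACSHA512 costs one hash per guess, so an attacker who obtains the Users table can test guesses at hardware speed, whereas PBKDF2 with a high iteration count makes each guess deliberately expensive. Both verifiers use a constant-time comparison. The iteration count and salt size are this example's choices.

```csharp
// Added example (not the project's code): HMACSHA512 as described vs. PBKDF2.
using System;
using System.Security.Cryptography;
using System.Text;

public static class PasswordHashing
{
    // Scheme as described in the README: the HMAC key is the salt, the MAC is the hash.
    public static (byte[] Hash, byte[] Salt) HashHmacSha512(string password)
    {
        using var hmac = new HMACSHA512();        // parameterless ctor generates a random key
        var hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(password));
        return (hash, hmac.Key);
    }

    public static bool VerifyHmacSha512(string password, byte[] hash, byte[] salt)
    {
        using var hmac = new HMACSHA512(salt);
        var computed = hmac.ComputeHash(Encoding.UTF8.GetBytes(password));
        // FixedTimeEquals does not stop at the first differing byte, unlike SequenceEqual.
        return CryptographicOperations.FixedTimeEquals(computed, hash);
    }

    // Hardened variant: PBKDF2-HMAC-SHA512. 210,000 is the OWASP Password Storage
    // Cheat Sheet figure for SHA-512; store the count with the hash so it can be raised.
    private const int Pbkdf2Iterations = 210_000;

    public static (byte[] Hash, byte[] Salt, int Iterations) HashPbkdf2(string password)
    {
        var salt = RandomNumberGenerator.GetBytes(16);
        var hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Pbkdf2Iterations, HashAlgorithmName.SHA512, 64);
        return (hash, salt, Pbkdf2Iterations);
    }

    public static bool VerifyPbkdf2(string password, byte[] hash, byte[] salt, int iterations)
    {
        var computed = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA512, hash.Length);
        return CryptographicOperations.FixedTimeEquals(computed, hash);
    }

    // Migration path: accept the old scheme at login, then rehash with PBKDF2.
    // Returns true on success and sets `upgraded` when the caller must persist new values.
    public static bool VerifyAndUpgrade(string password, byte[] hash, byte[] salt, int? iterations,
                                        out (byte[] Hash, byte[] Salt, int Iterations)? upgraded)
    {
        upgraded = null;
        if (iterations is int n)                  // already PBKDF2
            return VerifyPbkdf2(password, hash, salt, n);
        if (!VerifyHmacSha512(password, hash, salt))
            return false;
        upgraded = HashPbkdf2(password);          // legacy HMAC row: rehash on successful login
        return true;
    }
}
```

The seeded test accounts can be created with either scheme; what the DbInitializer must never do is store the plaintext test passwords or reuse one salt across users.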
You can access endpoints via Swagger at /documentations/index.html or Scalar UI at /docs.

Auth:
- POST /api/auth/register → Register a new user
- POST /api/auth/login → Login user

Books:
- GET /api/books → Get paginated books
- GET /api/books/{id} → Get book by ID
- POST /api/books → Create book (Author only)
- PUT /api/books/{id} → Update book (Author only)
- DELETE /api/books/{id} → Delete book (Author/Admin)

Audits:
- GET /api/audits → Get paginated audit logs
- GET /api/audits/{id} → Get specific audit log
- DELETE /api/audits/{id} → Delete audit log (no role is stated here; since audit records are meant to be tamper-evident, restrict this to Admin or disable it outside development)
The solution includes comprehensive test coverage:
- AuthRepoTests → Validates registration, login, JWT generation, and password hashing.
- AuthControllerTests → Ensures correct HTTP responses for login/register endpoints.
- BookRepoTests → Covers CRUD operations, search, pagination, and role-based restrictions.
- BookControllerTests → Validates controller responses for book operations.
- AuditRepoTests → Confirms audit logging is triggered correctly.
Tests use:
- xUnit as the test framework
- Moq for mocking dependencies
- EF Core InMemory for repository tests
From the solution root:

```bash
dotnet test
```

Run tests by navigating to the TestProject:

```bash
cd TestProject
dotnet test
```

Run only a specific test class or method:

```bash
dotnet test --filter FullyQualifiedName~BookRepoTests
dotnet test --filter FullyQualifiedName~BookRepoTests.UpdateBook_ShouldReturn200_WhenAuthorUpdatesOwnBook
```

Run tests continuously while coding:

```bash
dotnet watch test
```

This project is licensed under the MIT License. See LICENSE for details.