Class RequirePlatformAdminAttribute

Namespace
KadicAuth.Api.Authorization
Assembly
KadicAuth.Api.dll

Gate that ONLY lets active platform admins past. Applied at the action or controller level. Defensive design:

  1. The JWT claim platform_admin is a fast hint — it must be present AND equal to "true". Any other value (missing, "false", tampered) fails the gate immediately.
  2. The claim is then re-verified against the database through IPlatformAdminService. This shrinks the revocation window from "JWT lifetime" to "PlatformAdminService cache TTL" (~30 seconds).
  3. On failure we return 404 NotFound instead of 403 Forbidden. The entire PlatformAdmins controller is also hidden from Swagger, so unauthorized callers should never learn the endpoint even exists.

Never weaken (2). The claim alone is not sufficient evidence — if it were, a stolen JWT would retain platform-admin powers for the full token lifetime.
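As an added illustration of the three rules above (not the project's own code), here is how an ASP.NET Core authorization filter with this behaviour could be written. The IPlatformAdminService method name, the user-id claim type, and the service-locator call are assumptions; the class is named differently from the documented attribute to make clear it is a reconstruction.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;

// Assumed shape of the database re-check; the real interface may differ.
public interface IPlatformAdminService
{
    Task<bool> IsActivePlatformAdminAsync(string userId);
}

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public sealed class RequirePlatformAdminExampleAttribute : Attribute, IAsyncAuthorizationFilter
{
    public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
    {
        var user = context.HttpContext.User;

        // (1) Fast hint: the claim must exist and be exactly "true".
        //     Missing, "false", "True" or a tampered value all fail here.
        var hint = user.FindFirst("platform_admin")?.Value;
        if (!string.Equals(hint, "true", StringComparison.Ordinal))
        {
            context.Result = new NotFoundResult(); // (3) 404, never 403
            return;
        }

        // (2) Re-verify against the database through the service.
        //     The subject claim type used to identify the caller is assumed.
        var userId = user.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(userId))
        {
            context.Result = new NotFoundResult();
            return;
        }

        var admins = context.HttpContext.RequestServices
            .GetRequiredService<IPlatformAdminService>();
        if (!await admins.IsActivePlatformAdminAsync(userId))
        {
            context.Result = new NotFoundResult(); // revoked since the JWT was issued
            return;
        }

        // Leaving context.Result null lets the pipeline continue to the action.
    }
}
```

Because the database check runs on every request, a revoked admin loses access within the service's cache TTL rather than at JWT expiry, which is the property rule (2) exists to guarantee.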

[AttributeUsage(AttributeTargets.Class|AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public sealed class RequirePlatformAdminAttribute : Attribute
Inheritance
object
Attribute
RequirePlatformAdminAttribute

Methods

OnAuthorizationAsync(AuthorizationFilterContext)

Called early in the filter pipeline to confirm that the request is authorized.

public Task OnAuthorizationAsync(AuthorizationFilterContext context)

Parameters

context AuthorizationFilterContext

The Microsoft.AspNetCore.Mvc.Filters.AuthorizationFilterContext.

Returns

Task

A System.Threading.Tasks.Task that on completion indicates the filter has executed.