
Further to the recent changes adding authentication and authorisation: some considerations for your security threat model

Open. SimonGeering opened this issue 6 years ago • 1 comment

There is currently a bunch of discussion going on about the various approaches to adding OpenID Connect, specifically around the potential risks of using the implicit flow, as is common in SPA apps; a good overview of this is presented here: https://brockallen.com/2019/01/03/the-state-of-the-implicit-flow-in-oauth2/

You may find the following useful in deciding which way you want to implement OIDC in your app: https://damienbod.com/2019/04/02/securing-browser-based-javascript-typescript-applications/

The following article presents one solution to this situation: https://leastprivilege.com/2019/01/18/an-alternative-way-to-secure-spas-with-asp-net-core-openid-connect-oauth-2-0-and-proxykit/

You probably also want to take advantage of the .NET Core XSS protections (https://docs.microsoft.com/en-us/aspnet/core/security/cross-site-scripting?view=aspnetcore-3.0) and XSRF/CSRF protections (https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-3.0).

Additionally, it would be worth looking at the OWASP Top 10 security issues: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

A good cheat sheet for these is here: https://github.com/OWASP/CheatSheetSeries#cheat-sheets-index

SimonGeering, Jun 07 '19 15:06

Let's get past an initial minimum viable product and then apply these security practices.

csharpfritz, Jun 16 '19 15:06