Production-ready ASP.NET Core 9.0 Web API with JWT authentication, refresh tokens, RBAC, and Clean Architecture.
I built this Project Management API as a comprehensive portfolio piece to demonstrate production-ready .NET development skills.
This project showcases modern enterprise patterns and best practices that go beyond typical tutorial projects:
Key Highlights:
- Clean Architecture with proper layer separation
- JWT Authentication with refresh token rotation
- Role-Based Access Control (3 role hierarchy)
- Comprehensive Testing with 72 unit tests
- Professional Documentation (8 docs)
- Security Best Practices (token rotation, password hashing, XSS protection)
What makes this different:
- Not a simple CRUD app - implements real-world security patterns
- Complete documentation showing understanding beyond code
- Test-driven approach with high coverage
- Enterprise architecture suitable for scaling
Target Audience: Development teams needing a secure, scalable task management backend.
- JWT + Refresh Tokens (15min access / 7-day refresh)
- Token Rotation (automatic on refresh - prevents replay attacks)
- HTTP-only Cookies (XSS protection)
- PBKDF2 Password Hashing (via ASP.NET Identity)
- IP Address Tracking (audit trail)
- Role-Based Authorization (3 levels: User, Manager, Admin)
- 4-Layer Separation (Domain ? Application ? Infrastructure ? API)
- Dependency Inversion (Domain has zero dependencies)
- Interface Segregation (IAuthService, IProjectService, etc.)
- Repository Pattern (via EF Core DbContext)
- DTOs (no entity exposure to API)
- Structured Logging (Serilog with file + console outputs)
- Global Exception Handling (custom middleware)
- Pagination & Search (all list endpoints)
- Input Validation (data annotations on all DTOs)
- Swagger/OpenAPI (interactive documentation)
- 72 Unit Tests (FluentAssertions + in-memory DB)
Core Framework:
- .NET 9.0
- C# 13.0
- ASP.NET Core 9.0
Data & Persistence:
- Entity Framework Core 9.0
- SQL Server (LocalDB for development)
Security:
- JWT Bearer Authentication
- ASP.NET Core Identity (PasswordHasher)
- Microsoft.IdentityModel.Tokens
Logging & Monitoring:
- Serilog 8.0
- Serilog.Sinks.Console
- Serilog.Sinks.File
Testing:
- xUnit 2.9
- FluentAssertions
- In-Memory Database
Documentation:
- Swagger/OpenAPI
- 8 Markdown documentation files
- .NET 9 SDK
- SQL Server LocalDB (included with Visual Studio)
- Git
# 1. Clone the repository
git clone https://github.com/robbevanhalst-dev/dotnet-project-management-platform.git
cd dotnet-project-management-platform
# 2. Set up secrets (see Configuration Guide)
copy src/ProjectManagement.Api/ProjectManagement.Api/appsettings.Example.json src/ProjectManagement.Api/ProjectManagement.Api/appsettings.Development.json
# 3. Restore & run
dotnet restore
dotnet ef database update --project src/ProjectManagement.Infrastructure --startup-project src/ProjectManagement.Api/ProjectManagement.Api
dotnet run --project src/ProjectManagement.Api/ProjectManagement.ApiAccess the API:
- Swagger UI: https://localhost:5001/swagger
- API Base: https://localhost:5001/api
For detailed setup instructions, see Getting Started Guide
Authentication: Register ? Authenticate ? Get JWT ? Use with Bearer token
Core Endpoints:
/api/auth/*- Authentication & authorization/api/projects/*- Project management (CRUD + members)/api/tasks/*- Task management (CRUD + assignment)/api/users/*- User management (profile + admin)
Authorization Levels:
- User - View own data, update assigned tasks
- Manager - Create projects/tasks, manage teams
- Admin - Full system access
For complete endpoint documentation, see API Reference
Clean Architecture (4-layer separation):
API ? Application ? Domain
? ?
Infrastructure ?
Key Principles:
- Domain has zero dependencies
- Application defines interfaces, Infrastructure implements
- Dependency Inversion via DI
For detailed architecture documentation, see Architecture Guide
JWT Authentication with Refresh Token Rotation
Flow: Register ? Login ? Access Token (15min) + Refresh Token (7 days) ? Auto-rotation
Key Features:
- Token Rotation (anti-replay)
- HTTP-Only Cookies (XSS protection)
- PBKDF2 Password Hashing
- IP Tracking & Audit Trail
- 3-Tier RBAC (User/Manager/Admin)
For complete security documentation, see Security Guide
72 Unit Tests with 100% pass rate
AuthService (22) • ProjectService (18) • TaskService (20) • UserService (12)
dotnet test # 72/72 passing in ~6 secondsFor detailed testing guide, see Testing Documentation
Building this project was an intensive learning experience that took me beyond tutorials into production-ready development:
- JWT Security Pattern - Implementing refresh token rotation was challenging but taught me how to prevent replay attacks
- Clean Architecture - Understanding the "why" behind layer separation, not just the "how"
- EF Core Migrations - Managing database schema evolution and relationships
- Unit Testing - Writing testable code by designing with interfaces first
- Async/Await - Proper async patterns throughout the entire stack
- Refresh Token Implementation - Initially struggled with token rotation logic, learned about security best practices
- Role-Based Authorization - Understanding the difference between authentication and authorization
- Global Exception Handling - Creating consistent error responses across the API
- Test Isolation - Learning to use in-memory databases and proper test cleanup
- Start with integration tests from day 1 (not just unit tests)
- Implement resource-based authorization (users can only edit their own projects)
- Add soft delete pattern (audit trail for deleted data)
- Use MediatR for CQRS pattern (better separation of commands/queries)
- Deploy to Azure with CI/CD pipeline
- Add Docker containerization
- Implement code coverage reporting
- Add API versioning
- Create Postman collection for testing
Complete documentation suite (8 documents):
| Document | Description |
|---|---|
| Documentation Overview | Complete documentation index |
| Getting Started | Installation & quick start guide |
| API Reference | Complete endpoint documentation |
| Security Guide | Authentication & authorization (includes RBAC) |
| Architecture | Clean Architecture deep dive |
| Database | Schema design & migrations |
| Configuration | Settings & environment setup |
| Testing | Unit tests & testing strategy |
| Troubleshooting | Common issues & solutions |
This project is ideal for:
- Portfolio Showcase - Demonstrates production-ready .NET skills
- Job Interviews - Complete talking points on architecture, security, testing
- Learning Reference - Study real-world implementation of Clean Architecture
- Starter Template - Foundation for building SaaS applications
What it demonstrates:
- Enterprise-grade API design patterns
- Security-first development approach
- Test-driven development methodology
- Professional documentation practices
- Modern .NET ecosystem knowledge
Development (appsettings.Development.json):
{
"Jwt": {
"Key": "YOUR_DEVELOPMENT_SECRET_KEY_MIN_32_CHARS",
"AccessTokenExpirationMinutes": 15,
"RefreshTokenExpirationDays": 7
},
"ConnectionStrings": {
"DefaultConnection": "Server=(localdb)\\mssqllocaldb;Database=ProjectManagementDb;Trusted_Connection=true"
}
}Production:
- Use environment variables or Azure Key Vault for secrets
- Never commit
appsettings.Development.jsonto Git - See
appsettings.Example.jsonfor template
WARNING: Do NOT commit secrets to Git
TIP: Use appsettings.Example.json as template
TIP: Copy to appsettings.Development.json and add your secrets
TIP: Add appsettings.Development.json to .gitignore
Contributions, issues, and feature requests are welcome!
- Fork the repository
- Create your feature branch (
git checkout -b feature/AmazingFeature) - Commit your changes (
git commit -m 'Add some AmazingFeature') - Push to the branch (
git push origin feature/AmazingFeature) - Open a Pull Request
Areas for contribution:
- Integration tests
- Docker containerization
- API versioning
- Resource-based authorization
- Performance optimizations
This project is licensed under the MIT License - see the LICENSE file for details.
Robbe Vanhalst
Junior .NET Developer | Belgium
I'm a recently graduated .NET developer passionate about clean code, software architecture, and security. This project represents my commitment to professional development and enterprise-grade software practices.
Looking for opportunities in:
- Backend .NET Development
- API Development
- Clean Architecture Projects
- Enterprise Software Development
Project Metrics:
- 72 Unit Tests - 100% passing
- 8 Documentation Files - Complete guides
- 4 Architecture Layers - Clean separation
- 3 Role Levels - RBAC implementation
- ~2,000 lines of code - Production quality
Star this repository if you find it useful!
Made with care by Robbe Vanhalst