A full-stack online auction management system built with ASP.NET Core 9.0 and React 18. This platform enables secure, real-time bidding with comprehensive user management, payment processing, and administrative controls.
The backend leverages modern ASP.NET Core features to deliver a scalable, secure, and maintainable REST API with real-time capabilities.
- Framework: ASP.NET Core 9.0 Web API
- Database: SQL Server with Entity Framework Core 9.0.9
- Authentication: JWT Bearer tokens with role-based authorization
- Real-time Communication: SignalR for live bidding and notifications
- Payment Processing: Stripe.NET SDK (v49.0.0)
- Password Security: BCrypt.Net-Next (v4.0.3)
- API Documentation: Swagger/OpenAPI
backend/AuctionHouse.Api/
├── Controllers/ # RESTful API endpoints
├── Services/ # Business logic layer
├── Models/ # Entity Framework domain models
├── DTOs/ # Data Transfer Objects
├── Data/ # DbContext, migrations, seeding
├── Hubs/ # SignalR hubs for real-time features
├── Middleware/ # Custom middleware (token revocation)
├── Migrations/ # EF Core database migrations
├── wwwroot/ # Static file serving (uploaded images)
└── Program.cs # Application configuration and DI setup
The frontend provides a modern, responsive user interface with real-time updates and seamless API integration.
- Framework: React 18 with TypeScript
- Build Tool: Vite
- UI Components: Radix UI primitives with shadcn/ui
- Styling: Tailwind CSS
- State Management: React Context API
- Real-time: SignalR client (@microsoft/signalr)
- Forms: React Hook Form
- Charts: Recharts
The application uses ASP.NET Core's built-in dependency injection container for service registration:
// Scoped services for database operations
builder.Services.AddScoped<IAuthService, AuthService>();
builder.Services.AddScoped<IAuctionService, AuctionService>();
builder.Services.AddScoped<IBidService, BidService>();
builder.Services.AddScoped<ITransactionService, TransactionService>();
builder.Services.AddScoped<INotificationService, NotificationService>();
builder.Services.AddScoped<IAdminService, AdminService>();
builder.Services.AddScoped<IPaymentService, PaymentService>();
// Background services for automated tasks
builder.Services.AddHostedService<AuctionClosingService>();builder.Services.AddDbContext<ApplicationDbContext>(options =>
options.UseSqlServer(builder.Configuration.GetConnectionString("DefaultConnection")));The application automatically applies migrations and seeds initial data on startup:
using (var scope = app.Services.CreateScope())
{
var db = scope.ServiceProvider.GetRequiredService<ApplicationDbContext>();
await db.Database.MigrateAsync();
await SeedData.EnsureSeedData(db);
}Configured using ASP.NET Core's authentication middleware with custom token validation:
builder.Services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidateAudience = true,
ValidIssuer = jwtSection["Issuer"],
ValidAudience = jwtSection["Audience"],
IssuerSigningKey = new SymmetricSecurityKey(key),
ValidateLifetime = true
};
// SignalR token handling via query string
options.Events = new JwtBearerEvents
{
OnMessageReceived = context =>
{
var accessToken = context.Request.Query["access_token"];
var path = context.HttpContext.Request.Path;
if (!string.IsNullOrEmpty(accessToken) &&
path.StartsWithSegments("/hubs/auction"))
{
context.Token = accessToken;
}
return Task.CompletedTask;
}
};
});Real-time bidding and notifications are handled through a dedicated SignalR hub:
builder.Services.AddSignalR();
// Hub endpoint mapping
app.MapHub<AuctionHub>("/hubs/auction");Configured to allow cross-origin requests from the React frontend:
builder.Services.AddCors(opts =>
{
opts.AddPolicy("AllowReactApp", p =>
p.WithOrigins("http://localhost:3000", "http://localhost:5173")
.AllowAnyHeader()
.AllowAnyMethod()
.AllowCredentials());
});The application follows ASP.NET Core middleware ordering best practices:
app.UseHttpsRedirection();
app.UseRouting();
app.UseCors("AllowReactApp");
app.UseStaticFiles();
app.UseAuthentication();
app.UseTokenRevocation(); // Custom middleware
app.UseAuthorization();
app.MapControllers();
app.MapHub<AuctionHub>("/hubs/auction");Implements token blacklisting for logout functionality:
Middleware/TokenRevocationMiddleware.cs
This middleware checks revoked tokens after authentication but before authorization, ensuring logged-out users cannot access protected resources.
The API follows REST conventions with 14 controllers:
| Controller | Responsibility |
|---|---|
AuthController |
User registration, login, logout, token management |
UsersController |
User profile management and CRUD operations |
AuctionsController |
Auction CRUD, search, filtering, status management |
BidsController |
Bid placement, validation, history retrieval |
CategoriesController |
Category management |
ImagesController |
Image upload and retrieval |
WatchlistController |
User watchlist operations |
TransactionsController |
Transaction records and history |
PaymentsController |
Stripe payment integration and webhooks |
NotificationsController |
User notifications and preferences |
AdminController |
User management, auction moderation |
AnalyticsController |
Platform statistics and reporting |
AnnouncementsController |
System-wide announcements |
ActivityLogsController |
Audit logging |
Business logic is encapsulated in service classes, following the Repository/Service pattern:
Services/
├── AuthService.cs # Authentication and authorization
├── AuctionService.cs # Auction business logic
├── BidService.cs # Bidding rules and validation
├── TransactionService.cs # Payment and transaction handling
├── NotificationService.cs # Notification dispatch
├── PaymentService.cs # Stripe integration
├── AdminService.cs # Administrative operations
├── AuctionClosingService.cs # Background service for auction closure
└── [Interface definitions]
All API communication uses DTOs to:
- Decouple API contracts from database models
- Control data exposure (security)
- Enable validation attributes
- Support versioning
DTOs/
├── AuthDtos.cs # Login, register, token responses
├── AuctionDtos.cs # Auction creation, updates, listings
├── BidDtos.cs # Bid placement and history
├── UserDtos.cs # User profiles and updates
├── TransactionDto.cs # Transaction records
├── NotificationDtos.cs # Notification payloads
└── AdminDtos.cs # Administrative data structures
The application uses Entity Framework Core with the following domain models:
| Model | Description |
|---|---|
User |
User accounts with roles and authentication data |
Auction |
Auction items with status, timing, and pricing |
Bid |
Bid records with amount, timestamp, and bidder |
Category |
Auction categories for organization |
AuctionImage |
Multiple images per auction |
Watchlist |
User-specific auction watchlists |
Transaction |
Payment and fulfillment records |
Notification |
User notifications with type and status |
RevokedToken |
Blacklisted JWT tokens for logout |
ActivityLog |
Audit trail for administrative actions |
Announcement |
System-wide announcements |
- User → Auction (1:Many) - Seller relationship
- User → Bid (1:Many) - Bidder relationship
- Auction → Bid (1:Many) - Bid history
- Auction → AuctionImage (1:Many) - Multiple images
- Auction → Category (Many:1) - Categorization
- User → Watchlist (1:Many) - Saved auctions
- User → Transaction (1:Many) - Purchase history
- User → Notification (1:Many) - User notifications
The SignalR hub provides real-time updates for:
- Bid placement broadcasts to all connected clients
- Auction status changes (ended, extended)
- User join/leave notifications for auction rooms
- Live price updates
Clients join auction-specific groups to receive targeted updates:
// Join auction group
await signalRService.joinAuctionGroup(auctionId);
// Listen for bid updates
signalRService.onBidPlaced((bidData) => {
updateAuctionUI(bidData);
});The application integrates Stripe for secure payment processing:
- Payment Sessions: Server-side session creation with
PaymentService - Webhook Handling: Automated transaction updates on payment events
- Security: PCI DSS compliance through Stripe's hosted checkout
- Refunds: Administrative refund capabilities
- Auction ends, winner is determined
- Transaction record created with "Pending" status
- Payment session generated via Stripe API
- User redirected to Stripe Checkout
- Webhook confirms payment
- Transaction status updated to "Paid"
- Notification sent to buyer and seller
Implemented as an IHostedService to automatically:
- Monitor auction end times
- Update auction status to "Closed"
- Determine winning bidder
- Create transaction records
- Send notifications to participants
The application uses a layered configuration approach:
// Base configuration
appsettings.json (committed, no secrets)
// Environment-specific
appsettings.Development.json
appsettings.Production.json
// Local secrets (not committed)
builder.Configuration.AddJsonFile("appsettings.Secrets.json", optional: true);
// Environment variables (production)
builder.Configuration.AddEnvironmentVariables();{
"ConnectionStrings": {
"DefaultConnection": "Server=...;Database=AuctionHouseDB;..."
},
"Jwt": {
"Key": "your-secret-key-minimum-16-characters",
"Issuer": "AuctionHouse",
"Audience": "AuctionHouseUsers",
"ExpiresMinutes": 120
},
"Stripe": {
"PublishableKey": "pk_test_...",
"SecretKey": "sk_test_...",
"WebhookSecret": "whsec_..."
}
}- JWT Tokens: Stateless authentication with configurable expiration
- Role-Based Access Control: Admin and User roles with
[Authorize(Roles = "...")] - Token Revocation: Middleware-based blacklisting for logout
- Password Hashing: BCrypt with salt rounds for secure storage
- Model validation attributes in DTOs
- Business rule validation in service layer
- SQL injection prevention via parameterized queries (EF Core)
- HTTPS redirection enforced
- CORS configured for specific frontend origins
- Credentials allowed for SignalR connections
- .NET 9.0 SDK
- SQL Server (LocalDB or full instance)
- Node.js 18+ and npm
- Visual Studio 2022 or VS Code
cd backend/AuctionHouse.Api
# Restore packages
dotnet restore
# Create secrets file from template
copy appsettings.json appsettings.Secrets.json
# Edit appsettings.Secrets.json with your credentials
# Apply migrations
dotnet ef database update
# Run the API
dotnet runThe API will be available at http://localhost:5021
cd frontend
# Install dependencies
npm install
# Start development server
npm run devThe frontend will be available at http://localhost:3000 or http://localhost:5173
POST /api/auth/register- User registrationPOST /api/auth/login- User loginPOST /api/auth/logout- Token revocation
GET /api/auctions- List auctions with filteringGET /api/auctions/{id}- Get auction detailsPOST /api/auctions- Create auction (authenticated)PUT /api/auctions/{id}- Update auction (owner/admin)DELETE /api/auctions/{id}- Delete auction (owner/admin)
POST /api/bids- Place bid (authenticated)GET /api/bids/auction/{auctionId}- Get bid historyGET /api/bids/user- Get user's bid history
GET /api/transactions- User transaction historyGET /api/transactions/{id}- Transaction detailsPUT /api/transactions/{id}/shipping- Update shipping status
POST /api/payments/create-session- Create Stripe checkout sessionPOST /api/payments/webhook- Stripe webhook endpoint
GET /api/admin/users- List all users (admin)PUT /api/admin/users/{id}/suspend- Suspend user (admin)DELETE /api/admin/auctions/{id}- Remove auction (admin)GET /api/analytics- Platform statistics (admin)
PowerShell test scripts are provided in backend/testing/:
# Run all Phase 1 tests
.\testing\run-all-phase1-tests.ps1
# Test specific features
.\testing\test-auction-crud.ps1
.\testing\test-bid-simple.ps1
.\testing\test-notifications.ps1Manual testing checklists available in docs/PHASE*_TESTING_GUIDE.md
- Use environment variables for sensitive configuration
- Consider Azure Key Vault for secret management
- Enable HTTPS and update CORS origins
- Configure proper connection pooling for SQL Server
- Set up log aggregation (Application Insights, Seq, etc.)
- Ensure proper indexes on frequently queried columns
- Configure backup strategy for SQL Server
- Monitor query performance with EF Core logging
- SignalR backplane required for multi-instance deployments (Redis, Azure SignalR Service)
- Consider API rate limiting
- Implement caching for frequently accessed data (IDistributedCache)
- Use CDN for static assets and uploaded images
Comprehensive documentation is available in the docs/ directory:
ARCHITECTURE.md- System architecture and design patternsPHASE*_COMPLETION_SUMMARY.md- Development phase summariesTESTING_GUIDE.md- Testing procedures and checklistsSECURITY_SETUP.md- Security configuration detailsUSER_GUIDE.md- End-user documentation
This project is developed for educational purposes as part of SE205.3 coursework.
| Layer | Technology |
|---|---|
| Backend Framework | ASP.NET Core 9.0 Web API |
| ORM | Entity Framework Core 9.0.9 |
| Database | SQL Server |
| Authentication | JWT Bearer Tokens |
| Real-time | SignalR |
| Payment | Stripe.NET SDK |
| Frontend | React 18 + TypeScript |
| Build Tool | Vite |
| UI Framework | Tailwind CSS + Radix UI |
| API Documentation | Swagger/OpenAPI |