YusufUguz/FoodForHealthAPI

Food For Health — API

REST API that powers the Food For Health mobile app. It handles user accounts and authentication, stores health profiles and chronic conditions, and serves food/product data that the mobile client looks up by barcode to decide whether a product is suitable for a given user.

Built with ASP.NET Core 9, Entity Framework Core and SQL Server, using ASP.NET Identity with JWT bearer tokens for authentication.

📱 Mobile client (Flutter): food_for_health


Features

  • Authentication & authorization — registration and login backed by ASP.NET Identity, with stateless JWT access tokens. Roles (User, Admin) are provisioned automatically on startup.
  • Health profiles — store and update a user's physical information (height, weight, gender, birth date).
  • Chronic conditions — a reference list of diseases, plus per-user condition records that the app uses when evaluating foods.
  • Food lookup by barcode — products with ingredients, allergens, calories, category and expiry information, queried by their barcode.
  • Swagger UI — interactive API documentation with built-in bearer token support.

Tech stack

Area        Technology
Framework   ASP.NET Core 9 (Web API)
ORM         Entity Framework Core 9 (code-first migrations)
Database    SQL Server
Auth        ASP.NET Identity + JWT Bearer
Docs        Swashbuckle / Swagger

Project structure

FoodForHealthAPI/
├── Controllers/        # API endpoints (Users, Foods, Diseases, UserInfos, UserDiseases)
├── Models/             # Entities + the EF Core DbContext (FoodForHealthContext)
├── DTO/                # Request/response data transfer objects
├── Migrations/         # EF Core code-first migrations
├── Program.cs          # App configuration, DI, auth, role seeding
└── appsettings.json    # Connection string and app settings

Data model

  • AppUser / AppRole — Identity user and role (integer keys), with FullName and DateAdded added to the user.
  • UserInfo — a user's physical profile.
  • Disease — reference list of conditions.
  • UserDisease — conditions linked to a specific user.
  • Food — product details, with a foreign key to FoodCategory.

API endpoints

Method  Route                            Description                         Auth
POST    /api/Users/register              Create a new account                Public
POST    /api/Users/login                 Authenticate, returns a JWT         Public
GET     /api/getdiseases                 List reference diseases             Public
GET     /api/getfoodbybarcode?barcode=   Look up a product by barcode        Public
GET     /api/getuserinfo?userID=         Get a user's profile                Public
POST    /api/createuserinfo              Create or update a user's profile   Public
GET     /api/getuserdiseases?userID=     List a user's conditions            Public
POST    /api/createuserdisease           Add a condition to a user           Public
DELETE  /api/deleteuserdisease?ID=       Remove a user condition             Public

The login endpoint returns a signed JWT that the mobile client stores and decodes to keep the user signed in.
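
As an added illustration, not code from this repository, here is how a login method can mint the JWT described above: credentials are checked through ASP.NET Identity with lockout counting enabled, the HMAC-SHA256 key comes from the AppSettings:Secret value in appsettings.json, and the user's id and roles travel as claims. The TokenService name, the use of SignInManager and the one-hour lifetime are assumptions.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.IdentityModel.Tokens;

// Hypothetical service, not the repository's own: issues the access token for /api/Users/login.
public class TokenService
{
    private readonly SignInManager<AppUser> _signInManager;
    private readonly UserManager<AppUser> _userManager;
    private readonly string _secret;

    public TokenService(SignInManager<AppUser> signInManager,
                        UserManager<AppUser> userManager, IConfiguration config)
    {
        _signInManager = signInManager;
        _userManager = userManager;
        // The signing key is read from configuration, never hard-coded in source.
        _secret = config["AppSettings:Secret"]
                  ?? throw new InvalidOperationException("AppSettings:Secret is not configured");
    }

    // Returns null for any failed login so the controller can answer with a single
    // generic 401 that does not reveal whether the email or the password was wrong.
    public async Task<string?> LoginAsync(string email, string password)
    {
        var user = await _userManager.FindByEmailAsync(email);
        if (user is null) return null;
        // lockoutOnFailure: true makes Identity count failures and lock the account.
        var result = await _signInManager.CheckPasswordSignInAsync(user, password, lockoutOnFailure: true);
        if (!result.Succeeded) return null;

        var claims = new List<Claim>
        {
            new(JwtRegisteredClaimNames.Sub, user.Id.ToString()),
            new(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
        };
        // Role claims let [Authorize(Roles = "Admin")] work without a database hit per request.
        foreach (var role in await _userManager.GetRolesAsync(user))
            claims.Add(new Claim(ClaimTypes.Role, role));

        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_secret));
        var token = new JwtSecurityToken(
            claims: claims,
            expires: DateTime.UtcNow.AddHours(1),   // short lifetime; assumed value
            signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}
```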

Security & engineering highlights

  • Protected endpoints — every data endpoint requires a valid JWT ([Authorize]); only registration and login are public. Requests without a token are rejected with 401.
  • Stateless JWT auth — tokens are signed with HMAC-SHA256 and validated on each request; the signing key is read from configuration rather than hard-coded.
  • Identity & passwords — authentication is handled by ASP.NET Identity, so passwords are hashed (never stored in plain text), with a configurable password policy and lockout.
  • Input validation — DTOs use data-annotation rules (required fields, email/phone format, minimum password length); invalid payloads are rejected with 400 before any database work.
  • No information leakage — controllers return generic error messages instead of raw exception details.
  • Efficient data access — read endpoints project straight to DTOs inside the EF Core query (Select(...)), so only the needed columns are fetched and entities aren't over-exposed.
  • Automatic role provisioning — required roles are seeded on startup, so the API works against a fresh database with no manual setup.

Getting started

Prerequisites

  • .NET 9 SDK
  • SQL Server (Express, Developer or LocalDB)
  • EF Core tools: dotnet tool install --global dotnet-ef

Setup

  1. Clone the repository and open the folder.

  2. Set the connection string in appsettings.json to point at your SQL Server instance:

    "ConnectionStrings": {
      "ConnectionString": "Data Source=localhost;Initial Catalog=foodforhealth;TrustServerCertificate=true;Trusted_Connection=yes"
    }
  3. Replace the JWT secret in appsettings.json with your own long random value:

    "AppSettings": {
      "Secret": "your-own-long-random-secret-key"
    }
  4. Create the database by applying the migrations:

    dotnet ef database update
  5. Run the API:

    dotnet run

    By default it listens on http://localhost:5016. Swagger UI is available at http://localhost:5016/swagger.

Connecting from the mobile app

When running the API alongside the Flutter app on an Android emulator, the emulator reaches the host machine at 10.0.2.2, so the mobile client points to http://10.0.2.2:5016.

License

Released under the MIT License.

About

This is an ASP.NET Web API project used by the FoodForHealth mobile application.