With our /auth/secret endpoint safely locked away behind the Authorize attribute, we need some way of authenticating and authorizing a user. For that, we'll use the AuthenticateUser() method, which is marked with the AllowAnonymous attribute so that anyone can attempt to log in. The first thing we'll need is a list of users. For this, I've created a simple dictionary of username:password combinations in a user_vault.json file, which we can access through a static UserVault class. The UserVault class exposes a simple method for checking whether a username:password combination exists in our user database. Let's define user_vault.json as follows:
{ "aladdin": "open_sesame", "dr_suess": "green_eggs_and_ham", ...