First, inject a UserManager<ApplicationUser> into the TodoController:

    Controllers/TodoController.cs

    You’ll need to add a new using statement at the top:

    1. using Microsoft.AspNetCore.Identity;

    The UserManager class is part of ASP.NET Core Identity. You can use it to look up the current user in the Index action:

    1. public async Task<IActionResult> Index()
    2. {
    3.     var currentUser = await _userManager.GetUserAsync(User);
    4.     if (currentUser == null) return Challenge();
    6.     var todoItems = await _todoItemService.GetIncompleteItemsAsync(currentUser);
    8.     var model = new TodoViewModel()
    9.     {
    10.         Items = todoItems
    11.     };
    13.     return View(model);
    14. }

    The new code at the top of the action method uses the UserManager to get the current user from the User property available in the action:

    1. var currentUser = await _userManager.GetUserAsync(User);

    If there is a logged-in user, the User property contains a lightweight object with some (but not all) of the user’s information. The UserManager uses this to look up the full user details in the database via the GetUserAsync.

    The value of currentUser should never be null, because the [Authorize] attribute is present on the controller. However, it’s a good idea to do a sanity check, just in case. You can use the Challenge() method to force the user to log in again if their information is missing:

    Services/ITodoItemService.cs

    1. public interface ITodoItemService
    2. {
    3.     Task<IEnumerable<TodoItem>> GetIncompleteItemsAsync(ApplicationUser user);
    5.     // ...

    The next step is to update the database query and show only items owned by the current user.

    You’ll need to add a new property to the TodoItem entity model so each item can reference the user that owns it:

    1. public string OwnerId { get; set; }

    Since you updated the entity model used by the database context, you also need to migrate the database. Create a new migration using dotnet ef in the terminal:

    1. dotnet ef migrations add AddItemOwnerId

    This creates a new migration called AddItemOwner which will add a new column to the Items table, mirroring the change you made to the TodoItem entity model.

    Use dotnet ef again to apply it to the database:

    Services/TodoItemService.cs

    1. public async Task<IEnumerable<TodoItem>> GetIncompleteItemsAsync(ApplicationUser user)
    2. {
    3.     return await _context.Items
    4.         .Where(x => x.IsDone == false && x.OwnerId == user.Id)
    5.         .ToArrayAsync();
    6. }

    If you run the application and register or log in, you’ll see an empty to-do list once again. Unfortunately, any items you try to add disappear into the ether, because you haven’t updated the Add Item operation to save the current user to new items.

    You’ll need to use the UserManager to get the current user in the AddItem and MarkDone action methods, just like you did in Index. The only difference is that these methods will return a 401 Unauthorized response to the frontend code, instead of challenging and redirecting the user to the login page.

    Here are both updated methods in the TodoController:

    1. public async Task<IActionResult> AddItem(NewTodoItem newItem)
    2. {
    3.     if (!ModelState.IsValid)
    4.     {
    5.         return BadRequest(ModelState);
    6.     }
    8.     var currentUser = await _userManager.GetUserAsync(User);
    9.     if (currentUser == null) return Unauthorized();
    11.     var successful = await _todoItemService.AddItemAsync(newItem, currentUser);
    13.     {
    14.         return BadRequest(new { error = "Could not add item." });
    15.     }
    17. }
    19. public async Task<IActionResult> MarkDone(Guid id)
    20. {
    21.     if (id == Guid.Empty) return BadRequest();
    23.     var currentUser = await _userManager.GetUserAsync(User);
    24.     if (currentUser == null) return Unauthorized();
    26.     var successful = await _todoItemService.MarkDoneAsync(id, currentUser);
    27.     if (!successful) return BadRequest();
    29.     return Ok();
    30. }

    Both service methods must now accept an ApplicationUser parameter. Update the interface definition in ITodoItemService:

    1. Task<bool> AddItemAsync(NewTodoItem newItem, ApplicationUser user);
    3. Task<bool> MarkDoneAsync(Guid id, ApplicationUser user);

    And finally, update the service method implementations in the TodoItemService.

    For the AddItemAsync method, set the Owner property when you construct a new TodoItem:

    1. public async Task<bool> MarkDoneAsync(Guid id, ApplicationUser user)
    2. {
    3.     var item = await _context.Items
    4.         .Where(x => x.Id == id && x.OwnerId == user.Id)
    5.         .SingleOrDefaultAsync();
    7.     // ...

    All done! Try using the application with two different user accounts. The to-do items stay private for each account.