ASP.Net WebApi Code
AuthorizationFilterAttribute
The easiest way to protect your code is by adding a filter attribute to your controller or method. Below is the code that reads the API key from the request headers and validates it.
If the key is invalid, the filter returns an Unauthorized response to the client.
Important: Note the using namespaces! They import the WebApi namespaces (System.Web.Http) rather than the ASP.NET MVC ones.
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http.Filters;

namespace QuestoApi.Filters
{
    public class WebApiKeyAuthorisationAttribute : AuthorizationFilterAttribute
    {
        private const string HeaderApikeyName = "ApiKey"; // header name the client must send

        public override void OnAuthorization(
            System.Web.Http.Controllers.HttpActionContext actionContext)
        {
            base.OnAuthorization(actionContext);

            // AJAX frameworks usually send an OPTIONS (preflight) request first;
            // the line below lets OPTIONS run as usual without a key.
            if (actionContext.Request.Method == HttpMethod.Options)
                return;

            // Read the first value of the ApiKey header, if present.
            string key = null;
            if (actionContext.Request.Headers.Contains(HeaderApikeyName))
            {
                key = actionContext.Request
                    .Headers
                    .GetValues(HeaderApikeyName)
                    .FirstOrDefault();
            }

            if (ValidateApiKey(key))
            {
                // If it is valid, no need to do anything.
                // Alternatively, you can set the HttpContext User
                // to allow your app to identify the user who is calling the API:
                // HttpContext.Current.User = GeneratePrincipal();
            }
            else
            {
                // Otherwise, short-circuit the pipeline with an Unauthorized response.
                actionContext.Response = actionContext
                    .Request
                    .CreateResponse(HttpStatusCode.Unauthorized);
            }
        }

        private bool ValidateApiKey(string key)
        {
            // Write your key validation here
            return key == "valid-key";
        }
    }
}
Using on the controller
You can either place the attribute at the class level:

    [WebApiKeyAuthorisation]
    public class RegisterQuestController : ApiController

Or at method level:

    [WebApiKeyAuthorisation]
    public HttpResponseMessage PostUserQuest(RegisterQuestRequest p)
Once the attribute is in place, that method or controller is protected: the client must always include the API key in the request header.
Once the ApiKey is validated, you can optionally set the current principal so the rest of your application can identify the user who is calling the API:

    HttpContext.Current.User = GeneratePrincipal();
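The post leaves ValidateApiKey and GeneratePrincipal as stubs. The following is an added example (not the post's code) that fills both in: it keeps only SHA-256 hashes of the issued keys in a lookup table, compares them in constant time, and on success sets a ClaimsPrincipal on the request context, the thread and HttpContext so controllers and logging can see who called. The HashedApiKeyAuthorisationAttribute name, the KeyHashes table and its "demo-client" entry are assumptions made for the example; the "valid-key" sample value is the one from the post.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Web;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

namespace QuestoApi.Filters
{
    // Added example, not the post's code: API-key filter that stores key hashes,
    // compares them in constant time and identifies the caller via a principal.
    public class HashedApiKeyAuthorisationAttribute : AuthorizationFilterAttribute
    {
        private const string HeaderApikeyName = "ApiKey"; // must match the client header

        // Hypothetical key store: SHA-256(key) -> client name. In a real deployment
        // this comes from configuration or a database, never from source code.
        private static readonly Dictionary<string, string> KeyHashes =
            new Dictionary<string, string>
            {
                { Sha256Hex("valid-key"), "demo-client" } // constructed sample entry
            };

        public override void OnAuthorization(HttpActionContext actionContext)
        {
            base.OnAuthorization(actionContext);

            // Let CORS preflight (OPTIONS) requests through, as in the original filter.
            if (actionContext.Request.Method == HttpMethod.Options) return;

            string key = null;
            IEnumerable<string> values;
            if (actionContext.Request.Headers.TryGetValues(HeaderApikeyName, out values))
                key = values.FirstOrDefault();

            string clientName;
            if (!string.IsNullOrEmpty(key) && TryResolveClient(key, out clientName))
            {
                // Make the caller's identity visible to controllers and logging.
                var principal = GeneratePrincipal(clientName);
                actionContext.RequestContext.Principal = principal; // Web API 2
                Thread.CurrentPrincipal = principal;
                if (HttpContext.Current != null) HttpContext.Current.User = principal;
                return;
            }

            // Same response whether the key was missing or wrong: nothing to enumerate.
            actionContext.Response = actionContext.Request
                .CreateResponse(HttpStatusCode.Unauthorized);
        }

        private static bool TryResolveClient(string presentedKey, out string clientName)
        {
            // Hash the presented key and compare against every stored hash with a
            // fixed-time comparison so timing does not depend on how close a guess is.
            byte[] presented = Encoding.ASCII.GetBytes(Sha256Hex(presentedKey));
            clientName = null;
            bool found = false;
            foreach (var entry in KeyHashes)
            {
                if (FixedTimeEquals(presented, Encoding.ASCII.GetBytes(entry.Key)))
                {
                    clientName = entry.Value;
                    found = true;
                }
            }
            return found;
        }

        private static ClaimsPrincipal GeneratePrincipal(string clientName)
        {
            var identity = new ClaimsIdentity("ApiKey"); // authentication type
            identity.AddClaim(new Claim(ClaimTypes.Name, clientName));
            return new ClaimsPrincipal(identity);
        }

        private static string Sha256Hex(string input)
        {
            using (var sha = SHA256.Create())
            {
                byte[] hash = sha.ComputeHash(Encoding.UTF8.GetBytes(input));
                return BitConverter.ToString(hash).Replace("-", "").ToLowerInvariant();
            }
        }

        // Constant-time byte comparison; written by hand so it also works on
        // .NET Framework, which lacks CryptographicOperations.FixedTimeEquals.
        private static bool FixedTimeEquals(byte[] a, byte[] b)
        {
            if (a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }
}
```

Apply it exactly like the original attribute ([HashedApiKeyAuthorisation] on a controller or action). Inside an action, User.Identity.Name then yields the client name that was bound to the key, which is what you want in request logs when a key later has to be revoked.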
Adding Header to Sencha Ext Ajax Request
How to use this from Sencha Touch 2 Ext:

    Ext.Ajax.request({
        url: url,
        method: 'POST',
        headers: {
            'Content-Type': 'application/json;charset=utf-8',
            'Accept': 'application/json',
            'ApiKey': 'valid-key' // must match HeaderApikeyName in the filter
        },
        params: data, // your data
        failure: failureCallback,
        success: successCallback
    });
What is the usage of the ApiKey?
Someone can steal the api key, using very easy methods, and do what he wants.
The demonstration above is a quick way of locking your api if you need to. To make it secure you'd need to implement your own token renewal and stuff like that.
The code above is not production ready at all, but a simple way of prototyping something with reduced effort at server and client side (i.e. compared to OAuth, Hawk, etc.)