Home > Net >  How to scure my APIs on c#.net the best practice
How to scure my APIs on c#.net the best practice

Time:02-10

I built APIs on c#.net

these APIs works fine, but it is not secure, which means anyone worldwide can use it

using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Data.SqlClient;
using System.Data;

namespace CDAPIs.Controllers
{
    public class CallSPController : ApiController
    {

        [Route("api/CallSP")]
        public string Get(string SP = null, string Type = null, string Ps = null, string P0 = null, string P1 = null, string P2 = null, string P3 = null)
        {
            string sDBConn = Functions.GetConn();
            string[] Parms = Ps.Split(',');
            SqlConnection conn = new SqlConnection(sDBConn);
            SqlCommand cmd = new SqlCommand(SP, conn);
            cmd.CommandTimeout = 0;
            cmd.CommandType = CommandType.StoredProcedure;

            string P = "";
            for (int i = 0; i < Parms.Length; i  )
            {
                if (i == 0) { P = P0; }
                if (i == 1) { P = P1; }
                if (i == 2) { P = P2; }
                if (i == 3) { P = P3; }
                cmd.Parameters.Add(new SqlParameter("@"   Parms[i].Trim(), P));
            }


            try
            {
                conn.Open();

                if (Type.ToUpper().Trim() == "STRING")
                {
                    string st = cmd.ExecuteScalar().ToString();
                    conn.Close();
                    conn.Dispose();
                    return st;
                }
                else
                {
                    SqlDataReader rdr = cmd.ExecuteReader();
                    var dt = new DataTable();
                    dt.Load(rdr);
                    List<DataRow> result = dt.AsEnumerable().ToList();
                    rdr.Close();
                    conn.Close();
                    conn.Dispose();
                    string json = Functions.DataTableToJSON(dt);
                    //return Json(result, JsonRequestBehavior.AllowGet);
                    return json;
                }
            }
            catch (Exception ex)
            {
                return ex.Message;
            }
        }
    }
}

I want to protect these APIs and I would like to how to do that properly

I thought of adding UserID and Password to each API so the use send them as parameters

so it will be like this

    [Route("api/CallSP")]
    public string Get(string UserID, string Password, string SP = null, string Type = null, string Ps = null, string P0 = null, string P1 = null, string P2 = null, string P3 = null)
    {

Is there a better solution?

CodePudding user response:

No, you can't send secure data like passwords in the query as it could be easily stolen. In that case you should create an endpoint to authenticate the user and return to user secure string. This secure string is called JWT token. After that you put this token inside each request in the Authorization header. If API configured properly, and you used [Authorize] attribute, then you will automatically pass an authorization and step into your method. You can find the easiest code example (but post is in different language) here.

CodePudding user response:

[https://www.nuget.org/packages/Microsoft.Identity.Client/][1]

i think take a look something about identity. your way can be work fine if nobady will use the api. if you want to secure look for:

DbContext, IdentityDbContext

Page link:https//www.codepudding.com/net/293687.html

Prev:How do I return a list with newly added objects from a method (Beginner) C#
Next:In an MVC design, how should the Model communicate with the View?
  •  Tags:  
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding