REST-ish API Account Controller
Problem
I still have to implement API keys for client auth, but so far this is what I have for users. This was built using WebAPI and SimpleMembership with Forms Auth:
Is Authenticated:
```
using System;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Security;
using WebMatrix.WebData;

public class AccountController : ApiController
{
    public static DtoService _service = new DtoService();

    // GET /api/isAuthenticated
    // Returns the user id when the forms-auth cookie is valid, otherwise false.
    [System.Web.Http.HttpGet]
    public HttpResponseMessage IsAuthenticated()
    {
        try
        {
            if (User.Identity.IsAuthenticated)
                return Request.CreateResponse(HttpStatusCode.OK, WebSecurity.GetUserId(User.Identity.Name));
            else
                return Request.CreateResponse(HttpStatusCode.OK, false);
        }
        catch (Exception e)
        {
            // Note: the exception object itself is serialized into the response body.
            return Request.CreateResponse(HttpStatusCode.InternalServerError, e);
        }
    }
```
Login:
```
    // POST /api/login
    // [System.Web.Http.AllowAnonymous]
    [System.Web.Http.HttpPost]
    public HttpResponseMessage LogIn(LoginModel model)
    {
        if (!ModelState.IsValid)
            return Request.CreateErrorResponse(HttpStatusCode.BadRequest, ModelState);
        try
        {
            if (User.Identity.IsAuthenticated)
                return Request.CreateResponse(HttpStatusCode.Conflict, "already logged in.");
            // Distinguishes "unknown user" from "wrong password" in the response.
            if (!WebSecurity.UserExists(model.UserName))
                return Request.CreateResponse(HttpStatusCode.BadRequest, "User does not exist.");
            if (WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
            {
                FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
                return Request.CreateResponse(HttpStatusCode.OK, "logged in successfully");
            }
            return Request.CreateResponse(HttpStatusCode.BadRequest, "Login Failed.");
        }
        catch (Exception e)
        {
            return Request.CreateResponse(HttpStatusCode.InternalServerError, e);
        }
    }
```
Log Out:
```
    // POST /api/logout
    [System.Web.Http.HttpPost]
    ////[ValidateAntiForgeryToken]
    // [System.Web.Http.AllowAnonymous]
    [Authorize]
    public HttpResponseMessage LogOut()
    {
        try
        {
            // (the rest of LogOut was not captured on this page)
```
Solution
Let's start with your URIs.
GET /api/isAuthenticated - This is not RESTful, I guess. isAuthenticated doesn't sound like a resource; instead it sounds like a method returning true or false. Maybe it would help if you read more on RESTful architecture.
POST /api/login - Even this sounds like a process, not a resource.
Instead I would go with the /api/authentication URI:
On GET it returns the authenticated user's information.
On POST you send credentials to create a new authentication.
On DELETE you delete the authentication resource, which means logout.
The above is just an example of how to use RESTful URIs. To be blunt, the login process should not be done through RESTful URIs, as it introduces a stateful system, whereas a RESTful API should be stateless. Instead you should use the HTTP authentication headers for authenticating and authorizing a user.
I hope this helps you in understanding RESTful APIs.
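The answer's recommendation, stateless authentication from the HTTP Authorization header instead of a login endpoint, as an added Web API 2 example that also covers the API-key client auth the question still has to implement; this is not code from the question or the answer, and the `ApiKeyAuthenticationAttribute` class, the `ApiKey` scheme and the sample key are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http.Filters;
using System.Web.Http.Results;
// Hypothetical Web API 2 filter: authenticates each request from an "Authorization: ApiKey <keyId>:<secret>"
// header. No cookie or session is created, so the API stays stateless; [Authorize] still gates the actions.
public class ApiKeyAuthenticationAttribute : Attribute, IAuthenticationFilter
{
    // Constructed sample store, key id -> SHA-256 of the secret; only hashes are held server-side.
    private static readonly Dictionary<string, byte[]> KeyHashes =
        new Dictionary<string, byte[]> { { "client-1", Sha256("s3cr3t-example-key") } };
    public bool AllowMultiple { get { return false; } }
    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = context.Request.Headers.Authorization;
        // No header or a different scheme: leave the request anonymous; [Authorize] will reject it.
        if (auth == null || auth.Parameter == null ||
            !string.Equals(auth.Scheme, "ApiKey", StringComparison.OrdinalIgnoreCase))
            return Task.FromResult(0);
        string[] parts = auth.Parameter.Split(new[] { ':' }, 2);
        byte[] expected;
        if (parts.Length != 2 || !KeyHashes.TryGetValue(parts[0], out expected) ||
            !FixedTimeEquals(Sha256(parts[1]), expected))
        {
            // Same generic 401 for an unknown id and a wrong secret, so the response reveals neither.
            context.ErrorResult = new UnauthorizedResult(
                new[] { new AuthenticationHeaderValue("ApiKey") }, context.Request);
            return Task.FromResult(0);
        }
        context.Principal = new GenericPrincipal(new GenericIdentity(parts[0], "ApiKey"), new[] { "client" });
        return Task.FromResult(0);
    }
    // The WWW-Authenticate challenge is already attached to the 401 above, so nothing to add here.
    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken) { return Task.FromResult(0); }
    private static byte[] Sha256(string v) { using (var h = SHA256.Create()) return h.ComputeHash(Encoding.UTF8.GetBytes(v)); }
    // Compares every byte regardless of where the first mismatch is, so timing does not leak the secret.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    { int diff = a.Length ^ b.Length; for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i]; return diff == 0; }
}
```

Register it globally with `config.Filters.Add(new ApiKeyAuthenticationAttribute())` or put it on individual controllers alongside `[Authorize]`.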
Context
StackExchange Code Review Q#25428, answer score: 5