HiveBrain v1.2.0
Tags: pattern, csharp, Minor

REST-ish API Account Controller

Submitted by: @import:stackexchange-codereview
Tags: rest, account, controller, ish, api

Problem

I still have to implement API keys for client auth, but so far this is what I have for users. This was built using WebAPI and SimpleMembership with Forms Auth:

Is Authenticated:

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Security;
using WebMatrix.WebData;

public class AccountController : ApiController
{
    public static DtoService _service = new DtoService();

    // GET /api/isAuthenticated
    [System.Web.Http.HttpGet]
    public HttpResponseMessage IsAuthenticated()
    {
        try
        {
            if (User.Identity.IsAuthenticated)
                return Request.CreateResponse(HttpStatusCode.OK, WebSecurity.GetUserId(User.Identity.Name));
            else
                return Request.CreateResponse(HttpStatusCode.OK, false);
        }
        catch (Exception e)
        {
            // serialises the exception object into the 500 response body
            return Request.CreateResponse(HttpStatusCode.InternalServerError, e);
        }
    }

    // LogIn and LogOut (shown below) are members of this same class.
}
```


Login:

```csharp
// POST /api/login
// [System.Web.Http.AllowAnonymous]
[System.Web.Http.HttpPost]
public HttpResponseMessage LogIn(LoginModel model)
{
    if (!ModelState.IsValid)
        return Request.CreateErrorResponse(HttpStatusCode.BadRequest, ModelState);
    try
    {
        if (User.Identity.IsAuthenticated)
            return Request.CreateResponse(HttpStatusCode.Conflict, "already logged in.");
        if (!WebSecurity.UserExists(model.UserName))
            return Request.CreateResponse(HttpStatusCode.BadRequest, "User does not exist.");
        // WebSecurity.Login already sets the forms-auth cookie on success,
        // so the SetAuthCookie call below repeats what it has just done.
        if (WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
        {
            FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
            return Request.CreateResponse(HttpStatusCode.OK, "logged in successfully");
        }
        return Request.CreateResponse(HttpStatusCode.BadRequest, "Login Failed.");
    }
    catch (Exception e)
    {
        return Request.CreateResponse(HttpStatusCode.InternalServerError, e);
    }
}
```


Log Out:

```csharp
// POST /api/logout
[System.Web.Http.HttpPost]
////[ValidateAntiForgeryToken]
// [System.Web.Http.AllowAnonymous]
[Authorize]
public HttpResponseMessage LogOut()
{
    try
    {
        // the rest of this method is cut off in the original post
```

Solution

Let's start with your URIs.

GET /api/isAuthenticated - This is not RESTful, I guess. isAuthenticated doesn't sound like a resource; instead it sounds like a method returning true or false. Maybe it would help if you read more on RESTful architecture.

POST /api/login - Even this sounds like a process, not a resource.

Instead I would go with the /api/authentication URI:

On GET it returns the authenticated user's information.
On POST you send credentials to create a new authentication.
On DELETE you delete the authentication resource, which means logout.

The above is just an example of how to use RESTful URIs. To be blunt, the login process should not be done through RESTful URIs, as it introduces a stateful system, whereas a RESTful API should be stateless. Instead you should use the HTTP authentication headers for authenticating and authorizing a user.

I hope this helps you in understanding RESTful APIs.
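Both of the answer's suggestions in working code, as an added example that is not part of the original question or answer: an AuthenticationController that exposes the authentication as a resource at /api/authentication (GET returns the current user, POST creates the authentication from credentials, DELETE logs out), plus a DelegatingHandler that authenticates every request from its Authorization header so the API needs no session cookie at all. It assumes ASP.NET Web API 2 on .NET 4.5 with SimpleMembership registered as the default Membership provider (as the MVC 4 template does); the LoginModel shape, the class names and the realm string are assumptions. Beyond the URIs it changes two things from the question's code: the login failure message is the same whether or not the user name exists, so the endpoint cannot be used to enumerate accounts, and exceptions are no longer serialised into 500 responses.

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Security;
using WebMatrix.WebData;

// Assumed shape of the LoginModel that the question's LogIn action binds to.
public class LoginModel
{
    [Required] public string UserName { get; set; }
    [Required] public string Password { get; set; }
    public bool RememberMe { get; set; }
}

// The authentication as a resource. With the default "api/{controller}/{id}" route this lives at
// /api/authentication; Web API selects the action by HTTP verb from the Get*/Post*/Delete* prefixes.
public class AuthenticationController : ApiController
{
    // GET /api/authentication -> who the caller is, or 401 when there is no authentication
    public HttpResponseMessage GetAuthentication()
    {
        if (!User.Identity.IsAuthenticated)
            return Request.CreateResponse(HttpStatusCode.Unauthorized);
        return Request.CreateResponse(HttpStatusCode.OK,
            new { UserName = User.Identity.Name, UserId = WebSecurity.GetUserId(User.Identity.Name) });
    }

    // POST /api/authentication -> create a cookie-backed authentication from credentials
    [AllowAnonymous]
    public HttpResponseMessage PostAuthentication(LoginModel model)
    {
        if (model == null || !ModelState.IsValid)
            return Request.CreateErrorResponse(HttpStatusCode.BadRequest, ModelState);
        // WebSecurity.Login validates the password and sets the forms-auth cookie itself; the
        // failure message is deliberately identical for an unknown user and a wrong password.
        if (!WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
            return Request.CreateErrorResponse(HttpStatusCode.Unauthorized, "Invalid user name or password.");
        var created = Request.CreateResponse(HttpStatusCode.Created, new { UserName = model.UserName });
        created.Headers.Location = new Uri(Request.RequestUri, "/api/authentication");
        return created;
    }

    // DELETE /api/authentication -> remove the authentication, i.e. log out
    [Authorize]
    public HttpResponseMessage DeleteAuthentication()
    {
        WebSecurity.Logout();
        return Request.CreateResponse(HttpStatusCode.NoContent);
    }
}

// The stateless alternative the answer recommends: credentials travel in the Authorization header
// of every request and nothing is kept server-side. Basic credentials are only base64-encoded,
// so this must be served over HTTPS only.
public class BasicAuthenticationHandler : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var header = request.Headers.Authorization;
        if (header != null && header.Scheme == "Basic" && !string.IsNullOrEmpty(header.Parameter))
        {
            string[] credentials = DecodeBasicParameter(header.Parameter);
            // Membership.ValidateUser is the same check WebSecurity.Login performs, minus the cookie.
            if (credentials != null && Membership.ValidateUser(credentials[0], credentials[1]))
            {
                var principal = new GenericPrincipal(new GenericIdentity(credentials[0], "Basic"), new string[0]);
                request.GetRequestContext().Principal = principal;  // what [Authorize] and User read
                Thread.CurrentPrincipal = principal;                 // for code that still reads the thread
            }
        }
        var response = await base.SendAsync(request, cancellationToken);
        // A 401 must name the scheme the client is expected to use.
        if (response.StatusCode == HttpStatusCode.Unauthorized)
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic", "realm=\"api\""));
        return response;
    }

    // base64("user:password") -> { user, password }, or null when malformed
    private static string[] DecodeBasicParameter(string parameter)
    {
        try
        {
            string[] parts = Encoding.UTF8.GetString(Convert.FromBase64String(parameter)).Split(new[] { ':' }, 2);
            return parts.Length == 2 ? parts : null;
        }
        catch (FormatException) { return null; }
    }
}
```

Register the handler with config.MessageHandlers.Add(new BasicAuthenticationHandler()) in WebApiConfig.Register; the template's default api/{controller}/{id} route is enough for the controller. Because the handler authenticates from a header rather than from an ambient cookie, a browser will not attach the credential to a cross-site request on its own, which is why nothing like the antiforgery token commented out in the question is needed on that path.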

Context

StackExchange Code Review Q#25428, answer score: 5
