Code up a TOKEN for members to use Web API

  • Question

  • User-1668014665 posted

    What do you do?

    I wish to allow members to pull data out of my database, Forex data like Symbol, Date, O, H, L, C

    A token is in the API URL to identify the user as approved member

    My MS SQL database users table has a GUID like this for each member

    213C6121-18B8-4F81-B124-81C3D673FCD0

    Should I use that, any other ideas?

    Sunday, March 3, 2019 6:22 PM

Answers

All replies

  • User1120430333 posted

    How is the WebAPI being used? Is the WebAPI being exposed to the public Internet? Is the WebAPI only being used by your ASP.NET Web Forms programs? Is the WebAPI being used with the Web Forms programs on the same computer? Is MS SQL Server being used on the same machine too? Are you putting the whole shooting match out there on the Internet with you doing the hosting yourself?

    Sunday, March 3, 2019 7:24 PM
  • User-1668014665 posted

    ..."Is the WebAPI being exposed to the public Internet?"...

    The API goes to code on one machine, pulls data off another machine, the stored proc is in a ROLE specific to a USER ID that only does web API

    I am all good on security

    Now back to my question.

    Sunday, March 3, 2019 8:04 PM
  • User1120430333 posted

    The API goes to code on one machine, pulls data off another machine, the stored proc is in a ROLE specific to a USER ID that only does web API
    I am all good on security

    If you say you're secure, so be it. IMO, if the WebAPI service was being hit by a mobile device, a Windows desktop solution, or a desktop Mac or Linux client in a client/service scenario and being exposed to the public Internet, then I would consider using some kind of security to access the WebAPI, if any client mentioned can access the WebAPI over the Internet.

    If you have a frontend Web server hosting Web applications such as ASP.NET Web Forms, MVC, etc. hitting a backend Web server hosting the WebAPI on another machine on the protected LAN, I don't see the need for such security. That's IMO and what I have seen implemented.

    Sunday, March 3, 2019 10:25 PM
  • User475983607 posted

    What do you do?

    I use the JWT APIs that come with ASP.NET. JWTs work great when you have code-based clients like web server to Web API. The clients send the JWT in the HTTP Authorization header as a bearer token.

    A token is in the API URL to identify the user as approved member

    My MS SQL database users table has a GUID like this for each member

    213C6121-18B8-4F81-B124-81C3D673FCD0

    Should I use that, any other ideas?

    That's not a good idea because URLs are cached and you do not want user IDs in the URL anyway. A JWT token is signed, which makes it tamper proof.

    https://jwt.io/

    https://en.wikipedia.org/wiki/JSON_Web_Token

    https://docs.microsoft.com/en-us/aspnet/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Sunday, March 3, 2019 10:35 PM
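    As an added illustration of the point made in the answer above (this is not code from the thread or from ASP.NET's JWT libraries), a minimal HS256 JWT mint-and-verify using only the Python standard library: the signature covers header and payload, so editing the member id in a token without the key fails verification, and an expiry claim bounds how long a leaked token is useful. The signing key, member id and timestamps are constructed sample values.

    ```python
    import base64, hashlib, hmac, json, time

    # Constructed demo key; a real server loads this from a secret store, never from source.
    SECRET = b"demo-signing-key-not-for-production"


    def _b64url(data):
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


    def _unb64url(text):
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


    def mint_jwt(member_id, ttl_seconds, now=None):
        """Build a compact HS256 JWT (header.payload.signature, base64url) for member_id."""
        now = int(time.time()) if now is None else now
        header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode()
        payload = json.dumps({"sub": member_id, "iat": now, "exp": now + ttl_seconds},
                             separators=(",", ":")).encode()
        signing_input = f"{_b64url(header)}.{_b64url(payload)}"
        sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
        return f"{signing_input}.{_b64url(sig)}"


    def verify_jwt(token, now=None):
        """Return the payload if the signature is valid and the token is unexpired, else None."""
        now = int(time.time()) if now is None else now
        try:
            head_b64, body_b64, sig_b64 = token.split(".")
            header = json.loads(_unb64url(head_b64))
            if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token
                return None
            expected = hmac.new(SECRET, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64url(sig_b64)):  # constant-time compare
                return None
            payload = json.loads(_unb64url(body_b64))
            if payload.get("exp", 0) <= now:
                return None
            return payload
        except ValueError:  # malformed base64 or JSON
            return None


    def bearer_header(token):
        """The header a client sends instead of putting an identifier in the URL."""
        return {"Authorization": f"Bearer {token}"}


    def edit_sub_without_resigning(token, new_sub):
        """Rewrite 'sub' but keep the old signature, to show the verifier rejects it."""
        head, body, sig = token.split(".")
        payload = json.loads(_unb64url(body))
        payload["sub"] = new_sub
        return f"{head}.{_b64url(json.dumps(payload, separators=(',', ':')).encode())}.{sig}"
    ```
    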
  • User1120430333 posted

    Just FYI, if you are planning on hosting your Web application on a Windows workstation version of the O/S, from Vista to Windows 10, there can only be 10 concurrent connections at any given time open to the computer running the O/S from machines on the LAN or WAN. The 11th computer running a program trying to connect to a computer hosting/running a program where 10 connections are currently being used will be terminated.

    You can't buy more concurrent connection licenses for the Windows workstation O/S.

    https://www.nextofwindows.com/how-many-concurrent-connections-allowed-to-access-a-windows-7-computer

    Monday, March 4, 2019 6:27 AM
  • User-1668014665 posted

    My website is on a VPN at a professional site hoster, it is not run from home off a home PC

    but I'll check on that!

    Monday, March 4, 2019 7:59 AM