
Web API Security #4154


0
Garysund created

Hi There

I am building a mobile app that talks to my ASPNETZERO API.

I was just wondering about security and how to implement something.

Once the user logs in he gets his auth token. I also need the user to fetch his user profile, i.e. GetUserProfileByEmail.

I would like to know how I could prevent a person from fetching another user's profile if they know their email address.

Or should I return the user's id when they log in and make all other calls using the user id?

The account (login) Web API returns an AJAX response; is it possible for it to return an object?

Any suggestions will be greatly appreciated.


2 Answer(s)
  •
    0
    aaron created
    Support Team

    I would like to know how I could prevent a person from fetching another user's profile if they know their email address.

    You can use AbpSession.UserId and get the current user's profile.

    Or should I return the user's id when they log in and make all other calls using the user id?

    Make calls with the auth token and AbpSession.UserId will be available.

    The account (login) Web API returns an AJAX response; is it possible for it to return an object?

    You can use [DontWrapResult] on a method to return only the object.

  •
    0
    Garysund created

    Awesome, I didn't know that AbpSession.UserId will be available for an external call.
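
The points in aaron's answer above, worked through as an added example (this is not code from the thread or from ASP.NET Zero itself): the email-driven lookup the question describes beside the session-driven version, a checked variant for the case where the email parameter has to stay, and [DontWrapResult] on a method whose caller wants the bare object. The service name ProfileAppService, the DTO UserProfileDto, the method names and the MyCompany.MyProject namespace are assumptions for illustration; ApplicationService, AbpSession, AbpSession.GetUserId(), UserManager.FindByEmailAsync, UserManager.GetUserByIdAsync, [AbpAuthorize] and [DontWrapResult] are the real ABP / ASP.NET Zero APIs.

```csharp
using System.Threading.Tasks;
using Abp.Application.Services;
using Abp.Authorization;
using Abp.Runtime.Session;
using Abp.UI;
using Abp.Web.Models;
using MyCompany.MyProject.Authorization.Users; // assumed: the project's User and UserManager namespace

// Assumed DTO for the example; a real project would use its own profile DTO.
public class UserProfileDto
{
    public long Id { get; set; }
    public string EmailAddress { get; set; }
    public string Name { get; set; }
    public string Surname { get; set; }
}

[AbpAuthorize] // every method below needs a valid auth token, so AbpSession.UserId is populated
public class ProfileAppService : ApplicationService
{
    private readonly UserManager _userManager;

    public ProfileAppService(UserManager userManager)
    {
        _userManager = userManager;
    }

    // VULNERABLE: the pattern the question describes. The client chooses whose profile
    // to read, so any logged-in user who knows an email address can read that account
    // (an insecure direct object reference). Shown only for contrast.
    public async Task<UserProfileDto> GetUserProfileByEmail(string email)
    {
        var user = await _userManager.FindByEmailAsync(email);
        if (user == null)
        {
            throw new UserFriendlyException("User not found");
        }
        return ToDto(user);
    }

    // HARDENED: the identity comes from the validated token (AbpSession), never from
    // the request, so there is no parameter for a caller to tamper with. The mobile
    // client does not need to know or send its own user id.
    public async Task<UserProfileDto> GetMyProfile()
    {
        var user = await _userManager.GetUserByIdAsync(AbpSession.GetUserId());
        return ToDto(user);
    }

    // If the email parameter has to stay (an already-shipped client), bind it to the
    // session: the looked-up user must be the caller. An unknown address and someone
    // else's address get the same response, so the endpoint also cannot be used to
    // enumerate registered emails.
    public async Task<UserProfileDto> GetUserProfileByEmailChecked(string email)
    {
        var user = await _userManager.FindByEmailAsync(email);
        if (user == null || user.Id != AbpSession.GetUserId())
        {
            throw new AbpAuthorizationException("You can only read your own profile.");
        }
        return ToDto(user);
    }

    // Same data without the ABP { result, success, error, ... } envelope, for a caller
    // that wants the bare object (the third question in the thread).
    [DontWrapResult]
    public async Task<UserProfileDto> GetMyProfileUnwrapped()
    {
        return await GetMyProfile();
    }

    private static UserProfileDto ToDto(User user)
    {
        return new UserProfileDto
        {
            Id = user.Id,
            EmailAddress = user.EmailAddress,
            Name = user.Name,
            Surname = user.Surname
        };
    }
}
```

The same [DontWrapResult] attribute works on a controller action, so it can be put on the login action if the client should receive the token object rather than the wrapped AJAX response. Whichever shape is returned, the profile call itself should not accept the user's identity from the client: returning the id at login and sending it back on every call, as the question proposes, only recreates the by-email problem with a different key, because the server would still be trusting a caller-supplied value instead of the one already bound to the token.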