
[WebAPI] how to restrict to another site ? #490


0
daws created

Hi there!

My website is accessible to public and registered users.

Even if there is no critical data, I would like only users of the ABP website (public and registered) to be able to access the Web API. The main reason is that I don't want a competitor to be able to use my Web API calls.

The public user is not logged in, so I cannot use the AbpAuthorize attribute because there is no token. So... it's impossible.

My workaround idea is that each "non-registered user" would be logged in as a user named "public".

But then I have to avoid settings changes / auditing / etc. for this specific user.

Is this workaround a good idea, or do you have a better one?

Thanks!


1 Answer(s)
  • 0
    hikalkan created
    Support Team

    Hi,

    This problem is not specific to ABP. It applies to any ASP.NET Web API controller, so you can search the web for a better solution.

    My thoughts:

    If you don't enable CORS, other web sites cannot call the Web API. But a console application, for example, can still make HTTP requests to your API. To prevent that, we could create a random token on the server and write it into the JavaScript, then send this token in a header on every request and verify the header on the server. But this doesn't prevent it completely either, because a console app can make a web request first, grab the token from the JavaScript and use it in the header.

    But I don't know a complete solution. Check this for example: http://stackoverflow.com/questions/5333368/how-can-you-prevent-arbitrary-client-apps-from-using-your-anonymous-web-api