Hi there!
My website is accessible to public and registered users.
Even if there is no critical data, I would like only users of the ABP website (public & registered) to be able to access the Web API. The main reason is that I don't want a competitor to be able to use my Web API calls.
The public user is not logged in, so I cannot use the AbpAuthorize property because there is no token. So... it's impossible.
My workaround idea is that each "non-registered user" should be logged in as a user named "public".
But then I have to prevent settings changes, auditing, etc. for this specific user.
Is this a good idea for a workaround, or do you have a better one?
Thanks!
1 Answer(s)
Hi,
This problem is not particular to ABP. It's valid for any ASP.NET Web API controller. So, you can search the web for a better solution.
My thoughts:
If you don't enable CORS, then other web sites cannot call the web API. But, for example, a console application can make HTTP requests to your API. To prevent that, we could create a random token on the server and write it into the JavaScript, then send this token in a header with every request and verify the HTTP header. But this doesn't prevent it completely either, because a console app can make a web request first, grab the token from the JavaScript and use it in the header.
But I don't know a complete solution. Check this for example: http://stackoverflow.com/questions/5333368/how-can-you-prevent-arbitrary-client-apps-from-using-your-anonymous-web-api
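The "random token written into the JavaScript, echoed back in a header" scheme from the answer above, written out as an added example for ASP.NET Web API 2 on .NET Framework. This is not code from the original post or from ABP; the header name `X-Page-Token`, the `PageTokenStore` and `RequirePageToken` names, the 30-minute lifetime and the use of `MemoryCache` are all this example's own choices.

```csharp
// Added example (not from the original post or from the ABP framework).
// The server mints a random token when it renders a page, embeds it in that
// page's JavaScript, and a Web API authorization filter rejects any call that
// does not echo the token back in the X-Page-Token header.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Runtime.Caching;
using System.Security.Cryptography;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

public static class PageTokenStore
{
    public const string HeaderName = "X-Page-Token";          // assumed header name
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(30); // assumed lifetime
    private const string CachePrefix = "pagetoken:";

    // Mint a 256-bit random token and remember it server-side until it expires.
    // Call this from the MVC controller/view that renders the page.
    public static string Issue()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        // Base64url: safe inside a JS string literal and inside an HTTP header.
        var token = Convert.ToBase64String(bytes)
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        MemoryCache.Default.Set(CachePrefix + token, true, DateTimeOffset.UtcNow.Add(Lifetime));
        return token;
    }

    // A token is valid only if this process issued it and it has not expired.
    public static bool IsValid(string token)
    {
        if (string.IsNullOrEmpty(token) || token.Length > 64) return false; // reject junk early
        return MemoryCache.Default.Get(CachePrefix + token) != null;
    }
}

// Apply as [RequirePageToken] on the Web API controllers or actions that the
// anonymous (public) pages call.
public class RequirePageTokenAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        IEnumerable<string> values;
        var present = actionContext.Request.Headers.TryGetValues(PageTokenStore.HeaderName, out values);
        var token = present ? values.FirstOrDefault() : null;

        if (!PageTokenStore.IsValid(token))
        {
            // Short-circuit the pipeline: the action never runs.
            actionContext.Response = actionContext.Request.CreateResponse(
                HttpStatusCode.Forbidden, "Missing or unknown page token.");
        }
    }
}

// Page side (Razor view, shown here as a comment):
//   @{ var pageToken = PageTokenStore.Issue(); }
//   <script>window.pageToken = '@pageToken';</script>
// Client side (JavaScript, shown here as a comment):
//   $.ajaxSetup({ headers: { 'X-Page-Token': window.pageToken } });
```

Two things a practitioner should keep in mind. First, `MemoryCache` is per process, so on a web farm the token issued by one server is unknown to the others; a shared store (or a keyed HMAC over a timestamp, verified instead of looked up) is needed there. Second, as the answer itself says, this only raises the bar against casual reuse: any client that can fetch the page can read the token out of the script and replay it, so it must not be mistaken for access control on anything sensitive.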