Hi There
I am building a mobile app that talks to my ASPNETZERO API.
I was just wondering about security and how to implement something.
Once the user logs in he gets his auth token. I need the user to also fetch his user profile ie GetUserProfileByEmail.
I would like to know how could I prevent a person from fetching another users profile if they know their email address.
Or should I return the users id when they log in and make all other calls using the userid.
The account(login) webapi returns an ajax response is it possible for it to return an object.
Any suggestions will be greatly appreciated.
2 Answer(s)
-
0
I would like to know how could I prevent a person from fetching another users profile if they know their email address.
You can use AbpSession.UserId and get the current user's profile.
Or should I return the users id when they log in and make all other calls using the userid.
Make calls with auth token and AbpSession.UserId will be available.
The account(login) webapi returns an ajax response is it possible for it to return an object.
You can use [DontWrapResult] on a method to return only the object.
-
0
Awesom didnt know that absession.userid will be available for an external call.
