
When testing the WebAPI authentication in the SPA template, I can create a user, sign in, and retrieve sample to-do's using this url from Google Chrome:

http://myhost.com:49688/api/TodoList

When I try to retrieve the todo's using curl or via Fiddler, I get back HTTP/1.1 401 Unauthorized status.

The curl command I am using:

curl --request GET -H "Content-Type: application/json" http://uname:pass@myhost.com:49688/api/TodoList

Fiddler parsed query:

GET http://myhost.com:49688/api/TodoList

Request Headers:

User-Agent: Fiddler
Host: localhost:49688
Authorization: Basic YWxpYmVyc29uOnRlc3R0ZXN0

Why am I receiving back status 401 if I am providing the username and password? (I substituted myhost for localhost)

JackPoint
  • The request seems okay. Try debugging on server side. – JackPoint Apr 11 '13 at 11:21
  • @JackPoint I set a breakpoint on `namespace SPA.Filters { public class ValidateHttpAntiForgeryTokenAttribute : AuthorizationFilterAttribute { public override void OnAuthorization(HttpActionContext actionContext) { HttpRequestMessage request = actionContext.ControllerContext.Request;` and it is not being hit. I welcome any suggestions where else to debug. – Alexander Liberson Apr 12 '13 at 04:15

1 Answer


I think you're hitting the anti-CSRF filter. To prevent cross-site request forgery, the client needs to include a validation token that the server injects into the HTML page. This prevents a malicious site from piggybacking on your login credentials.

See http://www.asp.net/single-page-application/overview/introduction/knockoutjs-template in the section "Anti-CSRF Protection".

For more background: http://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-(csrf)-attacks

Mike Wasson
  • Mike, in your post you describe using Razor syntax to generate the tokens at the server and then add the tokens to an AJAX request: `string cookieToken, formToken; AntiForgery.GetTokens(null, out cookieToken, out formToken); return cookieToken + ":" + formToken; ` Can I use this same token scheme to authenticate WebAPI against iPhone native app clients? In other words, if the client calling the WebAPI is a native iPhone app, can the native app client make a call to AntiForgery.GetTokens(...) and then use the received token in subsequent calls? – Alexander Liberson Apr 12 '13 at 03:04
  • Or I should be using an entirely different method to secure the SPA template's WebAPI with tokens in the header for native app clients, something like http://stackoverflow.com/questions/11731683/user-authentication-in-asp-net-web-api ? – Alexander Liberson Apr 12 '13 at 03:22
  • GetTokens generates the tokens on the server side. The idea is to put the tokens in the HTML. This forces the client to parse the HTML, which proves they are not making a cross-domain request. For native clients, you typically want to call the web API directly and present the result in a native UI, so it's not a great auth scheme for native clients. – Mike Wasson Apr 12 '13 at 18:28
  • I just re-read your original Q more carefully - out of the box the SPA template is configured for forms auth, but you are sending the credentials as Basic auth, which it's not going to recognize. – Mike Wasson Apr 12 '13 at 18:30
  • Thank you for writing the article about basic auth: http://www.asp.net/web-api/overview/security/basic-authentication I'd like to use token based basic auth, what do you recommend I follow? Also, how do I combine the authentication for native UI clients (using basic auth) and for SPA javascript / ajax / browser clients (it doesn't have to be the out-of-the-box template) so that they could all call and authenticate against the same WebAPI? – Alexander Liberson Apr 12 '13 at 19:27
  • Just to clarify my last sentence -> although the SPA would use the same WebAPI, it wouldn't have to authenticate using the WebAPI, it would probably use Forms Auth inside MVC? I'm just not clear how to combine the authentication for SPA and native UI clients. And how to add antiforgery tokens to the mix as well? – Alexander Liberson Apr 12 '13 at 19:31
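The answer and its comments describe two separate gates: forms authentication (an auth cookie, so a Basic Authorization header is never looked at) and the anti-CSRF filter (a cookie token plus a form token the page embeds in the HTML, sent back as "cookieToken:formToken"). The following is an added, self-contained Python model of that scheme written for this page; it is not ASP.NET's or the SPA template's code. The secret, cookie and header names, the HMAC binding of the form token, and the 401/403 split are assumptions of the model, and the requests in scenarios() are constructed. It shows why the curl request gets 401, why the browser passes, and why a forged cross-site request or a guessed token is refused.

```python
import base64
import hashlib
import hmac
import os

# Constructed secret for this model. ASP.NET derives its protection keys from
# machineKey; this literal is only a stand-in.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"

# Cookie and header names are assumptions of this model, not the template's.
AUTH_COOKIE = "DemoFormsAuth"
ANTIFORGERY_COOKIE = "DemoAntiForgeryCookie"
ANTIFORGERY_HEADER = "RequestVerificationToken"


def _tag(*parts: str) -> str:
    """HMAC-SHA256 over the joined parts, URL-safe base64 without padding (43 chars)."""
    digest = hmac.new(SERVER_SECRET, "|".join(parts).encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def issue_auth_cookie(username: str) -> str:
    """Model of a forms-auth ticket: username plus a server MAC over it."""
    return f"{username}|{_tag('auth', username)}"


def forms_auth_user(cookie_value):
    """Return the username if the forms-auth cookie is present and untampered, else None."""
    if not cookie_value or "|" not in cookie_value:
        return None
    username, tag = cookie_value.rsplit("|", 1)
    return username if hmac.compare_digest(tag, _tag("auth", username)) else None


def issue_antiforgery_tokens(username: str):
    """Model of AntiForgery.GetTokens: a random cookie token and a form token bound
    to that cookie token and the logged-in user. The server sets the first as a
    cookie and writes both into the HTML page for the SPA's JavaScript to read."""
    cookie_token = base64.urlsafe_b64encode(os.urandom(16)).rstrip(b"=").decode()
    return cookie_token, _tag("form", cookie_token, username)


def authorize(request: dict):
    """The two server-side gates an API call passes through.
    request = {"cookies": {name: value}, "headers": {name: value}}; returns (status, reason)."""
    cookies = request.get("cookies", {})
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}

    # Gate 1, forms authentication: only the auth cookie is consulted. A Basic
    # Authorization header is never examined, so curl's uname:pass yields 401.
    username = forms_auth_user(cookies.get(AUTH_COOKIE))
    if username is None:
        return 401, "no valid forms-auth cookie"

    # Gate 2, anti-CSRF: the header carries "cookieToken:formToken". The cookie
    # half must equal the anti-forgery cookie the browser sent; the form half must
    # be the MAC bound to that cookie token and this user. A cross-site page can
    # make the browser attach the cookies but cannot read the form token.
    header = headers.get(ANTIFORGERY_HEADER.lower())
    cookie_token = cookies.get(ANTIFORGERY_COOKIE)
    if header is None or cookie_token is None or ":" not in header:
        return 403, "anti-forgery token missing"
    header_cookie_token, form_token = header.split(":", 1)
    if not hmac.compare_digest(header_cookie_token, cookie_token):
        return 403, "cookie token does not match anti-forgery cookie"
    if not hmac.compare_digest(form_token, _tag("form", cookie_token, username)):
        return 403, "form token invalid for this cookie token and user"
    return 200, "ok"


def scenarios() -> dict:
    """Constructed requests mirroring the cases discussed on the page."""
    user = "demo_user"
    cookie_token, form_token = issue_antiforgery_tokens(user)
    browser_cookies = {AUTH_COOKIE: issue_auth_cookie(user), ANTIFORGERY_COOKIE: cookie_token}
    return {
        # The curl command from the question: Basic "uname:pass", no cookies.
        "curl_basic_auth": authorize(
            {"headers": {"Authorization": "Basic dW5hbWU6cGFzcw=="}}),
        # The SPA in the browser: both cookies plus the header built from the page.
        "spa_browser": authorize(
            {"cookies": browser_cookies,
             "headers": {ANTIFORGERY_HEADER: f"{cookie_token}:{form_token}"}}),
        # Cross-site forgery: cookies ride along automatically, header cannot be built.
        "cross_site_forgery": authorize({"cookies": browser_cookies, "headers": {}}),
        # Attacker supplies the header with a guessed form token.
        "guessed_form_token": authorize(
            {"cookies": browser_cookies,
             "headers": {ANTIFORGERY_HEADER: f"{cookie_token}:{'A' * 43}"}}),
    }


if __name__ == "__main__":
    for name, (status, reason) in scenarios().items():
        print(f"{name:20s} -> {status} {reason}")
```

The model deliberately keeps the two checks separate: the 401 in the question is produced by the first gate before the anti-forgery filter is ever reached, which is also why a breakpoint in that filter is not hit. A native client that cannot load the HTML page has no way to obtain the form token, so, as the comments say, this scheme fits browser clients and a different credential (e.g. a token sent in a header, checked by its own authentication filter) fits native ones.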