
I have several actions in my application (ASP.NET MVC) that are not intended to be called by browser clients, but from other external applications that I own, such as the Azure Scheduler and my mobile applications (Android).

For these actions to work as expected, a secret parameter and value must be passed.

public ActionResult SendPendingMessages(string secret = "")
{
     if (!secret.Equals("hardcoded_secret"))
          return null;

     // Real stuff here...
} 

The above action is called by my scheduler every 30 minutes and sends scheduled messages.

Other example:

public ActionResult DownloadUndownloadedMessages(string secret = "")
{
     if (!secret.Equals("hardcoded_secret"))
          return null;

     // Real stuff here...
} 

The above action is called by my android application.
It fetches unread messages.

From these external applications, I always use HTTPS, so I'm sure the hardcoded password (and the URL itself) is secret.

I don't like what I'm doing here. It gives me a bad feeling.

To name a few problems with this approach:

  • The hardcoded secret is a long-term secret.
  • If another developer works on these external applications, they will know the secret URL.
  • I don't like that these actions can be called by just knowing the URL. I want to have something more solid than just hiding the URL.

The question is, finally:
What is the most correct way of achieving this purpose?

If a developer works at, for example, WhatsApp and is fired, can he call WhatsApp's server actions with the knowledge he got from seeing the WhatsApp client app?

sports
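One way to replace the hardcoded `secret` query parameter, as an added example that is not part of the question or the answer: an ASP.NET MVC 5 action filter that requires each non-browser client to sign its request with a per-client HMAC-SHA256 key. The key is read from configuration (the `ClientKey:<id>` appSettings naming, the `X-Client-Id`/`X-Timestamp`/`X-Signature` header names, and the five-minute clock-skew window are assumptions for illustration). Removing a client's key entry revokes that client, which is what the "fired developer" scenario needs, and the timestamp check rejects stale or replayed requests.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;
using System.Web.Mvc;

// Added example (not from the question or the linked answer): an MVC 5 filter that
// replaces the hard-coded "secret" query parameter with a per-client HMAC signature.
// Header names, the appSettings key format and the 5-minute window are assumptions.
public sealed class RequireSignedRequestAttribute : ActionFilterAttribute
{
    private static readonly TimeSpan MaxClockSkew = TimeSpan.FromMinutes(5);

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        string clientId  = request.Headers["X-Client-Id"];
        string timestamp = request.Headers["X-Timestamp"];   // Unix seconds, UTC
        string signature = request.Headers["X-Signature"];   // Base64 HMAC-SHA256

        if (!IsValid(clientId, timestamp, signature, request.HttpMethod,
                     request.Url.AbsolutePath, DateTimeOffset.UtcNow, LookupKey))
        {
            // 401 rather than a null ActionResult: the caller learns nothing except
            // that it is not authorised, and the failure is easy to log and alert on.
            filterContext.Result = new HttpUnauthorizedResult();
        }
    }

    // Keys live in configuration (or a vault), never in source code:
    // <add key="ClientKey:scheduler" value="<base64 key>" />   (assumed format)
    private static byte[] LookupKey(string clientId)
    {
        string encoded = ConfigurationManager.AppSettings["ClientKey:" + clientId];
        return encoded == null ? null : Convert.FromBase64String(encoded);
    }

    // Pure verification logic, kept apart from HttpContext so it can be unit-tested.
    public static bool IsValid(string clientId, string timestamp, string signature,
                               string method, string path, DateTimeOffset now,
                               Func<string, byte[]> keyLookup)
    {
        if (string.IsNullOrEmpty(clientId) || string.IsNullOrEmpty(timestamp) ||
            string.IsNullOrEmpty(signature))
            return false;

        long unixSeconds;
        if (!long.TryParse(timestamp, out unixSeconds))
            return false;
        var sent = DateTimeOffset.FromUnixTimeSeconds(unixSeconds);
        if ((now - sent).Duration() > MaxClockSkew)
            return false;               // stale or replayed request

        byte[] key = keyLookup(clientId);
        if (key == null)
            return false;               // unknown or revoked client

        byte[] expected = Sign(key, method, path, timestamp);
        byte[] provided;
        try { provided = Convert.FromBase64String(signature); }
        catch (FormatException) { return false; }

        return FixedTimeEquals(expected, provided);
    }

    // The client computes the same value: HMAC-SHA256(key, "METHOD\npath\ntimestamp").
    public static byte[] Sign(byte[] key, string method, string path, string timestamp)
    {
        string canonical = method.ToUpperInvariant() + "\n" + path + "\n" + timestamp;
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(canonical));
    }

    // Constant-time comparison so response timing does not reveal how many leading
    // bytes matched (string.Equals stops at the first difference).
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public class MessagesController : Controller
{
    [RequireSignedRequest]
    public ActionResult SendPendingMessages()
    {
        // Real stuff here...
        return new HttpStatusCodeResult(200);
    }
}
```

The calling application (scheduler job or Android app) holds only its own key, builds the same `METHOD\npath\ntimestamp` string, and sends the Base64 HMAC in `X-Signature`. A leaked or compromised client key is rotated by replacing one configuration entry, without touching the other clients or the source code.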

1 Answer

I think that your best approach is to follow the WebAPI path and implement one of the answers the post below provides:

How to secure an ASP.NET Web API

John Prado