I've been looking at the code (in https://github.com/patelsan/WebAPIAuthentication) from this article: http://www.codeproject.com/Articles/630986/Cross-Platform-Authentication-With-ASP-NET-Web-API.

It's pretty good and seems to work fine. There are very few articles that explain this kind of token authentication, but this is the best I've seen. Note that I'm new to this technology and there's much to learn.

So, I noticed that the UsersController has this code:

    public class UsersController : ApiController
    {
        public Status Authenticate(User user)
        {
            . . .
        }
    }

The Authenticate method doesn't start with a known HTTP verb, e.g. Get or Post, and there's no [HttpGet] or [HttpPost] attribute associated with this method, so how does the controller know with which verb to associate this method? Just by looking at the code, how can I tell which verb I need to use? Is there such a thing as a "default" verb if nothing matches?

By the way, in case you're wondering, the only verb that works is POST. I'd love to understand why that is the case.

djikay
  • WebApi works based on reflection and your parameter is a complex parameter; most likely you do not have any routing "api/authentication/:user". Since your class does not meet any GET routing parameter, POST makes a lot of sense to me – Dalorzo May 15 '14 at 19:42
  • @Dalorzo - it does "feel right", but you can send complex parameters on the query string. The Model Binder works just the same. – EBarr May 15 '14 at 22:03
  • @EBarr I know you can send complex parameters, but that will require the URL routing to also exist for the complex object; that is what I meant – Dalorzo May 15 '14 at 22:08

2 Answers

File this under learning something new every day!

Typically method name matching is thought of this way. Looking at the WebAPI source, however, there is a branch of logic for fallback. If the method name doesn't map (through attribute, or convention) to a supported HTTP verb, then the default is POST.

By default action selection happens through ReflectedHttpActionDescriptor class. The important method here is GetSupportedHttpMethods(). In relevant part the code reads:

        if (supportedHttpMethods.Count == 0)
        {
            // Use POST as the default HttpMethod
            supportedHttpMethods.Add(HttpMethod.Post);
        }

You can see the full source here (around the middle of the file).

EBarr
  • Amazing now that we can see the source --I've learned more about webapi/mvc than I ever knew about WebForms :-) – EBarr May 15 '14 at 22:14
  • @EBarr, duly filed! Thank you for the clear explanation. I had no idea I could inspect the source, so it's two things I've learned today :) – djikay May 16 '14 at 12:38
  • Despite the existence of a default verb, I guess the right thing to do is to always include a way to easily deduce the verb for a particular method, either with the naming convention or with [HttpGet]-style attributes, and not rely on defaults to achieve one's desired effect. After all, readability is quite important for code maintenance. – djikay May 16 '14 at 12:42
  • I 100% agree -- don't make developers guess. – EBarr May 16 '14 at 13:14

In this special case, the default Http Verb is POST. In other scenarios, the default verb depends on the name of the action and other factors. Below is the algorithm quoted from asp.net:

HTTP Methods. The framework only chooses actions that match the HTTP method of the request, determined as follows:

  1. You can specify the HTTP method with an attribute: AcceptVerbs, HttpDelete, HttpGet, HttpHead, HttpOptions, HttpPatch, HttpPost, or HttpPut.

  2. Otherwise, if the name of the action (controller method) starts with "Get", "Post", "Put", "Delete", "Head", "Options", or "Patch", then by convention the action supports that HTTP method.

  3. If none of the above, the method supports POST.

http://www.asp.net/web-api/overview/web-api-routing-and-actions/routing-and-action-selection

naveen
Toan Nguyen
  • Although I've studied these MS articles from www.asp.net in great detail, I must admit I missed that bit. Thank you for bringing it to my attention. – djikay May 16 '14 at 12:43
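
The three-step rule quoted in the answers can be turned into a reflection audit that lists which actions get their verb from an attribute, from the naming convention, or from the silent POST fallback. This is an added example, not code from the posts or from the WebAPIAuthentication project; the stand-in `HttpGetAttribute`, `User`, `Status` and `UsersController` types are constructed so it compiles without System.Web.Http, and matching attributes by type name and treating every declared public instance method as an action are simplifying assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

// Constructed stand-ins so the sample compiles without System.Web.Http;
// in a real project the framework's own attribute and controller types replace these.
[AttributeUsage(AttributeTargets.Method)]
public sealed class HttpGetAttribute : Attribute { }
public class User { }
public class Status { }

public class UsersController   // constructed sample that mirrors the question
{
    public Status Authenticate(User user) { return new Status(); } // no attribute, no verb prefix
    public Status GetProfile(int id) { return new Status(); }      // "Get" prefix
    [HttpGet] public Status Ping() { return new Status(); }        // explicit attribute
}

public static class VerbAudit
{
    // Attribute type names for step 1 of the quoted rule (matched by name: an assumption).
    static readonly string[] VerbAttributes = {
        "AcceptVerbsAttribute", "HttpDeleteAttribute", "HttpGetAttribute", "HttpHeadAttribute",
        "HttpOptionsAttribute", "HttpPatchAttribute", "HttpPostAttribute", "HttpPutAttribute" };
    static readonly string[] Prefixes = { "Get", "Post", "Put", "Delete", "Head", "Options", "Patch" };

    // Returns "attribute", "convention:<VERB>" or "default:POST" for one method.
    public static string Classify(MethodInfo m)
    {
        if (m.GetCustomAttributes(true).Any(a => VerbAttributes.Contains(a.GetType().Name)))
            return "attribute";
        // Case-insensitive prefix comparison is an assumption about the framework's matching.
        string p = Prefixes.FirstOrDefault(
            x => m.Name.StartsWith(x, StringComparison.OrdinalIgnoreCase));
        return p != null ? "convention:" + p.ToUpperInvariant() : "default:POST";
    }

    // Public instance methods declared on the controller itself (approximates action discovery).
    public static IEnumerable<MethodInfo> Actions(Type controller) =>
        controller.GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                  .Where(m => !m.IsSpecialName);

    public static void Main()
    {
        foreach (MethodInfo m in Actions(typeof(UsersController)))
            Console.WriteLine("{0,-14} {1}", m.Name, Classify(m));
    }
}
```

Any method reported as `default:POST` is a candidate for an explicit `[HttpPost]` attribute, so the accepted verb is visible at the point where an endpoint such as `Authenticate` is reviewed.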