I have a Web API endpoint that accepts a GET request with two parameters.

[AllowAnonymous]
[Route("user/{username}/{password}")]
[HttpGet]
public async Task<IHttpActionResult> GetUser(string username, string password)
{
    // Lookup user
    var user = await this.AppUserManager.FindAsync(username, password);

    if (user != null)
    {
        return Ok(this.TheModelFactory.Create(user));
    }

    return Content(HttpStatusCode.NotFound, "User not found");
}

This method works fine except in cases where the password ends in a period (.). In these cases I get the following error: "Server Error in '/' Application." I ended up changing the method to POST and passed the UserName and Password in the body. Why is a trailing period crashing the API? I would have preferred to use GET as I felt it was more appropriate.

I tried the suggestion in this SO posting but still no luck.

<system.webServer>
  ....   
  <rewrite>
    <rules>
      <rule name="Add trailing slash" stopProcessing="true">
        <match url="^(api/employees/.*\.[a-z]{2,4})$" />
        <action type="Rewrite" url="{R:1}/" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
  • Putting the password in the url is a very bad idea. – vtortola Sep 30 '16 at 19:41
  • If using HTTPS it shouldn't be a problem. I'm more interested in finding out why the period is causing an issue. – webworm Sep 30 '16 at 19:46
  • @webworm it **is** a problem because the URL from GET requests ends up in logs, and *you* should never know a user's password. Your actual question is valid, it's just the password in a URL that's bad... – David_001 Sep 30 '16 at 20:18
  • When you say you tried that specific rewrite - what exactly did you try? Because that snippet won't work in your scenario at all, so I guess you actually did something else, which could be where the issue is? – David_001 Sep 30 '16 at 20:23

0 Answers
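The comment above about GET URLs ending up in logs, shown as an added example that is not part of the original thread: a log audit that finds requests matching the question's `user/{username}/{password}` route and redacts the password segment. It assumes IIS W3C extended log format with a `#Fields:` header; the sample lines and the `scan` helper are constructed for illustration.

```python
import re

# Constructed sample in IIS W3C extended format; users and passwords are made up.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2016-09-30 19:40:01 GET /user/alice/S3cret%21 - 200
2016-09-30 19:40:07 GET /user/bob/hunter2 - 404
2016-09-30 19:41:12 POST /user/login - 200
2016-09-30 19:41:30 GET /api/employees/42 - 200
"""

# Mirrors the question's route template user/{username}/{password},
# allowing any route prefix in front of it (assumption).
ROUTE = re.compile(
    r"^(?P<prefix>.*/user/)(?P<username>[^/]+)/(?P<password>[^/]+)/?$",
    re.IGNORECASE,
)


def scan(log_text):
    """Return (findings, redacted_text) for requests that hit the credential route.

    Findings record only the line number and username, never the password.
    """
    fields, findings, out = [], [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the entries that follow
        if line.startswith("#") or "cs-uri-stem" not in fields:
            out.append(line)  # directive line, or no way to locate the URL column
            continue
        cols = line.split(" ")
        idx = fields.index("cs-uri-stem")
        match = ROUTE.match(cols[idx]) if idx < len(cols) else None
        if match:
            findings.append({"line": lineno, "username": match["username"]})
            cols[idx] = f"{match['prefix']}{match['username']}/[REDACTED]"
        out.append(" ".join(cols))
    return findings, "\n".join(out) + "\n"


if __name__ == "__main__":
    hits, cleaned = scan(SAMPLE_LOG)
    for hit in hits:
        print(f"line {hit['line']}: password in URL for user {hit['username']}")
    print(cleaned, end="")
```

The POST request to `/user/login` passes through unchanged because a request body is not written to the access log, which is the practical difference between the two designs discussed in the question.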