
I have an MVC Application, which allows logged-in users to perform CRUD operations according to their Roles. I have handled authentication and authorization for the MVC App (with OWIN).

I have Web APIs within the same project which are mostly used to handle delete requests (Ajax) originating from list item views (MVC).

Sample list items (MVC) view

I have decorated the Web API controller actions with the [Authorize] attribute, as in the sample code below:

    [HttpDelete]
    [Authorize(Roles = UserRoles.Admin)]
    public IHttpActionResult Delete(int id)

I have not implemented token-based authentication/authorization, and I am not setting any authorization headers in the Ajax requests (or passing any cookie values):

    $.ajax({
        url: "/api/productCategories/" + id,
        method: "DELETE"
    })
    .done(done)
    .fail(fail);

But the authorization works properly, only the authorized users can call the relevant endpoints.

How does it work? Does this mean token-based authorization is not needed if the Web API, MVC app, and client app are in the same project? Or else, what is the best way to implement authorization? What about the Cross-site Scripting (XSS) issues?

Prasad De Silva
  • I imagine that your authentication is cookie based. When you do an ajax request with jquery it includes cookies of the domain in the request. – J.Loscos Apr 11 '18 at 13:59
  • Yes it is cookie based, does that mean I don't have to implement token based auth? or is there a better way? – Prasad De Silva Apr 11 '18 at 14:07
  • yeah there are multiple ways you can do authorisation. Microsoft has plenty of documentation on the various options. "Better" is what suits your use case, there is no one "better" thing, if there was, no-one would use the other methods. – ADyson Apr 11 '18 at 14:16
  • Because the two apps are in the same project, they share the same domain and the same machinekey. So the web api app can decrypt the mvc app auth cookie without any additional configuration. So if you only plan on calling this web api from the pages of the mvc app you don't need a token based auth. If you worry about Cross-site scripting, you will have to add an antiforgery token to the request and validate it in the web api. (There is no ValidateAntiforgeryAttribute in web api) you can take a look at https://stackoverflow.com/questions/11476883/web-api-and-validateantiforgerytoken – J.Loscos Apr 11 '18 at 14:19
  • Yes, understood, But I am more worried about cookie expiration. So I can implement token based authentication, but I am not clear how to obtain the token for the jQuery app since the user is already logged in to the MVC (main) app. – Prasad De Silva Apr 11 '18 at 14:37
  • well, tokens expire as well, so how do you think that will help? You can refresh them, sure, but then again you can set a long expiry date on a cookie if you wish. – ADyson Apr 11 '18 at 14:42
  • If the token is expired I will get a 401 error, but if the cookie is expired, I do not get any response. The default configuration is to redirect unauthorized requests to the login page, so for the Ajax requests there is no response. So I assume I have to override HandleUnauthorizedRequest() of the AuthorizeAttribute class to handle Ajax requests. – Prasad De Silva Apr 11 '18 at 15:08
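As an added example (not code from the question or the comments) of the anti-forgery check J.Loscos describes: a Web API action filter that validates the anti-forgery cookie set by MVC's @Html.AntiForgeryToken() against a token the Ajax delete sends in a header, since Web API has no [ValidateAntiForgeryToken]. The header name X-RequestVerificationToken, the controller name and the "Admin" role string are assumptions of this example.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Helpers;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Web API action filter: validates the MVC anti-forgery cookie against the token
// the Ajax caller sends in a custom header (header name is an assumption here).
public class ValidateAntiForgeryHeaderAttribute : ActionFilterAttribute
{
    public const string HeaderName = "X-RequestVerificationToken";

    public override void OnActionExecuting(HttpActionContext ctx)
    {
        var req = ctx.Request;

        // Cookie half of the token pair, written by @Html.AntiForgeryToken() in the MVC view.
        string cookieToken = req.Headers.GetCookies().SelectMany(c => c.Cookies)
            .Where(c => c.Name == AntiForgeryConfig.CookieName)
            .Select(c => c.Value).FirstOrDefault();

        // Header half: the value of the hidden __RequestVerificationToken input, sent by jQuery.
        IEnumerable<string> vals;
        string headerToken = req.Headers.TryGetValues(HeaderName, out vals) ? vals.FirstOrDefault() : null;

        try
        {
            // Throws if either token is missing, they do not match, or the user does not match.
            AntiForgery.Validate(cookieToken, headerToken);
        }
        catch (System.Web.Mvc.HttpAntiForgeryException)
        {
            // Short-circuit the action; jQuery's .fail() handler sees a 403 instead of a deleted row.
            ctx.Response = req.CreateErrorResponse(HttpStatusCode.Forbidden, "Anti-forgery token missing or invalid.");
        }
    }
}

// Hypothetical controller showing the filter beside the existing role check.
public class ProductCategoriesController : ApiController
{
    [HttpDelete, Authorize(Roles = "Admin"), ValidateAntiForgeryHeader]
    public IHttpActionResult Delete(int id)
    {
        return Ok(); // actual delete omitted
    }
}
```

On the client, read the value of the hidden input named __RequestVerificationToken that @Html.AntiForgeryToken() renders and pass it in the $.ajax call as headers: { "X-RequestVerificationToken": token }.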
