0

[Not sure if this is the right place to ask this. If this question belongs on a different SO forum, please let me know.]

I am designing a web page that has a list of items which the user can drag up or down in the list. The user can also add new items to the list or delete items from the list. FWIW, I'm doing this in ASP.NET Core.

So, as the user interacts with the list, JS in the browser wants to call back to the server to tell it about list modifications. My two options (I think) are to call either Ajax or REST API endpoints on the server. Both schemes result in an asynchronous round-trip to the server, with a return value that indicates success or failure.

As I understand things, Ajax has the advantage that it comes with user authentication baked in. That is, I can easily enforce the notion that the caller must be an authenticated (logged in) user (the Ajax endpoint is no different than any other Controller GET or POST endpoint in this respect). The only real downside to using Ajax that I can think of is having to dream up a bunch of endpoint names for all of the various functions I need to expose. The bigger issue is that using Ajax for this just smells wrong to me.

A collection of REST API endpoints, on the other hand, comes with some nifty semantics that make code maintenance and testing a bit easier to manage. But from what I've read, RESTful calls don't understand the concept that the caller has previously authenticated itself and owns a cookie to prove that.

As you can tell, I'm new to the world of REST APIs. I may be totally wrong about my assumptions around authentication and REST APIs. If that problem really is easy to work around, could some kind person post a simple example to lead me on my way...

Bob.at.Indigo.Health

3 Answers

0

If I understand right, you can use SignalR: https://dotnet.microsoft.com/apps/aspnet/real-time. It's used for asynchronous notifications to client-side web applications.

Yefet
0

I agree that RESTful APIs are testable and maintainable.

You can use JWT authentication for securing your RESTful APIs, and it can be configured to return the bearer token only if the user is logged in.

And you can write your own ExtendAuthorizationFilter and register it in the Startup.cs file.

    // In Startup.ConfigureServices: run the filter for every MVC action
    services.AddMvc(
        options => options.Filters.Add(new ExtendAuthorizationFilter())
    ).SetCompatibilityVersion(CompatibilityVersion.Version_2_1);

and

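    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Mvc.Filters;

    public class ExtendAuthorizationFilter : IAsyncAuthorizationFilter
    {
        public Task OnAuthorizationAsync(AuthorizationFilterContext context)
        {
            // Your code here: set context.Result to reject the request
            return Task.CompletedTask;
        }
    }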

Here is a JWT sample implementation with jQuery Ajax.

Jitan Gupta
  • Thank you for pointing me at JWT. That's just the keyword I needed to finally find (lots of) stuff online about securing API calls. After digging into it for a day, I realize that using a REST API with JWT authentication means that I need to do a bunch of work to create a JWT, give it to my client, decode the JWT in the API call... it's easier and less error prone to just call an Ajax endpoint and use the existing authentication machinery. – Bob.at.Indigo.Health Apr 01 '19 at 14:30
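
An added example (not part of the answer above, and not code from its author): one way to fill in the filter body so that unauthenticated callers are rejected regardless of which authentication scheme populated the user, followed by a REST-style endpoint that relies on it. The `/api` prefix, `ItemsController`, its route and the seeded sample list are assumptions made for illustration.

```csharp
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.AspNetCore.Mvc.Filters;

public class ExtendAuthorizationFilter : IAsyncAuthorizationFilter
{
    public Task OnAuthorizationAsync(AuthorizationFilterContext context)
    {
        // Leave actions marked [AllowAnonymous] (such as the login page) alone.
        if (context.Filters.Any(f => f is IAllowAnonymousFilter)) return Task.CompletedTask;
        // User is set by the authentication middleware (cookie or JWT bearer).
        var identity = context.HttpContext.User?.Identity;
        if (identity == null || !identity.IsAuthenticated)
            // Assumption: script-facing endpoints live under /api and get a bare
            // 401; anything else gets a challenge (a login redirect with cookies).
            context.Result = context.HttpContext.Request.Path.StartsWithSegments("/api")
                ? (IActionResult)new UnauthorizedResult() : new ChallengeResult();
        return Task.CompletedTask;
    }
}

[Route("api/items")]
[ApiController]
public class ItemsController : ControllerBase // hypothetical controller
{
    // Constructed sample data keyed by user name, standing in for a database.
    static readonly ConcurrentDictionary<string, List<string>> Lists =
        new ConcurrentDictionary<string, List<string>>();

    [HttpPut("{index}/position")] // e.g. PUT api/items/2/position with JSON body 0
    public IActionResult Move(int index, [FromBody] int newIndex)
    {
        // Keyed by the authenticated principal (assumed name claim), not request input.
        var list = Lists.GetOrAdd(User.Identity.Name, _ => new List<string> { "a", "b", "c" });
        lock (list)
        {
            if (index < 0 || index >= list.Count || newIndex < 0 || newIndex >= list.Count)
                return NotFound();
            var item = list[index];
            list.RemoveAt(index);
            list.Insert(newIndex, item);
        }
        return NoContent();
    }
}
```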
0

I do something very similar in several places and use AJAX calls to my Controller Actions. You can get back pretty much anything you want from raw JSON to fully-rendered partial views and more. You have much better security (for the amount of time put in) than an API as well.

An upside to an API, if applicable, is if you want it to have public endpoints.

Steven Frank
  • So, I asked a fuzzy question and I got two equally fuzzy answers. I got one answer that says "use Ajax", and another that says "use REST". After a day spent digging into securing REST endpoints with JWTs, I have to agree with this answer. I'll use Ajax and let the built-in middleware do my authentication for me. – Bob.at.Indigo.Health Apr 01 '19 at 14:18