0

I saw a route containing the token in an ASP.NET project. I do not code in the backend, but it does not look safe. I am not sure whether to do such things.

[HttpGet("{id}/{token}")]
 ...

If this is not good practice, how would I work with the HTTP headers? If I send the token with the headers, how would/should I receive and work with the token?

Thank you guys.

Cara

2 Answers

1

No, this is not recommended at all. The token should be placed in the headers, and you can access it, for example, with [FromHeader] binding, or in .NET Core 2+ with:

var token = Request.Headers["Authorization"];
Svilen Yanovski
0

No, that's not good practice.

Usually you send the token in the Authorization header of your request, e.g.:

Authorization: Bearer eyJ.....

In your controller on the backend side, you decorate methods or the whole controller with the [Authorize] attribute.

[Authorize]
[HttpGet]
...

A middleware will take care of the rest, which means it checks if the token is there and validates it and also sends a response when there's no token or an invalid/expired token. In your controller code, you don't need to handle the token directly. Here is a short introduction to the topic.

jps
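The header-based setup both answers describe, as an added example that is not part of the original posts: the route keeps only the id, the JWT bearer middleware validates the Authorization header, and [Authorize] rejects requests without a valid token. It assumes an ASP.NET Core 6+ web project with implicit usings and the Microsoft.AspNetCore.Authentication.JwtBearer package; the issuer, audience, configuration key and controller names are placeholders.

```csharp
// Program.cs (added example; names and values below are placeholders, not from the page)
// Assumes the Microsoft.AspNetCore.Authentication.JwtBearer package is referenced.
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;
using System.Security.Claims;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
// Signing key comes from configuration (assumed key name), never from source code.
var signingKey = builder.Configuration["Jwt:SigningKey"]
    ?? throw new InvalidOperationException("Jwt:SigningKey is not configured");
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = "https://issuer.example",
            ValidateAudience = true,
            ValidAudience = "orders-api",
            ValidateLifetime = true,            // expired tokens are rejected
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(signingKey))
        });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();   // reads "Authorization: Bearer <token>" and validates it
app.UseAuthorization();    // enforces [Authorize]; no or invalid token yields 401
app.MapControllers();
app.Run();

[ApiController]
[Route("api/orders")]
[Authorize]
public class OrdersController : ControllerBase
{
    // The route carries only the resource id; the token never appears in the URL.
    [HttpGet("{id}")]
    public IActionResult Get(int id)
    {
        // Claims from the already-validated token are available on User.
        var subject = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        return Ok(new { id, requestedBy = subject });
    }
}
```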