Web API Notes

IoC

Singleton - Gives the same instance for each request - this can cause concurrency issues
Transient - Gives a new instance on each request
Scoped - Gives a new instance on each thread

Controller base classes

ControllerBase - without view support, used for APIs for SPAs
Controller - with view support, used for MVC architecture

Controller attributes

[ApiController] - This gives a few things including automatic FromBody mappings and model validation.

Security - Hash and Salt

Passwords are stored as a hash, but because matching passwords have the same hash, a salt is used when hashing.  The salt needs to be stored too, but makes the password hash unique.

Security - Token Authentication

JWT (JSON Web Token) passed back after successful login verification
This is then used for subsequent requests.
The token has a time window in which it can be used.

A token-decoding site can be used to look at the public (decoded) part of the token.  Tokens should not contain sensitive data.

To validate a token, the middleware uses the issuer signing key that was used to create the token.  Only the Web API knows this key and it is kept safe internally; it is never passed to the outside world.  The Web API middleware can be set up to protect the controllers against access with an invalid or tampered token.

Security - Signing Key 

It's important that these are not stored in version control.  A command can be used to store these keys locally for development (init once per project, then set each secret by name; the name and value below are placeholders):

>dotnet user-secrets init
>dotnet user-secrets set "<SecretName>" "<secret value>"
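Putting the token-authentication and signing-key notes together, here is an added example (not code from the original notes) of a minimal ASP.NET Core Program.cs that reads the signing key from configuration (user secrets in development), validates incoming JWTs with it, and issues a token after login. The configuration name "Jwt:SigningKey", the issuer/audience strings and the route names are assumptions; the credential check itself is omitted.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// The key is read from configuration; in development "dotnet user-secrets set Jwt:SigningKey <value>"
// supplies it (assumed name), so it never sits in appsettings.json or version control.
var keyText = builder.Configuration["Jwt:SigningKey"]
    ?? throw new InvalidOperationException("Jwt:SigningKey is not configured.");
var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(keyText)); // HS256: use >= 32 random bytes

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,    // a tampered token fails the signature check
            IssuerSigningKey = signingKey,
            ValidateIssuer = true,
            ValidIssuer = "my-web-api",         // assumed issuer name
            ValidateAudience = true,
            ValidAudience = "my-spa",           // assumed audience name
            ValidateLifetime = true,            // enforces the token's time window (exp / nbf)
            ClockSkew = TimeSpan.FromMinutes(1) // default is 5 minutes; tighten it deliberately
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();   // must come before UseAuthorization
app.UseAuthorization();

// Issues a token once the caller has been verified (the password check against the stored hash+salt is omitted).
app.MapPost("/login", (string username) =>
{
    var token = new JwtSecurityToken(
        issuer: "my-web-api",
        audience: "my-spa",
        claims: new[] { new Claim(ClaimTypes.Name, username) }, // payload is readable by anyone: no secrets here
        expires: DateTime.UtcNow.AddMinutes(15),
        signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256));
    return Results.Ok(new { token = new JwtSecurityTokenHandler().WriteToken(token) });
});

// Requests without a valid, untampered, unexpired bearer token get 401 from the middleware before this runs.
app.MapGet("/secure", (ClaimsPrincipal user) => $"Hello {user.Identity?.Name}")
   .RequireAuthorization();

app.Run();
```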

