Menu
Is there a way to require an API key in the URL / or some other way of passing the service a private key in order to grant access to the data?
I have this right now...
using System;
using System.Data.Services;
using System.Data.Services.Common;
using System.Collections.Generic;
using System.Linq;
using System.ServiceModel.Web;
using Numina.Framework;
using System.Web;
using System.Configuration;
[System.ServiceModel.ServiceBehavior(IncludeExceptionDetailInFaults = true)]
public class odata : DataService {
public static void InitializeService(DataServiceConfiguration config) {
config.SetEntitySetAccessRule("*", EntitySetRights.AllRead);
//config.SetServiceOperationAccessRule("*", ServiceOperationRights.All);
config.DataServiceBehavior.MaxProtocolVersion = DataServiceProtocolVersion.V2;
}
protected override void OnStartProcessingRequest(ProcessRequestArgs args) {
HttpRequest Request = HttpContext.Current.Request;
if(Request["apikey"] != ConfigurationManager.AppSettings["ApiKey"])
throw new DataServiceException("ApiKey needed");
base.OnStartProcessingRequest(args);
}
}
...This works but it's not perfect because you cannot get at the metadata and discover the service through the Add Service Reference explorer. I could check if $metadata is in the url but it seems like a hack. Is there a better way?
379
API keys provide project authorization They are generated on the project making the call, and you can restrict their use to an environment such as an IP address range, or an Android or iOS app. By identifying the calling project, you can use API keys to associate usage information with that project.
WEB API is a better choice for simpler, light weight services. WEB API can use any text format including XML and is faster than WCF. WEB API can be used to create full-blown REST Services. WEB API doesn't require any data contracts and doesn't require configurations to the level of WCF.
To configure an API method to require an API keySign in to the AWS Management Console and open the API Gateway console at https://console.aws.amazon.com/apigateway/ . Choose a REST API. In the API Gateway main navigation pane, choose Resources. Under Resources, create a new method or choose an existing one.
I would suggest using the authorization header to pass the apiKey instead of passing it in the query string. That's what it is there for and it help's to keep api keys out of log files.
I don't think there is anything really wrong with checking for the presence of '$metadata' in the url. You are writing the server side code, and the server owns the URI space, so making decisions based on text in the request url is what the server is all about. You could use something like,
if (requestUrl.Segments.Last().Replace('/','') != '$metadata')
instead of searching the entire uri string, if it makes it feel less icky!
128
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
