Reading every incoming request (URL) in ASP.NET WEB API

Question

I was using ASP.NET MVC framework. In this framework, we checked every incoming request (url) for some key and assigned it to a property. We created a custom class which derived from Controller class & we override OnActionExecuting() to provide our custom logic.

How can we achieve the same in ASP.NET WEB API?

//Implementation from ASP.NET MVC

public class ApplicationController : Controller
{       
    public string UserID { get; set; }

    protected override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        if (!string.IsNullOrEmpty(Request.Params["uid"]))
            UserID = Request.Params["uid"];

        base.OnActionExecuting(filterContext);
    }    
}

What I have tried in ASP.NET WEB API: -- Though this is working, I wonder if this is the correct approach?

Created a base controller

public class BaseApiController : ApiController
    {
        public string UserID { get; set; }
    }

Created another class which inherits ActionFilterAttribute class & I override OnActionExecuting()

public class TokenFilterAttribute : ActionFilterAttribute
    {
       public override void OnActionExecuting(System.Web.Http.Controllers.HttpActionContext actionContext)
            {
                var queryString = actionContext.Request.RequestUri.Query;
                var items = HttpUtility.ParseQueryString(queryString);
                var userId = items["uid"];

                ((MyApi.Data.Controllers.BaseApiController)(actionContext.ControllerContext.Controller)).UserID = userId;


            }
  }

Now register this class

public static void Register(HttpConfiguration config)
{
    config.Filters.Add(new TokenFilterAttribute());
} 

Answer 1

You can use message handlers from ASP.NET Web API. It is a typical security scenation, when you need to get some user token from query string, URL or HTTP Header

http://www.asp.net/web-api/overview/advanced/http-message-handlers

1.When you need simply to extract userId from URL, then use it as parameter for your Api method and ASP.NET WebAPI will do work for you, like

[HttpGet, Route("{userId}/roles")]      
public UserRoles GetUserRoles(string userId, [FromUri] bool isExternalUser = true)

It work for such request

http://.../15222/roles?isExternalUser=false

2.If it is security scenario, please refer to http://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api Basically you will need some MessageHandler or you can use filter attributes as well, it is mechanism in ASP.NET Web API to intercept each call.

If you need to process each request then MessageHandler is your way. You need implement MessageHanler and then register it.

To say easily, typical MessageHandler is class derived from MessageHandler or DelegatingHandler with SendAsync method overriden:

class AuthenticationHandler : DelegatingHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Your code here
        return base.SendAsync(request, cancellationToken);
     }
}

And you need register it 

static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {                   
        // Other code for WebAPI registerations here
        config.MessageHandlers.Add(new AuthenticationHandler());            
    }
}

and call it from Global.asax.cs

WebApiConfig.Register(GlobalConfiguration.Configuration);

Some example dummy hypotetical implementation of such handler (here you need to imeplement your UidPrincipal from IPrincipal and UidIdentity from IIdentity)

public class AuthenticationHandler : DelegatingHandler
{       
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        try
        {
            var queryString = actionContext.Request.RequestUri.Query;
            var items = HttpUtility.ParseQueryString(queryString);
            var userId = items["uid"];

            // Here check your UID and maybe some token, just dummy logic
            if (userId == "D8CD2165-52C0-41E1-937F-054F24266B65")
            {           
                IPrincipal principal = new UidPrincipal(new UidIdentity(uid), null);

                // HttpContext exist only when hosting as asp.net web application in IIS or IISExpress
                if (HttpContext.Current != null)
                {
                    HttpContext.Current.User = principal;
                }
                else
                {
                    Thread.CurrentPrincipal = principal;
                }
                return base.SendAsync(request, cancellationToken);
            }
            catch (Exception ex)
            {
                this.Log().Warn(ex.ToString());
                return this.SendUnauthorizedResponse(ex.Message);
            }
        }
        else
        {
            return this.SendUnauthorizedResponse();
        }
        }
        catch (SecurityTokenValidationException)
        {
            return this.SendUnauthorizedResponse();
        }
    }
}

And lets access it from some ASP.NET WebApi method or some property in WebAPI class

var uid = ((UidIdentity)User.Identity).Uid