Search code examples
asp.net-mvc-4asp.net-web-apiodataroleprovideruser-roles

How to use a MVC WebAPI OData endpoint securely?

I have an OData endpoint defined at ~/odata/, which doesn't need to be accessed unless a user has been authenticated (in fact, how would you secure this for non-authenticated users).

I setup role-based authentication to this path in the web.config with:

  <location path="odata">
    <system.web>
      <authorization>
        <allow roles="WaitConfirmation, etc...."/>
      </authorization>
    </system.web>
  </location>

When a user logs in, I don't use the OData endpoint for authentication (primarily because I need to figure out how to secure this).

I use EntityFramework to validate the user, return the user object, and hydrate the membership/role details.

Is this the standard method to follow to allow users' data calls to go through WebAPI paths, and if so, how do you ensure that any requests WebAPI requests (remember, I'm using OData) only return data related to the logged in user?

I have only read about "securing" OData services by means of decorating controller methods (ie. [Queryable(PageSize=10)]) in order to limit DOS attacks, etc, but not how to ensure that a if a common parameter, (ie. UserID=[this logged in user id]) is not included, to include it on all EF requests.

Solution

  • So the major hurdle to get past is thinking that all WebAPI requests (using the OData syntax) are stateless. Of course, in a stateless environment this makes this more difficult.

    However, with the WebAPI endpoint secured through web.config requiring an authenticated (stateful) request, we should be able to grab the UserName (or UserID or any other custom property when using a custom membership provider), by something like var userId = ((CustomIdentity)HttpContext.Current.User.Identity).UserId.

    Once this is established, we will need to add something like "WHERE UserID = userId;" before the request is issued:

            var unitOfWork = new Repository.UnitOfWork(_db);

        var users = options.ApplyTo(unitOfWork.Repository<MyTable>().Queryable
            .Include(w => w.NavigationProperty1)
            .Where(u => u.UserId == UserContext.Identity.UserId)
            .OrderBy(o => o.SomeProperty))
            .Cast<MyTable>().ToList();

    Additional suggestions welcome.