I'm currently developing a side-project, which will consist of a Database, Web API, and then different Apps on top which consume the restful API.
I've started thinking about User accounts and how to make these secure. Currently, as a standard, I have the following model in the Data Layer:
public int Id { get; set; }
public string Username { get; set; }
public string Full_Name { get; set; }
public string Password { get; internal set; }
public string Salt { get; internal set; }
Now, obviously, when someone makes a request for /Users/{id}, the User associated with that Id is returned. However, I don't want to return the Password or Salt, so really don't want those to be part of the User model.
I have toyed with the idea of creating a different, internal-only model for UserDetails, and shipping the Password/Salt, etc off into that. However, I hit the snag of, when signing up to the service, how do I get a desired password from the user to the API?
There's probably a really simple implementation of what I want to do, but I can't think of one right now. Any help would be greatly appreciated!
You should use a special view model without the password property for this purpose. Then inside your API you will map between your data model and the view model and return the view model out from your Web API method. Same stands true for the Salt property as well.