ASP.NET Web API in Azure: Customize authentication filter to prevent brute force? -
i've got website vs2013 spa template (web api 2.2) leverages asp.net identity 2.1, , works well. controller methods this:
[authorize] public api.models.widget get(int widgetid) { var requestinguserid = int32.parse(microsoft.aspnet.identity.identityextensions.getuserid(user.identity)); ... }
it works expected:
unauthorized users aren't granted access after authorized user gets in, can obtain user idbut i want modify application prevent excessive api requests. plan check see if particular userid had made number of requests within timeframe. i'm looking suggestions best place this.
i not have repeat logic in every controller, , seems action filter might best place. need read userid , i'm not sure if order of filters guaranteed, may create sense, if possible, derive filter beingness called authorization , add together logic.
i'm wondering if give illustration of doing similar? seems instead of "authorize", in custom authentication filter, , i'm not sure how tie together.
thanks suggestions...
there several filter options:
authorization filter makes security decisions whether execute action method, such performing authentication or validating properties of request.
example:
public class webapiauthorizeattribute : authorizeattribute { public override async task onauthorizationasync(httpactioncontext actioncontext, cancellationtoken cancellationtoken) { base.onauthorization(actioncontext); guid userid = new guid(httpcontext.current.user.identity.getuserid()); // ...here validation logic } }
action filter wraps action method execution. filter can perform additional processing, such providing info action method, inspecting homecoming value, or canceling execution of action method
to minimize impact on server, can cache http request in user browser predefined time, if user request same url in predefined time response loaded browser cache instead of server. outputcache attribute not available web api, can utilize this output caching in asp.net web api post alternative or may implement own action filter attribute caching:
public class cachefilterattribute : actionfilterattribute { /// <summary> /// gets or sets cache duration in seconds. default 10 seconds. /// </summary> /// <value>the cache duration in seconds.</value> public int duration { get; set; } public cachefilterattribute() { duration = 10; } public override void onactionexecuted(filterexecutedcontext filtercontext) { if (duration <= 0) return; httpcachepolicybase cache = filtercontext.httpcontext.response.cache; timespan cacheduration = timespan.fromseconds(duration); cache.setcacheability(httpcacheability.public); cache.setexpires(datetime.now.add(cacheduration)); cache.setmaxage(cacheduration); cache.appendcacheextension("must-revalidate, proxy-revalidate"); } }
additional considerations
once user makes phone call against web api, have add together +1 counter , utilize counter check massive calls same user in timeframe. problem here store counter.
if store counter in rdbms sql server, every user phone call perform db access. become performance problem. storage should lite weight possible. using nosql db might approach.
asp.net asp.net-web-api asp.net-identity asp.net-web-api2 asp.net-authorization
No comments:
Post a Comment