Showing posts with label asp.net-web-api2. Show all posts
Showing posts with label asp.net-web-api2. Show all posts

Friday, August 5, 2022

[FIXED] How can I allow multiple domains in a .Net Web API with OAuth token authentication using CORS?

      , , ,      No comments   

Issue

We have a .Net Framework Web API, with Token based OAuth authentication, and are trying to make a call to it via an Exchange HTML Add-In. I wish to allow access to several domains, as we may be using several different apps to access it, but we do not wish to allow general (*) access, as it is a proprietary web API, so there is no need for it to be accessed beyond known domains.

I have tried the following in order to satisfy the pre-flight:

  • Add the Access-Control-Allow-Origin headers with multiple domains via <system.webServer> - this returns a "header contains multiple values" CORS error when including multiple domains
  • Adding the Access-Control-Allow-Origin headers with multiple domains via a PreflightRequestsHandler : Delegating Handler - same result

If I set these up with one domain, and used the config.EnableCors with an EnableCorsAttribute with the domains, it would add those on to the headers and give an error with redundant domains.

How can I set up my Web API with OAuth and CORS settings for multiple domains?


Solution

You can add the header "Access-Control-Allow-Origin" in the response of authorized sites in Global.asax file

using System.Linq;
        
private readonly string[] authorizedSites = new string[]
{
  "https://site1.com",
  "https://site2.com"
};

private void SetAccessControlAllowOrigin() 
{
  string origin = HttpContext.Current.Request.Headers.Get("Origin");

  if (authorizedSites.Contains(origin)) 
      HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", origin);
}

protected void Application_BeginRequest() 
{
  SetAccessControlAllowOrigin();
}


Answered By - boubkhaled
Answer Checked By - Pedro (PHPFixing Volunteer)

Thursday, May 19, 2022

[FIXED] How to restrict character set for parameter binding?

      , ,      No comments   

Issue

I'm in a situation where I have to restrict a web service's character set for route values, query parameters and json body content to latin1.

I've played around with th econtent negotiator, but that one is just for response formatting.

I've tried replacing the supported encodings in the media formatters with one that throws on unexpected characters but when, for instance, the JsonMediaTypeFormatter does its ReadFromStream call, the effectiveEncoding parameter is already the latin1 one and the string is already garbled (I'm trying with some chinese characters).

What I actually want to happen is to create some BadRequest result whenever a wrong encoding gets specified or whenever a non-latin1 character shows up.

Could anybody give me a hint where to look fo the correct place to fix that? I'm sure there must be a better way than to do it all "manually" in a DelegatingHandler.


Solution

In the end I just replaced the media formatter with one that validates the string by using Encoding.GetBytes(...) before deserializing into an object.



Answered By - Volker
Answer Checked By - Clifford M. (PHPFixing Volunteer)

Total Pageviews

Featured Post

Why Learn PHP Programming

Why Learn PHP Programming A widely-used open source scripting language PHP is one of the most popular programming languages in the world. It...