
My requirements

I have a Web API which gives me required data from the database. I have a .Net website which consumes this Web API to get all data. Now the requirement is to protect the APIs from being exposed to anyone on the web.

What I have done so far:

On the website:

I generate a token when the user logs in. This token holds the details like username, a random key and the expiration time of the token, all in an encrypted string.

On the API:

Upon every request, before sending the response, I decrypt the token and validate if the username, key and expiration time are valid. If all of them are valid, the response will be sent. Otherwise, an error message is sent in response. This is the function that I made changes in:

protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
    AuthenticationHeaderValue authorization = request.Headers.Authorization;
    if (authorization != null)
    {
        // The token is carried as the parameter part of the Authorization header
        string token = authorization.Parameter;
        if (Encryption.DecryptData(token).Equals(ConfigurationManager.AppSettings["TokenKey"].ToString()))
        {
            // Token accepted: let the request reach the controller and send its response
            return base.SendAsync(request, cancellationToken);
        }
    }

    // Missing or invalid token: reject here, before the controller runs
    return Task.FromResult(request.CreateResponse(HttpStatusCode.Unauthorized));
}

Everything is good till here.

Now the problem is...

Let us say that I put an expiration time of 15 minutes for the token. The generated token hence can be used for 15 minutes after login to get responses from the API. This token can be used irrespective of the user's login status, i.e., the token is valid for 15 minutes even if the user signs out immediately after logging in.

I have been brainstorming and searching for solutions for the past few days and I came across the thought of handling the data in sessions but found later that it is a bad idea with respect to scalability.

There are also constraints that I cannot use OWIN. Additionally, the project is not MVC, it is a Web API project.

Can someone please come to my rescue and point me towards a solution? I'll be grateful as this has already consumed a lot of time.

Ravi Kiran

2 Answers


You can't invalidate a token. If a user has a token, then he is logged in. I had this problem when I had to invalidate tokens, and any workaround I found doesn't work in your situation. how-to-force-invalid-bearer-token-in-web-api

If a user has a valid token, then he is as good as logged in. When he logs out, you can only clear his cookie with the token. It's not a bug, it's a feature ;)

The best solution is to accept this and not worry about what the user wants to do with his token.

garret

You might be storing the token details somewhere (an SQL database maybe) in order to validate it in the API. Why not add a bit field "Enabled" in the database which is set to 0 when the user logs out then have the API check that field as part of the validation as well as checking the user, token and expiry time.

SBFrancies

  • What's the point of using tokens if you want to check the DB for every request auth? – garret Jan 16 '18 at 13:40
  • @garret +1. Using this approach only worsens the operation time as I have to ping the database on each request and wait for its response and then the original API response follows. – Ravi Kiran Jan 16 '18 at 13:48
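The following is an added example, not code from the question or either answer. It shows one way to combine the question's SendAsync validation with SBFrancies's "mark the token dead on logout" idea while addressing garret's objection to a database round trip per request: logout records only the token's id in a revocation list, and entries are dropped once the token would have expired anyway, so the list stays small and can live in memory or a shared cache instead of the main database. It substitutes an HMAC-SHA256 signed token for the author's Encryption.DecryptData (whose format is not shown), and the class names TokenService, RevokedTokens, TokenAuthHandler and the token layout are all assumptions made for this example.

```csharp
using System;
using System.Collections.Concurrent;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

public class TokenClaims { public string Username; public string TokenId; public DateTime ExpiresUtc; }

// Token layout (constructed for this example): "username|tokenId|expiresUtcTicks|signature",
// signature = Base64(HMAC-SHA256(key, "username|tokenId|expiresUtcTicks")).
public static class TokenService
{
    // Server-side secret; in a real deployment load it from configuration, never hard-code it.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("replace-with-a-long-random-secret");

    public static string Issue(string username, TimeSpan lifetime)
    {
        string payload = username + "|" + Guid.NewGuid().ToString("N") + "|" + DateTime.UtcNow.Add(lifetime).Ticks;
        return payload + "|" + Sign(payload);
    }

    // Returns the claims when the token is well-formed, correctly signed and unexpired; null otherwise.
    public static TokenClaims Validate(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        string[] parts = token.Split('|');
        if (parts.Length != 4) return null;
        string payload = string.Join("|", parts, 0, 3);
        if (!FixedTimeEquals(Sign(payload), parts[3])) return null;   // signature checked before anything else
        long ticks;
        if (!long.TryParse(parts[2], out ticks)) return null;
        DateTime expires = new DateTime(ticks, DateTimeKind.Utc);
        if (expires <= DateTime.UtcNow) return null;
        return new TokenClaims { Username = parts[0], TokenId = parts[1], ExpiresUtc = expires };
    }

    private static string Sign(string payload)
    {
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Constant-time comparison so a wrong signature is not distinguishable by timing.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Revocation list: logout adds the token id, keyed to the token's own expiry, so the list only ever
// holds tokens revoked within the last <lifetime>. In-memory here (assumption); on a web farm this
// would be a shared cache so every server sees the same revocations.
public static class RevokedTokens
{
    private static readonly ConcurrentDictionary<string, DateTime> Revoked = new ConcurrentDictionary<string, DateTime>();

    public static void Revoke(TokenClaims claims) { Revoked[claims.TokenId] = claims.ExpiresUtc; }

    public static bool IsRevoked(string tokenId)
    {
        DateTime expires;
        if (!Revoked.TryGetValue(tokenId, out expires)) return false;
        if (expires <= DateTime.UtcNow) { Revoked.TryRemove(tokenId, out expires); return false; } // stale entry
        return true;
    }
}

// Registered in WebApiConfig with: config.MessageHandlers.Add(new TokenAuthHandler());
public class TokenAuthHandler : DelegatingHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue authorization = request.Headers.Authorization;
        TokenClaims claims = (authorization != null && authorization.Scheme == "Bearer")
            ? TokenService.Validate(authorization.Parameter)
            : null;

        if (claims == null || RevokedTokens.IsRevoked(claims.TokenId))
        {
            // Reject before the controller runs; a bare 401 does not tell the caller which check failed.
            HttpResponseMessage response = request.CreateResponse(HttpStatusCode.Unauthorized);
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer"));
            return Task.FromResult(response);
        }

        request.Properties["Username"] = claims.Username;   // available to controllers downstream
        return base.SendAsync(request, cancellationToken);
    }
}
```

The logout endpoint validates the presented token once more and calls RevokedTokens.Revoke(claims); from then on the handler rejects that token id for the remainder of its 15 minutes without any database access on the request path. The trade-off is that the revocation list is per process as written, so a second API server would not see a logout recorded on the first until the list is moved to a cache both can read.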