
System will generate a URL and send to customer mobile / email.

When the user clicks the URL link, it should call the web API service to get some data and display it. But my web API service will not allow any requests without credentials in the header.

At the same time I can't pass the credentials in the generated URL. How can I handle this? Also I can't ignore authentication for this API alone.

Edit: (Edited the question because it's reported as too broad)

Is there any way I can generate an authentication key which can be validated on the server side? I can't have any static API key to validate, because I may need to configure it in the frontend, which ends with a security issue.

King_Fisher
  • The best way is to redirect the user to the login page, and after login redirect the user to the link specified in the email – Djuro Jan 29 '19 at 11:48
  • No, we can't redirect to the login page as per the functionality – King_Fisher Jan 29 '19 at 11:54
  • So you can't pass along credentials, or any form of authentication, in the url, and the api requires credentials passed in the header. Then it is simple, you can't do it. Is there no way for you to pass along something in the url that can be used to verify that it is correct, and relax the authentication-in-the-header requirement for this particular api endpoint? – Lasse V. Karlsen Jan 29 '19 at 13:04
  • Also, the concept seems wrong if the url is to the api and the api should return data to display, the api should return data, it should not be responsible for serving html and css, which means the link should be to your frontend, which would then make the request to your backend. (you will still have the problem with authentication though) – Lasse V. Karlsen Jan 29 '19 at 13:07
  • Please elaborate on what kind of options you think would be acceptable, even if you don't know how to implement it, as currently you've said that rules you have decided upon prevent you from solving this at all, in other words, this is basically impossible unless you relax some requirements. – Lasse V. Karlsen Jan 29 '19 at 13:20
  • The server will not respond with the HTML content; the frontend will request it, the service will provide the necessary data, and the frontend will render it in HTML – King_Fisher Jan 29 '19 at 14:06
  • Is there any way I can generate an authentication key which can be validated on the server side? I can't have any static API key to validate, because I may need to configure it in the frontend, which ends with a security issue. – King_Fisher Jan 29 '19 at 14:08

1 Answer

You could create some sort of session mechanism: each time, generate a GUID for the user and put it in the cache (duplicated to the database to avoid losing it if the cache fails) for about 1 day or whatever time you need, and then authorize users by this id on the server side. Your URL will look like

https://example.com/[generated session guid]
Eugene Chybisov
  • Better to save that key in the database. Sessions can be lost "easily". – Djuro Jan 29 '19 at 12:05
  • @Djuro corrected the answer, we still need cache to reduce the load on the database – Eugene Chybisov Jan 29 '19 at 12:10
  • Thanks, I have updated the question – King_Fisher Jan 29 '19 at 14:20
  • “*we still need cache to reduce the load on the database*” - this seems like a premature optimisation which may or may not be necessary. There’s no reason to add this complexity until you’ve profiled and found it offers a significant performance improvement. – MTCoster Jan 29 '19 at 14:37
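The session-id scheme from the answer above, worked through as an added example (not code from the answer's author or from the question's project). It assumes Python and uses an in-memory dictionary as a stand-in for the cache-plus-database the answer describes; the class and function names (`LinkTokenStore`, `handle_request`, `token_from_url`) and the `https://example.com/` base URL are hypothetical. The server mints an unguessable random token per customer, stores only its SHA-256 hash with an expiry, and the frontend that receives the link lifts the token out of the URL and sends it in an `Authorization` header, which keeps the API's credentials-in-the-header rule intact while still needing no static key in the frontend.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 24 * 60 * 60  # "about 1 day", as suggested in the answer


@dataclass
class LinkSession:
    user_id: str
    expires_at: float
    consumed: bool = False  # lets a link be made single-use if desired


class LinkTokenStore:
    """In-memory stand-in (constructed for this example) for the cache plus
    database the answer describes. Rows are keyed by SHA-256(token), so a
    dump of the store does not hand out working links."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._rows: Dict[str, LinkSession] = {}
        self._clock = clock  # injectable so expiry can be exercised in tests

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, ttl: int = TOKEN_TTL_SECONDS) -> str:
        # 32 bytes from the OS CSPRNG: unguessable, unlike a sequential id or a
        # static API key that would have to live in the frontend.
        token = secrets.token_urlsafe(32)
        self._rows[self._key(token)] = LinkSession(user_id, self._clock() + ttl)
        return token

    def build_url(self, user_id: str, base: str = "https://example.com/") -> str:
        # The URL carries only the random token, never the customer's credentials.
        return base + self.issue(user_id)

    def authorize(self, token: str, single_use: bool = False) -> Optional[str]:
        """Return the user id the token was issued for, or None if the token is
        unknown, expired, or (when single_use is set) already consumed."""
        key = self._key(token)
        row = self._rows.get(key)
        if row is None:
            return None
        if self._clock() >= row.expires_at:
            del self._rows[key]  # expired rows are purged on first sight
            return None
        if single_use:
            if row.consumed:
                return None
            row.consumed = True
        return row.user_id


def token_from_url(url: str) -> str:
    """What the frontend does with the clicked link: take the last path segment."""
    return url.rstrip("/").rsplit("/", 1)[-1]


def handle_request(store: LinkTokenStore, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Hypothetical API handler: credentials must arrive in the header, as the
    question requires; the link token is presented as a bearer token."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing credentials"}
    user_id = store.authorize(auth[len("Bearer "):])
    if user_id is None:
        return 401, {"error": "invalid or expired link"}
    return 200, {"user_id": user_id, "data": "account summary for " + user_id}


if __name__ == "__main__":
    store = LinkTokenStore()
    url = store.build_url("customer-42")
    print("link sent to customer:", url)
    tok = token_from_url(url)
    print(handle_request(store, {"Authorization": "Bearer " + tok}))
    print(handle_request(store, {}))
```

The expiry and the hashed-at-rest storage are the two checks worth keeping in any real version: the first bounds how long a leaked or forwarded email stays useful, the second means a read of the cache or database table does not become a read of every live link. Whether the cache layer is needed at all is the point MTCoster raises above; the store interface here is the same either way.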