1

I am working on an ASP.NET Web API project. I recently created an endpoint for documentation using config.Services.GetApiExplorer();

What is the best way to hide this endpoint in production and still make it available for all other developers in my team?

One way I could think of is to register a route using

#if DEBUG

// Registered only in builds where the DEBUG symbol is defined (symbols are case-sensitive).
routes.MapRoute(
    "documentation",
    "documentation/help",
    new { controller = "apiexplorer", action = "Index" }
);

#endif
Anurag
  • 307
  • 5
  • 9
  • 2
    could use a feature flags library to turn on for local dev in local config and turn off in prod config or dark launching – Luke Hutton Apr 26 '19 at 01:24
  • The way the post is phrased now is way too broad for SO, as there are tons of options and opinions... If you have particular concerns about your approach - that would be more suitable. – Alexei Levenkov Apr 26 '19 at 02:43
  • @AlexeiLevenkov. I am looking for a way to solve this problem which is acceptable to at least some developers. As of now it's just my thoughts and it may have some issues. Should I rephrase the question to take inputs on my approach? – Anurag Apr 26 '19 at 05:01
  • @LukeHutton. That is a nice suggestion. – Anurag Apr 26 '19 at 05:03

2 Answers

5

There are two attributes that could hide an API endpoint:

[ApiExplorerSettings(IgnoreApi = true)]
[NonAction]
public async Task PrivateAPI()
{
    // ...
}

But for your case, I would probably create a new attribute to check the environment and apply that attribute to your controller method. Inject the 'IHostingEnvironment' class, then use the .IsDevelopment() method.

Ted Zhang
  • 341
  • 2
  • 6
  • Definitely a better approach than mine. I will wait for some time before accepting this as the answer – Anurag Apr 26 '19 at 05:08
0

I assume that your developers still need to have access to that endpoint even on production (for sanity checks, ..., the same as dev and staging environments). If that's the case, create a new Policy and put your developers (or any other person you want to expose your endpoint to) under that policy.

[Authorize(Policy = "JustDevelopersPolicy")]
public async Task PrivateAPI()
{
    // ...
}

FYI, it might change the response from calling that endpoint, so if an unauthorized person calls it, they get 401 instead of 404.

Ali Abdoli
  • 529
  • 5
  • 9
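
The two answers above can be combined in one filter: an environment check (first answer) plus the developer policy (second answer), answering 404 instead of 401 so a rejected request does not confirm the route exists. This is an added example, not code from either answerer; it assumes ASP.NET Core 2.x MVC, and the attribute name, controller and the "Developer" role are hypothetical.

```csharp
// Added example. On ASP.NET Core 3.0+ use IWebHostEnvironment
// in place of IHostingEnvironment.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical attribute: open in Development, policy-gated everywhere else.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class InternalDocsAttribute : Attribute, IAsyncAuthorizationFilter
{
    public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
    {
        var services = context.HttpContext.RequestServices;

        // Local development: every developer on the team can reach the page.
        if (services.GetRequiredService<IHostingEnvironment>().IsDevelopment())
            return;

        // Any other environment: the caller must satisfy the developer policy.
        var authorization = services.GetRequiredService<IAuthorizationService>();
        var result = await authorization.AuthorizeAsync(
            context.HttpContext.User, "JustDevelopersPolicy");

        // 404 rather than 401/403, so a failed request looks like a missing route.
        if (!result.Succeeded)
            context.Result = new NotFoundResult();
    }
}

[InternalDocs]
[ApiExplorerSettings(IgnoreApi = true)] // keep the docs page out of its own listing
[Route("documentation/help")]
public class DocumentationController : Controller
{
    [HttpGet]
    public IActionResult Index() => Ok("API documentation placeholder");
}

// In Startup.ConfigureServices (the role name "Developer" is an assumption):
// services.AddAuthorization(o =>
//     o.AddPolicy("JustDevelopersPolicy", p => p.RequireRole("Developer")));
```

ASP.NET Core treats the environment as Production when ASPNETCORE_ENVIRONMENT is unset, so a host with no environment configured falls through to the policy check rather than the open path.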