Reputation: 5167
I currently have an ASP.NET MVC and ASP.NET Web API 2 project (both types of controllers are included in the same project).
I want to ensure that a user cannot directly make a call to the Web API and get raw data (such as http://domain/api/myaction). However, the API methods should have the ability to be called by jQuery via AJAX, and MVC Controller Actions should also be able to call the Web API Actions (in cases where the initial View should be rendered with some data that came from the API).
What is the best approach to do something like this, or am I looking at this the wrong way?
Upvotes: 0
Views: 142
Reputation: 1964
There is no difference between an Ajax call and a "direct" call. What you should do for any controller action is validate the request via a token or whatever authentication method you have established.
If you are using Microsoft authentication, you only need to add the [Authorize] tag above your controller/action.
https://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute(v=vs.118).aspx
Upvotes: 2
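The attribute-based approach from the answer above, as an added example for a project that mixes both controller types (not code from the answer or the asker's project). The linked page documents `System.Web.Mvc.AuthorizeAttribute`; Web API 2 controllers are checked by the separate `System.Web.Http.AuthorizeAttribute`, so each controller type needs the attribute from its own namespace. The controller names and routes are hypothetical.

```csharp
// Added example. ReportsController, DashboardController and the "api/reports"
// routes are hypothetical names, not taken from the original post.
using System.Web.Http;

namespace Demo
{
    public static class WebApiConfig
    {
        public static void Register(HttpConfiguration config)
        {
            config.MapHttpAttributeRoutes();

            // Deny by default: every Web API action requires an authenticated
            // caller unless it explicitly opts out with [AllowAnonymous].
            config.Filters.Add(new System.Web.Http.AuthorizeAttribute());
        }
    }

    // Web API controller: must use the System.Web.Http attribute.
    // The MVC attribute is not evaluated by the Web API pipeline.
    [System.Web.Http.Authorize]
    [RoutePrefix("api/reports")]
    public class ReportsController : ApiController
    {
        [HttpGet, Route("")]
        public IHttpActionResult Get()
        {
            // User is the principal established by the authentication layer.
            return Ok(new { owner = User.Identity.Name });
        }

        // Explicit, reviewable exception to the deny-by-default filter.
        [HttpGet, Route("ping")]
        [System.Web.Http.AllowAnonymous]
        public IHttpActionResult Ping()
        {
            return Ok("pong");
        }
    }

    // MVC controller in the same project: uses the System.Web.Mvc attribute.
    [System.Web.Mvc.Authorize]
    public class DashboardController : System.Web.Mvc.Controller
    {
        public System.Web.Mvc.ActionResult Index() { return View(); }
    }
}
```

With this in place, an unauthenticated request to `api/reports` is rejected whether it comes from the address bar or from jQuery, while a same-origin AJAX call made after login carries the user's authentication cookie and is allowed.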