Reputation: 1613
My MVC application accesses my Web API.
To access the Web API it is absolutely necessary to provide a "token".
There is a button in the Web API that generates the token.
How can I make the Web API application accept only the token generated by the MVC application, without using a database?
I made the MVC application generate the token (a GUID + date) and pass this token to the Web API, which validates that the date is within a 30s period. If it is within the period I consider the token valid.
byte[] data = Convert.FromBase64String(token);
// 'date' is the 8-byte timestamp part of the decoded token; the question does not show how it is split out of 'data'
DateTime when = DateTime.FromBinary(BitConverter.ToInt64(date, 0));
// Reject the token when its timestamp is more than 30 seconds old
if (when < DateTime.UtcNow.AddSeconds(-30))
{
    return false;
}
This works; however, any GUID concatenated with a date will be valid. I need my Web API to know exactly which token was generated by the MVC application.
Upvotes: 2
Views: 365
Reputation: 643
You could use a two-way hash to encrypt the token, then decrypt it server side. Or to put it another way, manipulate the string in manner that is non-obvious, then perform the opposite operation server side. This will prevent someone from spoofing your token. This question has a lot of details.
Upvotes: 1
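One concrete way to get the property the question asks for, and the "non-obvious manipulation that the server reverses" the answer describes, is to have the MVC side append an HMAC over the GUID and timestamp computed with a secret key shared only with the Web API; the Web API recomputes the HMAC and rejects anything that does not match before it even looks at the 30-second window. This is an added example, not code from either poster; the key is a constructed value and the class and method names are my own.

```csharp
using System;
using System.Security.Cryptography;

// Added example. Both applications hold the same secret key; it is a constructed
// value here and would come from protected configuration in a real deployment.
public static class SignedToken
{
    private const int GuidLen = 16, TimeLen = 8, MacLen = 32, WindowSeconds = 30;

    // MVC side: token = Base64( guid | UTC time (ToBinary) | HMAC-SHA256(guid | time) )
    public static string Create(byte[] key)
    {
        byte[] payload = new byte[GuidLen + TimeLen];
        Guid.NewGuid().ToByteArray().CopyTo(payload, 0);
        BitConverter.GetBytes(DateTime.UtcNow.ToBinary()).CopyTo(payload, GuidLen);
        byte[] token = new byte[payload.Length + MacLen];
        payload.CopyTo(token, 0);
        using (var hmac = new HMACSHA256(key))
            hmac.ComputeHash(payload).CopyTo(token, payload.Length);
        return Convert.ToBase64String(token);
    }

    // Web API side: recompute the MAC over guid|time with the shared key, compare it in
    // constant time, and only then check the 30-second window from the question.
    public static bool Validate(string token, byte[] key)
    {
        byte[] data;
        try { data = Convert.FromBase64String(token); }
        catch (FormatException) { return false; }
        if (data.Length != GuidLen + TimeLen + MacLen) return false;
        byte[] payload = new byte[GuidLen + TimeLen];
        Array.Copy(data, 0, payload, 0, payload.Length);
        byte[] expected;
        using (var hmac = new HMACSHA256(key)) expected = hmac.ComputeHash(payload);
        int diff = 0;                       // constant-time comparison, no early exit
        for (int i = 0; i < MacLen; i++) diff |= expected[i] ^ data[payload.Length + i];
        if (diff != 0) return false;
        DateTime when = DateTime.FromBinary(BitConverter.ToInt64(data, GuidLen));
        DateTime now = DateTime.UtcNow;
        return when >= now.AddSeconds(-WindowSeconds) && when <= now.AddSeconds(WindowSeconds);
    }

    public static void Main()
    {
        byte[] key = new byte[32];          // constructed demo key, generated at run time
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        Console.WriteLine(Validate(Create(key), key));
    }
}
```

Without the key nobody can produce a GUID+date pair that passes the MAC check, which is the gap in the question's code; the 30-second window still allows a captured token to be resent inside that window, so if replay matters the Web API also needs to remember GUIDs it has already accepted for those 30 seconds.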