BryMan

Reputation: 535

ASP.NET Core Data Protection API with Angular Front End

I am currently developing an SPA web application using an Angular 8 front end and an ASP.NET Core back end. I am using the .NET Core Data Protection API to protect the IDs of objects before I return them to the Angular client. I have a page in my application that makes a call to the API to retrieve "Categories".

Each category in the list of categories that is returned has an "Id" property that is a protected string (protected using the .NET Core Data Protection API). These categories are the data source of a dropdown list on the page. The "Id" property is the "value" attribute of each option in the dropdown list.

On the same page I have another API call to get the logged-in user's selected category. This category is the same object as the "categories" mentioned above (along with the protected Id property).

What I want to do now is set the selected value of the dropdown list to the "selected category" for the user. Since I am using the Data Protection API, the encrypted IDs in the dropdown list are all going to be different from the "selected category" ID, and none of them will match the "selected category" ID for the user. So at this point I have no way to select the option in the dropdown list.

So the question is: using the .NET Core Data Protection API, how can I make separate API calls and, within each call, make sure that when I protect a particular integer value the resulting protected strings are identical (if the IDs are the same), so I can successfully compare the two on the client?

Upvotes: 0

Views: 720
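The behaviour described in the question, reproduced as an added example (this is not code from the original question). It uses a file-system key ring so it runs outside a web host; the purpose string "CategoryIds" and the key directory path are assumptions for the demo, and it requires the Microsoft.AspNetCore.DataProtection.Extensions package.

```csharp
// Added example, not code from the original question. Shows why the two
// protected strings never match: IDataProtector.Protect is randomized, so
// protecting the same value twice yields two different payloads that both
// Unprotect to the original. Purpose string and key directory are assumptions.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

public static class ProtectDemo
{
    public static void Main()
    {
        // File-system key ring so the demo runs without an ASP.NET Core host.
        var keyDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-demo-keys"));
        IDataProtectionProvider provider = DataProtectionProvider.Create(keyDir);
        IDataProtector protector = provider.CreateProtector("CategoryIds");

        int categoryId = 42;

        // Two separate "API calls" protecting the same integer.
        string fromListCall = protector.Protect(categoryId.ToString());
        string fromSelectedCall = protector.Protect(categoryId.ToString());

        // Different ciphertexts: every Protect call uses fresh randomness.
        Console.WriteLine(fromListCall == fromSelectedCall);   // False

        // Equality can only be checked on the server, after Unprotect.
        bool sameId = protector.Unprotect(fromListCall) == protector.Unprotect(fromSelectedCall);
        Console.WriteLine(sameId);                              // True

        // The payload is authenticated: a modified string is rejected, not decoded.
        try
        {
            var chars = fromListCall.ToCharArray();
            int mid = chars.Length / 2;
            chars[mid] = chars[mid] == 'A' ? 'B' : 'A';
            protector.Unprotect(new string(chars));
            Console.WriteLine("unexpected: tampered payload accepted");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("tampered payload rejected");
        }
    }
}
```

The non-determinism is by design: each protected payload carries per-call randomness, so there is no setting that makes Protect return a stable string for a given input. If protected IDs are kept, the comparison has to move server-side (Unprotect both values and compare the integers), which is a good indicator that an opaque, stable public identifier is the simpler design.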

Answers (1)

Tore Nestenius

Reputation: 19901

I would not use the Data Protection API to encrypt/secure integer values at runtime. That will not give you very good performance. A better option is to have, for example, a GUID column in your database that you use in the frontend, while internally you use the integer ID.

So basically, add a new column and set it with a GUID and use that as your category id to the users of the API.

I don't understand why you need to encrypt your ID-values for a dropdown box. What is the attack vector that you try to prevent?

Because with proper input validation and authentication/authorization checks on the backend, this should never be an issue. I have never seen anyone needing to encrypt ID-values to present to the user like you describe.

One thing you can do is, for example, use GUIDs to represent items (like categories, user IDs, resource IDs) to prevent enumeration attacks. But this is not encryption.

Upvotes: 1
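The design the answer recommends, as an added example (not code from the original answer or from the poster's project): the integer primary key stays internal, a GUID column is what the client sees and sends back, and authorization is still enforced on the server for every lookup. The type and method names (Category, CategoryStore, CategoryService) are hypothetical, and the in-memory list stands in for the database table.

```csharp
// Added example, not from the original post or answer. Demonstrates the
// "GUID public id + integer internal id" design with a server-side ownership
// check. Names are hypothetical; the List<Category> stands in for a DB table
// whose PublicId column should carry a unique index.
using System;
using System.Collections.Generic;
using System.Linq;

public sealed class Category
{
    public int Id { get; init; }            // internal PK, never leaves the server
    public Guid PublicId { get; init; }     // exposed to the client; stable across calls
    public int OwnerUserId { get; init; }   // used for the authorization check
    public string Name { get; init; } = "";
}

// Shape returned to the Angular client: the integer Id is simply not present.
public sealed record CategoryDto(Guid Id, string Name);

public sealed class CategoryStore
{
    private readonly List<Category> _rows = new();
    public void Add(Category c) => _rows.Add(c);
    public Category? FindByPublicId(Guid publicId) =>
        _rows.FirstOrDefault(c => c.PublicId == publicId);
    public IEnumerable<Category> ForUser(int userId) =>
        _rows.Where(c => c.OwnerUserId == userId);
}

public static class CategoryService
{
    public static IReadOnlyList<CategoryDto> List(CategoryStore store, int currentUserId) =>
        store.ForUser(currentUserId).Select(c => new CategoryDto(c.PublicId, c.Name)).ToList();

    // Look up by the opaque public id, then authorize against the caller.
    // A random GUID limits enumeration; it does not replace this check.
    public static CategoryDto? GetForUser(CategoryStore store, Guid publicId, int currentUserId)
    {
        var row = store.FindByPublicId(publicId);
        if (row is null || row.OwnerUserId != currentUserId)
            return null;   // map to 404 in the controller; do not reveal that the row exists
        return new CategoryDto(row.PublicId, row.Name);
    }
}

public static class Program
{
    public static void Main()
    {
        var store = new CategoryStore();
        var otherUsersCategory = Guid.NewGuid();
        store.Add(new Category { Id = 1, PublicId = Guid.NewGuid(), OwnerUserId = 7, Name = "Books" });
        store.Add(new Category { Id = 2, PublicId = Guid.NewGuid(), OwnerUserId = 7, Name = "Music" });
        store.Add(new Category { Id = 3, PublicId = otherUsersCategory, OwnerUserId = 9, Name = "Private" });

        // Two separate API calls for user 7 return the same PublicId for the same row,
        // so the dropdown value and the "selected category" value compare equal on the client.
        var dropdown = CategoryService.List(store, 7);
        var selected = CategoryService.GetForUser(store, dropdown[1].Id, 7);
        Console.WriteLine(selected is not null && dropdown.Any(d => d.Id == selected.Id)); // True

        // A valid GUID that belongs to another user is rejected by the server-side check,
        // even though the client could have obtained it.
        Console.WriteLine(CategoryService.GetForUser(store, otherUsersCategory, 7) is null); // True
    }
}
```

Guid.NewGuid() gives a random (version 4) value, so the public identifier is not sequential and cannot be walked by incrementing. As the answer notes, that only raises the cost of enumeration; the ownership check in GetForUser is what actually prevents one user from reading another user's category.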
