Reputation: 2341
I followed this tutorial http://www.tugberkugurlu.com/archive/api-key-authorization-through-query-string-in-asp-net-web-api-authorizationfilterattribute to create a custom authorization filter.
I have a CarController with my custom authorize attribute: [ApiKeyAuth("apiKey", typeof(ApiKeyAuthorizer))]
I send two parameters in the URL: host/Car/4?username=xxx&pass=xxx. It works basically fine; however, I want to allow only car owners to see information about their cars. E.g. user ABC can see only host/Car/5, and user DEF can see host/Car/6 and host/Car/10. How can I solve this scenario? How can I access the id of the car used in the query (host/Car/ID) in my ApiKeyAuthorizer?
Greetings
Upvotes: 2
Views: 1448
Reputation: 532435
If you look at his code, https://github.com/tugberkugurlu/ASPNETWebAPISamples/tree/master/TugberkUg.Web.Http/src/samples and https://github.com/tugberkugurlu/ASPNETWebAPISamples/tree/master/TugberkUg.Web.Http/src/TugberkUg.Web.Http, I think you'll find that he's pulling the data directly from the query string. It should simply be a matter of extending that method to pull in the id parameter. You might also want to look at the RequestContentKeyValueModel on the HttpActionContext parameter passed into the OnAuthorization method. The documentation is sketchy and I haven't played with it yet, but that seems like a likely candidate to me. However, the route data is available indirectly through the HttpRequestMessage via an extension method, specifically:
message.GetRouteData();
Upvotes: 1
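An added example, not code from the posts above or from the linked tutorial: an authorization filter that reads the car id with GetRouteData() inside OnAuthorization and denies the request unless the authenticated user owns that car. ICarOwnershipStore, CarOwnerAuthAttribute and the route parameter name "id" are assumptions; the username and pass query parameters are the ones from the question.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical store: back it with the real credential check and ownership lookup.
public interface ICarOwnershipStore
{
    bool CredentialsValid(string username, string password);
    bool UserOwnsCar(string username, int carId);
}

public class CarOwnerAuthAttribute : AuthorizationFilterAttribute
{
    // Assumption: the application assigns the store once at startup.
    public static ICarOwnershipStore Store { get; set; }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        HttpRequestMessage request = actionContext.Request;
        // First value per key from ?username=...&pass=... (repeated keys are ignored).
        var query = request.GetQueryNameValuePairs()
            .GroupBy(p => p.Key, StringComparer.OrdinalIgnoreCase)
            .ToDictionary(g => g.Key, g => g.First().Value,
                          StringComparer.OrdinalIgnoreCase);

        string user, pass;
        if (Store == null
            || !query.TryGetValue("username", out user)
            || !query.TryGetValue("pass", out pass)
            || !Store.CredentialsValid(user, pass))
        {   // Unknown caller: fail closed before looking at the route.
            actionContext.Response = request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }

        // "id" is the assumed route parameter name, e.g. host/Car/{id}.
        var routeData = request.GetRouteData();
        object rawId;
        int carId;
        if (routeData == null
            || !routeData.Values.TryGetValue("id", out rawId)
            || !int.TryParse(Convert.ToString(rawId), out carId)
            || !Store.UserOwnsCar(user, carId))
        {   // Known caller, but no usable id or not the owner of this car.
            actionContext.Response = request.CreateResponse(HttpStatusCode.Forbidden);
        }
    }
}
```

Doing the ownership check in the same filter that validates the credentials means the username it compares against is never an unverified value taken straight from the URL.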