Protect custom endpoints
Before we start: This section requires Ucommerce to be installed through NuGet.
Our developers have done an amazing job securing our endpoints. Why not take advantage of our headless client security features for your own endpoints?
Follow this guide and we will show you how easy it is 🚀
In the code below you see three examples of how to secure your custom endpoints. Two of them are secured with Bearer authentication and one is secured with Basic authentication. DoSomethingWithAuthentication and DoSomethingWithExplicitAuthentication are secured with Bearer authentication.
To use this you will need to obtain an access_token; click here to learn how.
With an access_token you should only act on behalf of one store. If you need the storeId you can use our FromClaim attribute on a controller parameter and it will supply the storeId from the token's claims.
NOTE To use this authentication you will have to pass a header called Authorization, with the value Bearer <access_token>, in all your REST requests.
The easiest but less secure way of protection is to use Basic authentication. DoSomethingWithBasicAuthentication shows how to enable it.
If you want to use Basic authentication, the Authorization header uses the Basic HTTP Authentication scheme (defined in RFC 7617). In other words, the value of the header is Basic followed by the base64 encoding of clientId:clientSecret, which the helper below produces. Since the client secret travels in every request, only use Basic authentication over HTTPS.
```csharp
using System;
using System.Text;

// Builds the value for the Authorization header: "Basic " + base64(clientId:clientSecret).
// ISO-8859-1 is used for the byte encoding; this encoder replaces characters outside
// that character set with '?', so keep clientId and clientSecret within ISO-8859-1.
public string GenerateBasicAuthorizationHeaderValue(string clientId, string clientSecret)
{
    string credentials = $"{clientId}:{clientSecret}";
    byte[] credentialsByteData = Encoding.GetEncoding("iso-8859-1").GetBytes(credentials);
    string base64Credentials = Convert.ToBase64String(credentialsByteData);
    return $"Basic {base64Credentials}";
}
```
Examples of how to secure an endpoint:
```csharp
using System.Web.Http;
// HeadlessConstants and FromClaim come with the Ucommerce headless package installed from NuGet;
// their namespaces are not shown here, so add the matching using directives from your project.

[RoutePrefix("api/v1")]
public class Authentication : ApiController
{
    // No scheme specified: protected by the headless Authorize attribute (Bearer, see above).
    [HttpGet]
    [HttpPost]
    [HttpPut]
    [Ucommerce.Headless.Authentication.Authorize]
    public IHttpActionResult DoSomethingWithAuthentication()
    {
        return Ok();
    }

    // Basic scheme: expects Authorization: Basic base64(clientId:clientSecret).
    [HttpGet]
    [HttpPost]
    [HttpPut]
    [Ucommerce.Headless.Authentication.Authorize(AuthenticationSchemes = HeadlessConstants.TokenTypes.BASIC_SCHEME)]
    public IHttpActionResult DoSomethingWithBasicAuthentication()
    {
        return Ok();
    }

    // Bearer scheme, stated explicitly; the client id claim from the access_token
    // is bound to the "store" parameter through FromClaim.
    [HttpGet]
    [HttpPost]
    [HttpPut]
    [Ucommerce.Headless.Authentication.Authorize(AuthenticationSchemes = HeadlessConstants.TokenTypes.BEARER_SCHEME)]
    public IHttpActionResult DoSomethingWithExplicitAuthentication(
        [FromClaim(Name = HeadlessConstants.ClaimTypes.CLIENT_ID)] string store)
    {
        return Ok();
    }
}
```
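The following is an added example, not code from the Ucommerce documentation or product. It shows the client side of both the Bearer note and the Basic section above: it builds the Authorization header value for each scheme, round-trips the Basic value to check that the encoding and the RFC 7617 colon rule are honoured, and calls the three endpoints of the controller above. The base URL, the three route paths (the controller only declares the api/v1 prefix) and the environment variables that supply access_token, clientId and clientSecret are assumptions of this example.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;

public static class HeadlessAuthClient
{
    // Same byte encoding as the page's helper. This encoder replaces characters outside
    // ISO-8859-1 with '?', which would silently turn the secret into a different one,
    // so the encoding is verified by a round-trip before the header is used.
    private static readonly Encoding Latin1 = Encoding.GetEncoding("iso-8859-1");

    public static string BasicHeaderValue(string clientId, string clientSecret)
    {
        // RFC 7617: the user-id part must not contain ':' because it is the separator.
        if (clientId.Contains(":"))
            throw new ArgumentException("clientId must not contain ':'", nameof(clientId));
        string credentials = $"{clientId}:{clientSecret}";
        byte[] bytes = Latin1.GetBytes(credentials);
        if (Latin1.GetString(bytes) != credentials)
            throw new ArgumentException("credentials contain characters outside ISO-8859-1");
        return "Basic " + Convert.ToBase64String(bytes);
    }

    // Inverse of BasicHeaderValue. Only the first ':' separates id and secret,
    // so the secret itself may contain ':'.
    public static (string ClientId, string ClientSecret) DecodeBasic(string headerValue)
    {
        const string prefix = "Basic ";
        if (!headerValue.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
            throw new FormatException("not a Basic credential");
        string raw = Latin1.GetString(Convert.FromBase64String(headerValue.Substring(prefix.Length)));
        int sep = raw.IndexOf(':');
        if (sep < 0) throw new FormatException("missing ':' separator");
        return (raw.Substring(0, sep), raw.Substring(sep + 1));
    }

    public static string BearerHeaderValue(string accessToken) => "Bearer " + accessToken;

    // Sends one GET with the given Authorization header value (or none) and returns the status code.
    public static async Task<HttpStatusCode> CallAsync(HttpClient http, string path, string authorization)
    {
        using var request = new HttpRequestMessage(HttpMethod.Get, path);
        if (authorization != null)
            request.Headers.TryAddWithoutValidation("Authorization", authorization);
        using var response = await http.SendAsync(request);
        return response.StatusCode;
    }

    public static async Task Main()
    {
        // Assumed configuration; none of these names come from the page.
        string baseUrl = Environment.GetEnvironmentVariable("UCOMMERCE_URL") ?? "https://localhost:44300/";
        string token = Environment.GetEnvironmentVariable("UCOMMERCE_ACCESS_TOKEN") ?? "";
        string clientId = Environment.GetEnvironmentVariable("UCOMMERCE_CLIENT_ID") ?? "";
        string clientSecret = Environment.GetEnvironmentVariable("UCOMMERCE_CLIENT_SECRET") ?? "";

        // Offline sanity check of the Basic encoding with constructed credentials.
        var (id, secret) = DecodeBasic(BasicHeaderValue("shop", "s3cr:et"));
        Console.WriteLine($"basic round-trip ok: {id == "shop" && secret == "s3cr:et"}");

        using var http = new HttpClient { BaseAddress = new Uri(baseUrl) };
        // Route paths are assumed; the controller above only declares the "api/v1" prefix.
        Console.WriteLine("bearer    " + await CallAsync(http, "api/v1/with-authentication", BearerHeaderValue(token)));
        Console.WriteLine("basic     " + await CallAsync(http, "api/v1/with-basic", BasicHeaderValue(clientId, clientSecret)));
        // A Bearer token sent to the Basic-only endpoint, and no header at all, should both be rejected.
        Console.WriteLine("mismatch  " + await CallAsync(http, "api/v1/with-basic", BearerHeaderValue(token)));
        Console.WriteLine("no header " + await CallAsync(http, "api/v1/with-authentication", null));
    }
}
```

The last two calls are worth keeping in a smoke test of your own endpoints: an endpoint restricted to one scheme must reject the other, and every endpoint must reject a request with no Authorization header, otherwise the attribute is not being applied as intended.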
NOTE This security feature is going to change in later versions of Ucommerce.