welcome to XRM blog

Keep in touch with latest CRM/ERP articles

To remain competitive your organisation must be efficient across the business process spectrum. To do so you need to take sound decisions based on a balance between the cost and risk. To do so you will be heavily dependent on your content management in itself needs...

image
Blog

Web API how to use web API and how to secure them in DNN

By Ishaan Sheikh on 8/9/2020

Why APIs?

In today’s world if we are using any service on the internet, we are consuming some sort of APIs in many ways. Even the article you are reading is coming as a response to an API request to our servers. 

Have you ever thought how you are able to see Google Maps on websites other than Google? That is where the APIs comes into picture.

When you see Google ads on different websites, Login with X on Y website, travel ticket booking applications which shows flights from multiple sources, all of these are also the response of an API request.

What is an API?

API stands for Application Programming Interface. It is an essential part of Software development. You can think of an API as a method which when called do some processing and returns a value.

APIs are the way of accessing information for different components of an application.

The APIs defines rules that must be followed in order to communicate effectively with system and get the required information.

What is a Web API?

An API that we can access over the internet using HTTP protocols is called a web API. A web API can be called using following methods – 

1. GET – Used when requesting data from server.
2. POST – Used when creating a new record on the server.
3. PUT – Used to update an item on the server.
4. DELETE – Used to delete an item from the server.

Benefits of using an API

There are a lot of benefits of using an API some of them are –

Code Sharing: We can share code between multiple websites or devices. For example, we can use the same Google map API in all our websites. And, we can consume same API for CRUD operation on website as well as on mobile app.

Flexibility: We can also make our API public so that other developers can use our API to build their custom applications. Best example of this is Google Map and Google auth API.

Easy Debugging: It is also easier to debug application since all the functionality are separated from each other in a modular fashion.

Integration: We can integrate an API to multiple platforms for example we can integrate CRM APIs to our own customized mobile app which can help us in data-sharing within both the applications.

Customizable: APIs are also customizable i.e. one can only get the data he wants by specifying parameters in the request object.

CORS: It also helps in sharing cross-origin data, i.e. data between multiple domains.

Best Practices for Web API development

There are some best practices that should be followed to make an easy to use web API. These are:

-  Endpoints should be descriptive like an endpoint to update a user should be something look like /users/:id , where :id should be replaced with appropriate user id.

-   Errors should be handled gracefully and should return proper standard status codes like 404, 500, etc.

-   A Web API should also allow filtering and pagination for a collection of objects like users, articles, products, etc.

-   Should be secure using any method like API tokens, JWT, etc.

-   Proper documentation is also an important part of API development, it should contain the endpoints description such as what type of data it accepts and sends back, what security parameters are required, etc.

-   Performance is also an important aspect of API development. Developer should also implement caching wherever required.

Web APIs in DNN

To make web API we use Services Framework in DNN. To enable web API in DNN we need to reference the following dlls –

-  DotNetNuke.dll

-  DotNetNuke.Web.dll

-  System.Net.Http.dll

-  System.Net.Http.Formatting.dll

-  System.Web.Http.dll

Now we need to access it via URL, so we need to register the controller class. To do so add the following code to the Components/RouteMapper.cs class.

using System;

using System.Collections.Generic;

using System.Linq;

using System.Web;

using DotNetNuke.Web.Api;

 

namespace Xrmlabs.Modules.ApiTest.Components

{

    public class RouteMapper : IServiceRouteMapper

    {

        public void RegisterRoutes(IMapRoute mapRouteManager)

        {

            mapRouteManager.MapHttpRoute("ApiTest", "default", "{controller}/{action}", new string[] { "Xrmlabs.Modules.ApiTest.Components" });

        }

    }

}

The RouteMapper class extends the IServiceRouteMapper class which helps in defining routes by which we can access the web API from the frontend.

Now we can start creating web APIs. Add the following code to the Components/FeatureController.cs class.

using System;

using System.Net;

using System.Net.Http;

using System.Web.Http;

using DotNetNuke.Web.Api; 

public class FeatureController : DnnApiController

{

        [HttpGet]

        public HttpResponseMessage GetData()

        {

            var data = "Test data from API";

            return Request.CreateResponse(HttpStatusCode.OK, data);

        }

}

Here the controller name is Feature which extends DnnApiController class. The HttpGet attribute defines that this method only accepts the GET requests, to make a method which accepts POST request we can replace this with [HttpPost].

To access the API go to the url ~/desktopmodules/<module-name>/API/<controller-name>/<method-name> you will see a string “Test data from API”.

Accessing URL Parameters

To accept URL parameters we can easily pass them as a parameters to the method as shown below –

        [HttpGet]

        public HttpResponseMessage GetData(int Id)

        {

            var data = "You passed: " + Id;

            return Request.CreateResponse(HttpStatusCode.OK, data);

        }

 

Securing the Web API

Security is important consideration when developing an API. An API should implement the best practices for security. Some of the possible threats are 

-   CSRF attack.

-   DOS attack

-   Broken authentication

-   Broken access control

Using built in authentication mechanism

DNN provides built-in authentication mechanism. We can implement authentication to an action using the DNNAuthorize attribute.

        [HttpGet]

        [DNNAuthorize]

        public HttpResponseMessage GetData()

        {

            var dt = "Test data from API";

            return Request.CreateResponse(HttpStatusCode.OK, dt);

     }

The above method is only accessible to the authorized users and prevents anonymous access to the API.

Protecting against CSRF

DNN has built-in functionality to prevent against CSRF (Cross-site request forgery). We can use a ValidateAntiForgeryToken attribute with the method which validates whether the CSRF token is received and valid or not.

        [HttpGet]

        [ValidateAntiForgeryToken]

        public HttpResponseMessage GetData()

        {

            var dt = "Test data from API";

            return Request.CreateResponse(HttpStatusCode.OK, dt);

     }

 

Preventing SQL injection attacks

DNN also allows us to validate the received data since it may contain some malicious content like HTML/scripts. By using ValidateInput attribute, we can prevent submitting harmful content.

Example client-side request

You can do a GET request normally like a ajax request. But to do a POST request or a request with CSRF protection enabled you have tomust pass the CSRF token along with the request headers.  

var sf = $.ServicesFramework(<%= ModuleId%>);

$.ajax({

 url: "<api-url>",

"beforeSend": sf.setModuleHeaders,

       "contentType": 'application/json; charset=UTF-8',

       "accepts": "application/json; charset=utf-8",

       "async": true,

       "success”:function(result){

       console.log(result);

}

});

After running above code, you will see the output something like below in your JavaScript console.

.Net
DotNetNuke
API In DotNetNuke
Dotnetnuke
Web API
Blog Calendar
Blog Calendar List
2020 Sep  14  3
2020 Aug  18  3
2020 Jul  9  1
2020 Jun  21  3
2020 Apr  12  3
2020 Mar  11  2
2020 Feb  22  5
2020 Jan  22  7
2019 Dec  15  4
2019 Nov  11  1
2019 Jan  31  3
2018 Dec  33  4
2018 Nov  66  3
2018 Oct  12  3
2018 Sep  237  11
2018 Aug  6  2
2018 Jun  11  1
2018 Jan  54  2
2017 Sep  552  5
2017 Aug  17  1
2017 Jul  17  2
2017 Jun  52  2
2017 May  21  1
2017 Apr  33  2
2017 Mar  118  4
2017 Feb  433  4
2016 Dec  178  3
2016 Nov  385  8
2016 Oct  247  10
2016 Sep  362  6
2016 Aug  39  1
2016 Jun  1771  6
2016 May  104  3
2016 Jan  70  2
2015 Dec  392  6
2015 Nov  4  1
2015 Oct  13  1
2015 Sep  1345  6
2015 Aug  13  1
2015 Jul  126  2
2015 Jun  10  1
2015 May  20  1
2015 Apr  28  3
2015 Mar  78  3
2015 Jan  5223  4
2014 Dec  17  1
2014 Nov  2219  4
2014 Oct  63  1
2014 Sep  106  2
2014 Aug  4252  1
2014 Jul  46  2
2014 Apr  2468  12
2014 Mar  288  19
2014 Feb  237  8
2014 Jan  1510  16
2013 Dec  21  2
2013 Nov  640  2
2013 Oct  250  3
2013 Sep  11  1
2013 Aug  38  3
2013 Jul  208  1
2013 Apr  49  6
2013 Mar  1861  10
2013 Feb  309  4
2013 Jan  265  2
2012 Nov  35  2
2012 Oct  456  10
Tag Cloud
Interested in our services? Still not sure about project details? get a quote