welcome to XRM blog

Keep in touch with latest CRM/ERP articles

To remain competitive your organisation must be efficient across the business process spectrum. To do so you need to take sound decisions based on a balance between the cost and risk. To do so you will be heavily dependent on your content management in itself needs...

image
Blog

Web API how to use web API and how to secure them in DNN

By Ishaan Sheikh on 8/9/2020

Why APIs?

In today’s world if we are using any service on the internet, we are consuming some sort of APIs in many ways. Even the article you are reading is coming as a response to an API request to our servers. 

Have you ever thought how you are able to see Google Maps on websites other than Google? That is where the APIs comes into picture.

When you see Google ads on different websites, Login with X on Y website, travel ticket booking applications which shows flights from multiple sources, all of these are also the response of an API request.

What is an API?

API stands for Application Programming Interface. It is an essential part of Software development. You can think of an API as a method which when called do some processing and returns a value.

APIs are the way of accessing information for different components of an application.

The APIs defines rules that must be followed in order to communicate effectively with system and get the required information.

What is a Web API?

An API that we can access over the internet using HTTP protocols is called a web API. A web API can be called using following methods – 

1. GET – Used when requesting data from server.
2. POST – Used when creating a new record on the server.
3. PUT – Used to update an item on the server.
4. DELETE – Used to delete an item from the server.

Benefits of using an API

There are a lot of benefits of using an API some of them are –

Code Sharing: We can share code between multiple websites or devices. For example, we can use the same Google map API in all our websites. And, we can consume same API for CRUD operation on website as well as on mobile app.

Flexibility: We can also make our API public so that other developers can use our API to build their custom applications. Best example of this is Google Map and Google auth API.

Easy Debugging: It is also easier to debug application since all the functionality are separated from each other in a modular fashion.

Integration: We can integrate an API to multiple platforms for example we can integrate CRM APIs to our own customized mobile app which can help us in data-sharing within both the applications.

Customizable: APIs are also customizable i.e. one can only get the data he wants by specifying parameters in the request object.

CORS: It also helps in sharing cross-origin data, i.e. data between multiple domains.

Best Practices for Web API development

There are some best practices that should be followed to make an easy to use web API. These are:

-  Endpoints should be descriptive like an endpoint to update a user should be something look like /users/:id , where :id should be replaced with appropriate user id.

-   Errors should be handled gracefully and should return proper standard status codes like 404, 500, etc.

-   A Web API should also allow filtering and pagination for a collection of objects like users, articles, products, etc.

-   Should be secure using any method like API tokens, JWT, etc.

-   Proper documentation is also an important part of API development, it should contain the endpoints description such as what type of data it accepts and sends back, what security parameters are required, etc.

-   Performance is also an important aspect of API development. Developer should also implement caching wherever required.

Web APIs in DNN

To make web API we use Services Framework in DNN. To enable web API in DNN we need to reference the following dlls –

-  DotNetNuke.dll

-  DotNetNuke.Web.dll

-  System.Net.Http.dll

-  System.Net.Http.Formatting.dll

-  System.Web.Http.dll

Now we need to access it via URL, so we need to register the controller class. To do so add the following code to the Components/RouteMapper.cs class.

using System;

using System.Collections.Generic;

using System.Linq;

using System.Web;

using DotNetNuke.Web.Api;

 

namespace Xrmlabs.Modules.ApiTest.Components

{

    public class RouteMapper : IServiceRouteMapper

    {

        public void RegisterRoutes(IMapRoute mapRouteManager)

        {

            mapRouteManager.MapHttpRoute("ApiTest", "default", "{controller}/{action}", new string[] { "Xrmlabs.Modules.ApiTest.Components" });

        }

    }

}

The RouteMapper class extends the IServiceRouteMapper class which helps in defining routes by which we can access the web API from the frontend.

Now we can start creating web APIs. Add the following code to the Components/FeatureController.cs class.

using System;

using System.Net;

using System.Net.Http;

using System.Web.Http;

using DotNetNuke.Web.Api; 

public class FeatureController : DnnApiController

{

        [HttpGet]

        public HttpResponseMessage GetData()

        {

            var data = "Test data from API";

            return Request.CreateResponse(HttpStatusCode.OK, data);

        }

}

Here the controller name is Feature which extends DnnApiController class. The HttpGet attribute defines that this method only accepts the GET requests, to make a method which accepts POST request we can replace this with [HttpPost].

To access the API go to the url ~/desktopmodules/<module-name>/API/<controller-name>/<method-name> you will see a string “Test data from API”.

Accessing URL Parameters

To accept URL parameters we can easily pass them as a parameters to the method as shown below –

        [HttpGet]

        public HttpResponseMessage GetData(int Id)

        {

            var data = "You passed: " + Id;

            return Request.CreateResponse(HttpStatusCode.OK, data);

        }

 

Securing the Web API

Security is important consideration when developing an API. An API should implement the best practices for security. Some of the possible threats are 

-   CSRF attack.

-   DOS attack

-   Broken authentication

-   Broken access control

Using built in authentication mechanism

DNN provides built-in authentication mechanism. We can implement authentication to an action using the DNNAuthorize attribute.

        [HttpGet]

        [DNNAuthorize]

        public HttpResponseMessage GetData()

        {

            var dt = "Test data from API";

            return Request.CreateResponse(HttpStatusCode.OK, dt);

     }

The above method is only accessible to the authorized users and prevents anonymous access to the API.

Protecting against CSRF

DNN has built-in functionality to prevent against CSRF (Cross-site request forgery). We can use a ValidateAntiForgeryToken attribute with the method which validates whether the CSRF token is received and valid or not.

        [HttpGet]

        [ValidateAntiForgeryToken]

        public HttpResponseMessage GetData()

        {

            var dt = "Test data from API";

            return Request.CreateResponse(HttpStatusCode.OK, dt);

     }

 

Preventing SQL injection attacks

DNN also allows us to validate the received data since it may contain some malicious content like HTML/scripts. By using ValidateInput attribute, we can prevent submitting harmful content.

Example client-side request

You can do a GET request normally like a ajax request. But to do a POST request or a request with CSRF protection enabled you have tomust pass the CSRF token along with the request headers.  

var sf = $.ServicesFramework(<%= ModuleId%>);

$.ajax({

 url: "<api-url>",

"beforeSend": sf.setModuleHeaders,

       "contentType": 'application/json; charset=UTF-8',

       "accepts": "application/json; charset=utf-8",

       "async": true,

       "success”:function(result){

       console.log(result);

}

});

After running above code, you will see the output something like below in your JavaScript console.

.Net
DotNetNuke
API In DotNetNuke
Dotnetnuke
Web API
Blog Calendar
Blog Calendar List
2024 Apr  18  4
2024 Mar  33  4
2024 Feb  28  3
2024 Jan  8  7
2023 Dec  14  6
2023 Nov  45  5
2023 Oct  118  12
2023 Sep  245  9
2023 Aug  63  7
2023 Jul  31  5
2023 Jun  20  4
2023 May  43  5
2023 Apr  35  5
2023 Mar  98  6
2023 Feb  111  5
2023 Jan  40  4
2022 Dec  94  7
2022 Nov  254  2
2022 Sep  13  1
2022 Aug  28  2
2022 Jun  7  2
2022 May  4  2
2022 Apr  6  2
2022 Mar  2  1
2022 Feb  2  1
2022 Jan  1  1
2021 Dec  4  1
2021 Nov  2  1
2021 Oct  2  1
2021 Sep  12  1
2021 Aug  38  5
2021 Jul  36  4
2021 Jun  1244  5
2021 May  31  3
2021 Apr  2036  3
2021 Mar  189  5
2021 Feb  2142  7
2021 Jan  3106  9
2020 Dec  446  7
2020 Sep  74  3
2020 Aug  685  3
2020 Jul  128  1
2020 Jun  75  3
2020 Apr  69  3
2020 Mar  13  2
2020 Feb  28  5
2020 Jan  34  7
2019 Dec  17  4
2019 Nov  30  1
2019 Jan  23  2
2018 Dec  71  4
2018 Nov  68  3
2018 Oct  18  3
2018 Sep  1152  11
2018 Aug  7  2
2018 Jun  14  1
2018 Jan  68  2
2017 Sep  585  5
2017 Aug  17  1
2017 Jul  17  2
2017 Jun  62  2
2017 May  21  1
2017 Apr  35  2
2017 Mar  135  4
2017 Feb  784  4
2016 Dec  204  3
2016 Nov  833  8
2016 Oct  307  10
2016 Sep  704  6
2016 Aug  39  1
2016 Jun  1876  6
2016 May  110  3
2016 Jan  71  2
2015 Dec  484  6
2015 Nov  4  1
2015 Oct  13  1
2015 Sep  1464  6
2015 Aug  14  1
2015 Jul  128  2
2015 Jun  11  1
2015 May  20  1
2015 Apr  30  3
2015 Mar  80  3
2015 Jan  5335  4
2014 Dec  17  1
2014 Nov  2257  4
2014 Oct  68  1
2014 Sep  107  2
2014 Aug  5280  1
2014 Jul  49  2
2014 Apr  2578  12
2014 Mar  301  17
2014 Feb  220  6
2014 Jan  1510  16
2013 Dec  21  2
2013 Nov  690  2
2013 Oct  256  3
2013 Sep  11  1
2013 Aug  40  3
2013 Jul  214  1
2013 Apr  57  6
2013 Mar  2292  10
2013 Feb  127  3
2013 Jan  343  2
2012 Nov  57  2
2012 Oct  499  10
Tag Cloud
Interested in our services? Still not sure about project details? get a quote