Few questions on WebAPI
Nov 23, 2020 07:58 PM|jay8anks|LINK
I'm a little out of my area here. I created my first WebAPI and have just a few questions that I haven't been able to find out via searching. I have a working WebAPI (locally and in production). It cuts the image size client side before uploading and I used this "how to": https://onezeroeight.co/code/web/compress-image-before-after-upload/#WebAPICode
1) It's all at the same domain, so I did not enable CORS as the author of the above link did. The page sending the data will have security on it and requires a login. Without CORS enabled, how secure is this WebAPI?
2) I need to make a new, unrelated WebAPI that will be accessed from a Windows .exe program. Since the program isn't at the same domain, do I have to enable CORS for this WebAPI to work?
3) The first two questions are the most important to me, but if anyone can throw their two cents in here, it would be most appreciated. The image is being transferred using Ajax and a dataURL (ajax call below). I would really like to catch the uploaded file name and send it with the dataURL, possibly another variable, as well. Can anyone suggest the best way to go about doing this? If I just get the right terminology going, sometimes it helps me search for solutions better. I got nothing on this one.
4) Again, not as important a question, but the upload page usually gets images, but sometimes a PDF. Obviously, not going to process that client side and compress it. Anyone care to suggest how they would separate out the PDF? I'm not sure it even needs to go to the WebAPI, as the current upload page handles it just fine at this point. However, it might be cleaner to send it all to the WebAPI, so all the code is in the same place.
Again, someone's input would be much appreciated. Thanks,
Re: Few questions on WebAPI
Nov 23, 2020 09:11 PM|mgebhard|LINK
Securing Web API is covered in the official docs.
https://docs.microsoft.com/en-us/aspnet/core/security/authentication/?view=aspnetcore-5.0
https://docs.microsoft.com/en-us/aspnet/core/security/authorization/introduction?view=aspnetcore-5.0
There are many ways to secure Web API. Probably the easiest is basic authentication if only the web app accesses the Web API. Another common method is using JWT tokens. The framework comes with libraries to handle JWT if you go that direction.
CORS only affects browsers.
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
You did not provide the actual code. Usually the file name is part of the HTTP request and uploaded along with the file. Any beginning level tutorial on file upload covers this.
https://docs.microsoft.com/en-us/aspnet/core/mvc/models/file-uploads?view=aspnetcore-5.0
The file extension identifies the file type.
Re: Few questions on WebAPI
Nov 23, 2020 10:37 PM|bruce (sqlwork.com)|LINK
As you are doing a form post, to pass more data just use query's standard data format:
Re: Few questions on WebAPI
Nov 24, 2020 11:56 PM|jay8anks|LINK
I got it to pass the file name to the WebAPI. I had a couple of issues, but the main one was I had a few test scripts on the same page and was actually working on the wrong script (D'oh). Basically, just added it to the string with a character to use to split the string and get my file name out. Then passed the rest of the dataURL on to get the image out.
Other thing was, I had another working ajax script that did it by passing an object. I never could get this way to work and pass the dataURL at the same time. Just wasn't happening.
Thanks,
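An added example, not code from this thread or the linked demo: one way the receiving side could handle the "file name + separator + dataURL" string described above, checking the decoded bytes against the declared type instead of trusting the name. It is written for Node.js rather than ASP.NET, and the separator, allow-list and function names are assumptions.

```javascript
// Hypothetical names throughout (SEP, ALLOWED, parseUpload); "|" is an assumed separator.
const SEP = "|";

// Declared MIME type -> extensions accepted for it and the leading bytes the content must have.
const ALLOWED = {
  "image/jpeg": { exts: ["jpg", "jpeg"], magic: [0xff, 0xd8, 0xff] },
  "image/png": { exts: ["png"], magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  "application/pdf": { exts: ["pdf"], magic: [0x25, 0x50, 0x44, 0x46, 0x2d] }, // "%PDF-"
};

function parseUpload(payload, maxBytes = 5 * 1024 * 1024) {
  const cut = payload.indexOf(SEP); // split on the first separator only
  if (cut < 1) return { ok: false, reason: "missing file name" };

  // Drop any client-supplied directory part, then allow only a conservative character set.
  const name = payload.slice(0, cut).split(/[\\/]/).pop();
  if (!/^[A-Za-z0-9][A-Za-z0-9._ -]{0,99}$/.test(name)) {
    return { ok: false, reason: "bad file name" };
  }

  const m = /^data:([a-z]+\/[a-z0-9.+-]+);base64,([A-Za-z0-9+/]+={0,2})$/
    .exec(payload.slice(cut + 1));
  if (!m) return { ok: false, reason: "bad data URL" };

  const rule = ALLOWED[m[1]];
  if (!rule) return { ok: false, reason: "type not allowed" };
  const ext = name.includes(".") ? name.split(".").pop().toLowerCase() : "";
  if (!rule.exts.includes(ext)) return { ok: false, reason: "extension mismatch" };

  // Reject oversized bodies before decoding them.
  if (m[2].length > Math.ceil(maxBytes / 3) * 4) return { ok: false, reason: "too large" };
  const bytes = Buffer.from(m[2], "base64");

  // The name and the declared type are client-controlled; the leading bytes must agree.
  if (!rule.magic.every((b, i) => bytes[i] === b)) {
    return { ok: false, reason: "content mismatch" };
  }
  return { ok: true, name, mime: m[1], bytes };
}

// Constructed sample: the 8-byte PNG signature plus four zero bytes, base64-encoded.
const samplePng = Buffer.from(
  [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0]).toString("base64");
console.log(parseUpload("C:\\fakepath\\photo.png|data:image/png;base64," + samplePng));
```

The same function separates the PDF case from the image case by returning the verified `mime`, so the caller can branch on that value.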
Re: Few questions on WebAPI
Nov 25, 2020 12:10 AM|jay8anks|LINK
I actually looked at a few of those links before posting here. My line of thinking is that since nobody could get to the upload page without logging in -- plus access to the page is controlled by role -- that it should be fairly secure...plus without CORS on, any call made would have to come from within my own domain.
To be clear: if someone knew to send a dataURL of an image to http://mydomain/api/image then it would actually work and anyone on the Internet could possibly upload an image this way?
Am I misunderstanding what CORS actually does?
Thanks,
Re: Few questions on WebAPI
Nov 25, 2020 12:31 AM|mgebhard|LINK
Yes.
CORS only works in a browser with AJAX. Any code-based client, like .exe apps, can still access Web API.
Re: Few questions on WebAPI
Nov 29, 2020 07:16 PM|jay8anks|LINK
I actually read the link you suggested before posting here. I missed the [Authorize] attribute somehow. That was super easy and does exactly what I want. For the .exe file I'm stuck working on, I came up with passing an encrypted, expiring token. Should work fine for my purposes.
Thanks,
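An added example, not the poster's implementation: a minimal sketch of an "encrypted, expiring token" of the kind mentioned above, using AES-256-GCM so that the token is both confidential and tamper-evident, with expiry enforced on the server's clock. It is written for Node.js rather than .NET; the token layout, claim names and function names are assumptions.

```javascript
const crypto = require("crypto");

// Token layout (constructed for this example): base64url(iv[12] | tag[16] | ciphertext).
function issueToken(key, clientId, ttlSeconds, nowMs = Date.now()) {
  const iv = crypto.randomBytes(12); // fresh nonce per token; never reuse with the same key
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const claims = JSON.stringify({ sub: clientId, exp: Math.floor(nowMs / 1000) + ttlSeconds });
  const ct = Buffer.concat([cipher.update(claims, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64url");
}

// Server side: decrypt, authenticate, then enforce expiry against the server's own clock.
function verifyToken(key, token, nowMs = Date.now()) {
  try {
    const raw = Buffer.from(String(token), "base64url");
    if (raw.length <= 28) return { ok: false, reason: "malformed" };
    const decipher = crypto.createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
    decipher.setAuthTag(raw.subarray(12, 28));
    const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    const claims = JSON.parse(plain.toString("utf8"));
    if (typeof claims.exp !== "number" || nowMs / 1000 >= claims.exp) {
      return { ok: false, reason: "expired" };
    }
    return { ok: true, sub: claims.sub };
  } catch {
    return { ok: false, reason: "invalid" }; // wrong key, tampered bytes, or bad JSON
  }
}

// Constructed demo values: a random key stands in for one loaded from protected storage.
const demoKey = crypto.randomBytes(32);
const demoToken = issueToken(demoKey, "desktop-client-01", 300);
console.log(verifyToken(demoKey, demoToken));                // accepted
console.log(verifyToken(crypto.randomBytes(32), demoToken)); // rejected: wrong key
```

A key shipped inside an .exe can be recovered by anyone who has the binary, so what the token authorizes should be scoped with that in mind.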
Re: Few questions on WebAPI
Nov 29, 2020 07:22 PM|jay8anks|LINK
If anyone is interested, I uploaded a working demo here: https://github.com/jay8anks/ImgResizeAndUpload
It resizes an image client side before uploading it. If the file is a pdf, it just uploads it.
In addition to OneZeroEight's code, it adds:
(It does not make thumbnails of PDFs. That's a pain). :)