C# 2w ago
Wasted

App structure

Do modern web apps run on top of an API? Is this to make native versions of the same app easier, as we just make some kind of frontend? If so, do we just access the API the same way, via GET, POST etc. requests?
6 Replies
VoidPointer 2w ago
Some web apps run against APIs, but by no means all of them. Many are "full stack", which means the data access, security, logging, and generation of HTML for the front end. Where a web app does run against an API, it would normally, but not always, use REST principles and fetch pages with GET and submit forms via POST or PUT.
Wasted OP 2w ago
Sounds like the existing apps I maintain. Work wants to replace one with a web app and mobile version. Should they be separated in such a way that access to all data and processing is via a common API? The main thing I'm now sure about is security for the API.
blinkbat 2w ago
so you don't know how to secure an api?
Wasted OP 2w ago
Not yet, have never made an API. The apps I maintain are in house and are rather old. I have worked out how to use identity and get a JWT token, but I don't know how to use it for anything. Don't know how to use roles and claims either. There would be a lot of things I know how to do manually that have been simplified or automated that I know nothing about.
VoidPointer 2w ago
Important advice on API security: Don't do it yourself! There are all sorts of ways of securing APIs built into ASP.NET. One of the most common schemes for securing an API that developers come up with themselves, or read about in the wrong places, is the API Key scheme, where the caller sends the API a secret key by whatever means, usually a header or query parameter, and the API checks if the key is correct, and if so, allows the API call. Makes sense, right? At a high, abstract level it does, but at a practical level, it is a terrible, insecure way of securing an API. Have a look at this MS resource for an overview of all the ways of securing a web API that are supported by ASP.NET and are one hell of a lot more secure than doing things yourself. https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/
Wasted OP 7d ago
Ok, will look into that. Is there a good resource or tutorial for adding identity to an existing Blazor server app without using scaffolding and with identity working on the API using entity? I can't seem to get the actual sign in bit working, the rest works such as registering users and adding roles, but getting the authorization working in razor pages doesn't.
