welcome to XRM blog

Keep in touch with latest CRM/ERP articles

To remain competitive your organisation must be efficient across the business process spectrum. To do so you need to take sound decisions based on a balance between the cost and risk. To do so you will be heavily dependent on your content management in itself needs...

image
Blog

Web API how to use web API and how to secure them in DNN

By Ishaan Sheikh on 8/9/2020

Why APIs?

In today’s world if we are using any service on the internet, we are consuming some sort of APIs in many ways. Even the article you are reading is coming as a response to an API request to our servers. 

Have you ever thought how you are able to see Google Maps on websites other than Google? That is where the APIs comes into picture.

When you see Google ads on different websites, Login with X on Y website, travel ticket booking applications which shows flights from multiple sources, all of these are also the response of an API request.

What is an API?

API stands for Application Programming Interface. It is an essential part of Software development. You can think of an API as a method which when called do some processing and returns a value.

APIs are the way of accessing information for different components of an application.

The APIs defines rules that must be followed in order to communicate effectively with system and get the required information.

What is a Web API?

An API that we can access over the internet using HTTP protocols is called a web API. A web API can be called using following methods – 

1. GET – Used when requesting data from server.
2. POST – Used when creating a new record on the server.
3. PUT – Used to update an item on the server.
4. DELETE – Used to delete an item from the server.

Benefits of using an API

There are a lot of benefits of using an API some of them are –

Code Sharing: We can share code between multiple websites or devices. For example, we can use the same Google map API in all our websites. And, we can consume same API for CRUD operation on website as well as on mobile app.

Flexibility: We can also make our API public so that other developers can use our API to build their custom applications. Best example of this is Google Map and Google auth API.

Easy Debugging: It is also easier to debug application since all the functionality are separated from each other in a modular fashion.

Integration: We can integrate an API to multiple platforms for example we can integrate CRM APIs to our own customized mobile app which can help us in data-sharing within both the applications.

Customizable: APIs are also customizable i.e. one can only get the data he wants by specifying parameters in the request object.

CORS: It also helps in sharing cross-origin data, i.e. data between multiple domains.

Best Practices for Web API development

There are some best practices that should be followed to make an easy to use web API. These are:

-  Endpoints should be descriptive like an endpoint to update a user should be something look like /users/:id , where :id should be replaced with appropriate user id.

-   Errors should be handled gracefully and should return proper standard status codes like 404, 500, etc.

-   A Web API should also allow filtering and pagination for a collection of objects like users, articles, products, etc.

-   Should be secure using any method like API tokens, JWT, etc.

-   Proper documentation is also an important part of API development, it should contain the endpoints description such as what type of data it accepts and sends back, what security parameters are required, etc.

-   Performance is also an important aspect of API development. Developer should also implement caching wherever required.

Web APIs in DNN

To make web API we use Services Framework in DNN. To enable web API in DNN we need to reference the following dlls –

-  DotNetNuke.dll

-  DotNetNuke.Web.dll

-  System.Net.Http.dll

-  System.Net.Http.Formatting.dll

-  System.Web.Http.dll

 

Now we need to access it via URL, so we need to register the controller class. To do so add the following code to the Components/RouteMapper.cs class.

 

using System;

using System.Collections.Generic;

using System.Linq;

using System.Web;

using DotNetNuke.Web.Api;

 

namespace Xrmlabs.Modules.ApiTest.Components

{

    public class RouteMapper : IServiceRouteMapper

    {

        public void RegisterRoutes(IMapRoute mapRouteManager)

        {

            mapRouteManager.MapHttpRoute("ApiTest", "default", "{controller}/{action}", new string[] { "Xrmlabs.Modules.ApiTest.Components" });

        }

    }

}

The RouteMapper class extends the IServiceRouteMapper class which helps in defining routes by which we can access the web API from the frontend.

Now we can start creating web APIs. Add the following code to the Components/FeatureController.cs class.

using System;

using System.Net;

using System.Net.Http;

using System.Web.Http;

using DotNetNuke.Web.Api; 

public class FeatureController : DnnApiController

{

        [HttpGet]

        public HttpResponseMessage GetData()

        {

            var data = "Test data from API";

            return Request.CreateResponse(HttpStatusCode.OK, data);

        }

}

Here the controller name is Feature which extends DnnApiController class. The HttpGet attribute defines that this method only accepts the GET requests, to make a method which accepts POST request we can replace this with [HttpPost].

To access the API go to the url ~/desktopmodules/<module-name>/API/<controller-name>/<method-name> you will see a string “Test data from API”.

Accessing URL Parameters

To accept URL parameters we can easily pass them as a parameters to the method as shown below –

        [HttpGet]

        public HttpResponseMessage GetData(int Id)

        {

            var data = "You passed: " + Id;

            return Request.CreateResponse(HttpStatusCode.OK, data);

        }

 

Securing the Web API

Security is important consideration when developing an API. An API should implement the best practices for security. Some of the possible threats are 

-   CSRF attack.

-   DOS attack

-   Broken authentication

-   Broken access control

Using built in authentication mechanism

DNN provides built-in authentication mechanism. We can implement authentication to an action using the DNNAuthorize attribute.

        [HttpGet]

        [DNNAuthorize]

        public HttpResponseMessage GetData()

        {

            var dt = "Test data from API";

            return Request.CreateResponse(HttpStatusCode.OK, dt);

     }

The above method is only accessible to the authorized users and prevents anonymous access to the API.

 

Protecting against CSRF

DNN has built-in functionality to prevent against CSRF (Cross-site request forgery). We can use a ValidateAntiForgeryToken attribute with the method which validates whether the CSRF token is received and valid or not.

        [HttpGet]

        [ValidateAntiForgeryToken]

        public HttpResponseMessage GetData()

        {

            var dt = "Test data from API";

            return Request.CreateResponse(HttpStatusCode.OK, dt);

     }

 

Preventing SQL injection attacks

DNN also allows us to validate the received data since it may contain some malicious content like HTML/scripts. By using ValidateInput attribute, we can prevent submitting harmful content.

 

Example client-side request

You can do a GET request normally like a ajax request. But to do a POST request or a request with CSRF protection enabled you have tomust pass the CSRF token along with the request headers.  

 

var sf = $.ServicesFramework(<%= ModuleId%>);

$.ajax({

 url: "<api-url>",

"beforeSend": sf.setModuleHeaders,

       "contentType": 'application/json; charset=UTF-8',

       "accepts": "application/json; charset=utf-8",

       "async": true,

       "success”:function(result){

       console.log(result);

}

});

After running above code, you will see the output something like below in your JavaScript console.

.Net
DotNetNuke
API In DotNetNuke
ContentManagement
DNNPlatform
Dotnetnuke
Web API
WebDevelopment
Blog Calendar
Blog Calendar List
2024 Nov  4  1
2024 Aug  4  1
2024 Apr  45  4
2024 Mar  129  4
2024 Feb  224  3
2024 Jan  29  7
2023 Dec  24  6
2023 Nov  351  5
2023 Oct  474  12
2023 Sep  1202  9
2023 Aug  313  6
2023 Jul  46  6
2023 Jun  26  4
2023 May  44  5
2023 Apr  66  5
2023 Mar  182  6
2023 Feb  158  5
2023 Jan  65  4
2022 Dec  95  7
2022 Nov  282  2
2022 Sep  13  1
2022 Aug  32  2
2022 Jun  11  2
2022 May  6  2
2022 Apr  12  2
2022 Mar  2  1
2022 Feb  2  1
2022 Jan  1  1
2021 Dec  4  1
2021 Nov  2  1
2021 Oct  2  1
2021 Sep  14  1
2021 Aug  49  5
2021 Jul  50  4
2021 Jun  1657  5
2021 May  40  3
2021 Apr  2202  3
2021 Mar  208  5
2021 Feb  2553  7
2021 Jan  3769  9
2020 Dec  520  7
2020 Sep  80  3
2020 Aug  767  3
2020 Jul  134  1
2020 Jun  93  3
2020 Apr  89  3
2020 Mar  19  2
2020 Feb  34  5
2020 Jan  47  7
2019 Dec  17  4
2019 Nov  38  1
2019 Jan  23  2
2018 Dec  110  4
2018 Nov  68  3
2018 Oct  18  3
2018 Sep  1221  11
2018 Aug  7  2
2018 Jun  18  1
2018 Jan  70  2
2017 Sep  588  5
2017 Aug  17  1
2017 Jul  17  2
2017 Jun  64  2
2017 May  21  1
2017 Apr  38  2
2017 Mar  138  4
2017 Feb  830  4
2016 Dec  207  3
2016 Nov  917  8
2016 Oct  317  10
2016 Sep  772  6
2016 Aug  39  1
2016 Jun  1883  6
2016 May  112  3
2016 Jan  72  2
2015 Dec  640  6
2015 Nov  4  1
2015 Oct  13  1
2015 Sep  1471  6
2015 Aug  14  1
2015 Jul  129  2
2015 Jun  11  1
2015 May  20  1
2015 Apr  30  3
2015 Mar  80  3
2015 Jan  5343  4
2014 Dec  17  1
2014 Nov  2260  4
2014 Oct  69  1
2014 Sep  107  2
2014 Aug  5319  1
2014 Jul  49  2
2014 Apr  2592  12
2014 Mar  303  17
2014 Feb  222  6
2014 Jan  1510  16
2013 Dec  21  2
2013 Nov  693  2
2013 Oct  256  3
2013 Sep  11  1
2013 Aug  40  3
2013 Jul  214  1
2013 Apr  61  6
2013 Mar  2357  10
2013 Feb  131  3
2013 Jan  350  2
2012 Nov  61  2
2012 Oct  518  10
Tag Cloud
Interested in our services? Still not sure about project details? get a quote