How to design a ๐ฌ๐๐๐ฎ๐ซ๐ web API access for your website?
When we open web API access to users, we need to make sure each API call is authenticated. This means the user must be whom they claim to be.
In this post, we explore two common ways:
1. Token based authentication
2. HMAC (Hash-based Message Authentication Code) authentication
The diagram below illustrates how they work.
๐๐จ๐ค๐๐ง ๐๐๐ฌ๐๐
Step 1 - the user enters their password into the client, and the client sends the password to the Authentication Server.
Step 2 - the Authentication Server authenticates the credentials and generates a token with an expiry time.
Steps 3 and 4 - now the client can send requests to access server resources with the token in the HTTP header. This access is valid until the token expires.
๐๐๐๐ ๐๐๐ฌ๐๐
This mechanism generates a Message Authentication Code (signature) by using a hash function (SHA256 or MD5).
Steps 1 and 2 - the server generates two keys, one is Public APP ID (public key) and the other one is API Key (private key).
Step 3 - we now generate a HMAC signature on the client side (hmac A). This signature is generated with a set of attributes listed in the diagram.
Step 4 - the client sends requests to access server resources with hmac A in the HTTP header.
Step 5 - the server receives the request which contains the request data and the authentication header. It extracts the necessary attributes from the request and uses the API key thatโs stored on the server side to generate a signature (hmac B.)
Steps 6 and 7 - the server compares hmac A (generated on the client side) and hmac B (generated on the server side). If they are matched, the requested resource will be returned to the client.
Question - How does HMAC authentication ensure data integrity? Why do we include โrequest timestampโ in HMAC signature generation?
--
Subscribe to our weekly newsletter to get a Free System Design PDF (158 pages): https://t.co/eVEdOFSYPY
Have you ever faced issues because "Path.GetExtension" doesnโt return the actual extension that Windows APIs deal with due to path normalization differences?
#dotnet#csharp
Entity Framework SQL Query Plan Visualizer ๐๐ป
The EFCore.Visualizer Visual Studio extension looks like it could be a game changer.
It allows us to view the query plan of our SQL queries directly inside VS.
Will you try it?
#dotnet
C# Access Modifiers summary table
I got this summary table from MS learn.
It's definitely worth a bookmark.
Note the file access modifier is new from C# 11.
#dotnet
How to implement jobs in .NET?
Did you hear about Hangfire?
Let's learn something ๐
Hangfire is an open-source library for .NET that provides a simple way to perform background processing in your application.
It allows you to run jobs (methods or functions) asynchronously and schedule them to run at a specific time or regularly.
Background job types:
โข ๐๐ถ๐ฟ๐ฒ-๐ฎ๐ป๐ฑ-๐ณ๐ผ๐ฟ๐ด๐ฒ๐
These are jobs that are executed once and then forgotten. They are used for tasks that need to be performed in the background, but the result doesn't need to be returned to the application immediately.
โข ๐๐ฒ๐น๐ฎ๐๐ฒ๐ฑ ๐ท๐ผ๏ฟฝ๏ฟฝ๏ฟฝ๏ฟฝ๐
These are jobs that are scheduled to run at a specific time in the future. You can use them to schedule tasks that need to be performed at a specific time, such as sending a reminder email to a user.
โข ๐ฅ๐ฒ๐ฐ๐๐ฟ๐ฟ๐ถ๐ป๐ด ๐ท๐ผ๐ฏ๐
These are jobs that are scheduled to run repeatedly at a specified interval. You can use them to automate tasks that need to be performed regularly, such as generating reports or performing database cleanup.
โข ๐๐ผ๐ป๐๐ถ๐ป๐๐ฎ๐๐ถ๐ผ๐ป๐
These are jobs that are executed after a previous job has been completed. You can use them to create a sequence of jobs that need to be performed in a specific order.
๐ช๐ต๐ ๐'๐บ ๐๐๐ถ๐ป๐ด ๐๐ฎ๐ป๐ด๐ณ๐ถ๐ฟ๐ฒ?
Simplicity - With just a few lines of code, you can configure it to run background jobs, schedule tasks to run at a specific time or repeatedly, and monitor the progress of those tasks.
Read more here: https://t.co/7Xk1zo1uMO
Did you use it already? ๐
____
Transform your API development process with Postman Flows! Experience a new way to visually create, debug, and automate complex API workflows with ease. Dive into the future of API management and enhance your productivity https://t.co/eqQDSsM5Gl.
#Dotnet
There's a small new little feature in C# 12 that I think most didn't notice. You can now declare empty class, record and interface types without specifying a body at all, just with a semicolon token. It's not even called out in the docs, I should go update them ๐
#csharp#dotnet
Entity Framework AsSplitQuery benchmark
If you are doing a lot of Includes() with your LINQ queries consider benchmarking AsSplitQuery to force EF to send separate queries and then join the data back together on the client side.
#dotnet
Built-in OpenAPI doc generation in .NET 9 โค
ASP .NET Preview 4 will have OpenAPI doc generation capabilities. Swashbuckle is awesome but it's nice to have this built in now.
What do you think?
#dotnet