Anti-Forgery Token Web Api 2

I have an AccountController for my Api website that uses the default implementation for login:

// POST: /Account/Login
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
{
    if (!ModelState.IsValid)
    {
        return View(model);
    }

    // This doesn't count login failures towards account lockout
    // To enable password failures to trigger account lockout, change to shouldLockout: true
    var result = await SignInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, shouldLockout: false);
    switch (result)
    {
        case SignInStatus.Success:
            return RedirectToLocal(returnUrl);
        case SignInStatus.LockedOut:
            return View("Lockout");
        case SignInStatus.RequiresVerification:
            return RedirectToAction("SendCode", new { ReturnUrl = returnUrl, RememberMe = model.RememberMe });
        case SignInStatus.Failure:
        default:
            ModelState.AddModelError("", "Invalid login attempt.");
            return View(model);
    }
}

This works well for the web, but if I use a client application, for example UWP or Xamarin, it becomes a problem if I want to log in without using a WebView, because it looks like the Web API is tied to the web: it relies on an anti-forgery token that is generated in the view and sent back on submit. Let's say I want this client application to just use text fields and a submit button to log in, like most mobile applications that I see. They usually do not use a WebView.

, -? DRY , .


, -, POST /Token ApplicationOAuthProvider, . . packexchange:

WebAPI [],

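As an added example (not code from the question or the answer), this is how a native client such as UWP or Xamarin logs in against the Web API 2 Individual Accounts template's /Token endpoint (served by ApplicationOAuthProvider) instead of posting the MVC Login form, so no anti-forgery token is involved; the host name and the template's api/Account/UserInfo route are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

// Native-client login for the Web API 2 "Individual Accounts" template.
// The MVC Login action needs the anti-forgery token rendered into the view;
// the OWIN token endpoint does not, because it is not a cookie-driven form post.
public static class TokenClient
{
    // Hypothetical base address; substitute the real Web API host.
    private static readonly Uri BaseAddress = new Uri("https://api.example.test/");

    public static async Task<string> LoginAsync(HttpClient http, string email, string password)
    {
        // ApplicationOAuthProvider expects the OAuth2 password grant as form fields.
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "password",
            ["username"] = email,
            ["password"] = password,
        });

        using (var response = await http.PostAsync(new Uri(BaseAddress, "Token"), form))
        {
            var body = await response.Content.ReadAsStringAsync();
            // Bad credentials come back as HTTP 400 with {"error":"invalid_grant"}.
            if (!response.IsSuccessStatusCode)
                throw new UnauthorizedAccessException("Login failed: " + body);

            return (string)JObject.Parse(body)["access_token"];
        }
    }

    public static async Task<string> GetUserInfoAsync(HttpClient http, string accessToken)
    {
        // The bearer token is sent in an explicit header the client sets itself,
        // not in an ambient cookie the browser would attach, so CSRF does not apply.
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", accessToken);
        return await http.GetStringAsync(new Uri(BaseAddress, "api/Account/UserInfo"));
    }
}
```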

Source: https://habr.com/ru/post/1016259/
