User name in Url asp.net - c#

I'm about to start my new project and have an architecture problem. I want each user to have their own link to their personal profile.
Like this: Localhost/user/MyRandomUserName
So when I actually click on the link, I'm going to have to find MyRandomUser in the DB and replace the string with the actual GUID of the user.
The website will have the possibility to log on with Facebook and Gmail accounts (to make it easier to access the webpage), so there will be the possibility of duplicates of the same names.
The problem is, how smart is it to put the user name as an "id" in the URL?
I can see YouTube does something similar, but how does it work?

Website will have possibility to log on with facebook and gmail accounts
You will have an ID from Gmail or Facebook for login, which should be unique, and you will ask the user to give a unique name for your site which will be served as the URL; if he does not, you can show the GUID instead of the name.

You can use asp.net routing. Read this article for more details:
http://msdn.microsoft.com/en-us/library/cc668201(v=vs.100).aspx
You can extend the user profile with a unique ID that is not the userId and then use it.
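An added example (not code from either answer) of the "unique name with GUID fallback" idea: a URL-safe handle is derived from the provider's display name, de-duplicated against the database, and resolved through an ASP.NET MVC route. `LookupBySlug`, the `Reserved` list and the slug length limits are assumptions, not anything from the question.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web.Mvc;
using System.Web.Routing;

public static class UserSlug
{
    // URL-safe handle: lowercase letters, digits and hyphens, 3..28 chars (room for a "-NN" suffix).
    private static readonly Regex Valid = new Regex("^[a-z0-9][a-z0-9-]{1,26}[a-z0-9]$");
    private static readonly string[] Reserved = { "admin", "login", "logout", "api", "user" };

    public static bool IsValid(string slug)
    {
        return slug != null && Valid.IsMatch(slug) && Array.IndexOf(Reserved, slug) < 0;
    }

    // Derive a handle from the display name the OAuth provider gave us; exists() is the
    // caller's DB lookup, so two users called "John Smith" end up as john-smith and john-smith-2.
    public static string Generate(string displayName, Func<string, bool> exists)
    {
        string baseSlug = Regex.Replace((displayName ?? "").ToLowerInvariant(), "[^a-z0-9]+", "-").Trim('-');
        if (baseSlug.Length > 28) baseSlug = baseSlug.Substring(0, 28).Trim('-');
        if (!IsValid(baseSlug)) baseSlug = "u-" + Guid.NewGuid().ToString("N").Substring(0, 12); // unusable name: random handle
        string candidate = baseSlug;
        for (int n = 2; exists(candidate); n++) candidate = baseSlug + "-" + n;
        return candidate;
    }
}

public class RouteConfig
{
    public static void RegisterRoutes(RouteCollection routes)
    {
        // /user/{slug} -> UserController.Profile; the constraint rejects junk before any DB call
        routes.MapRoute("UserProfile", "user/{slug}",
            new { controller = "User", action = "Profile" },
            new { slug = "[a-z0-9-]{3,32}" });
    }
}

public class UserController : Controller
{
    // Hypothetical lookup: slug -> internal Guid; the Guid itself never appears in a URL.
    public static Func<string, Guid?> LookupBySlug = s => null;

    public ActionResult Profile(string slug)
    {
        Guid? userId = UserSlug.IsValid(slug) ? LookupBySlug(slug) : null;
        if (userId == null) return HttpNotFound();   // unknown or reserved handle: plain 404
        return View(userId.Value);                    // the view loads profile data by the real key
    }
}
```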


RESTful API Design - same path different roles

I'm currently working on a RESTful API, which has to give access to two different roles: Admin and User. (I'm working with Azure AD App Roles)
My problem is that I don't understand how I can design the controller logic.
For example, I want both (admin and user) to access the endpoint /books, but the admin is allowed to see all books and the user is only allowed to see his books.
What is the best practice to give both the allowed access? I thought of splitting it into two endpoints like this:
/books -> with annotation [Authorize(Roles="Admin")]
/user/{id}/books -> with annotation [Authorize(Roles="User")]
Thanks for helping!
Best regards
I think this sample may be of some help. And if you need a sample written in other languages, you can refer to this document to find a suitable one.
And in your case, I think the most important thing is to find out the way to execute the right query and make the query result return to the correct user.
So whether you set a specific URL for each user (I don't think it is a good idea to expose the user id in the request link), or you hide the user role/id in the token contained in the request header, you will still need to write logic to check which query method needs to run. For example, hit domain:port/books with an access token; then your filter catches this request and decodes the token to know the user id and user role, and maybe saves them in the session; then your controller may check the value stored in the session and choose the right query to get the books information.
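The single-endpoint approach the answer describes, as an added example (not the answerer's code) in ASP.NET Core: one /books route, with the scope of the query decided by the caller's validated token rather than by anything in the URL. The `Book` type, the in-memory store and the use of `ClaimTypes.NameIdentifier` as the caller's id are assumptions; which claim carries the user id (sub or oid) depends on how the JWT handler is configured.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public class Book
{
    public int Id { get; set; }
    public string Title { get; set; } = "";
    public string OwnerId { get; set; } = "";   // id claim value of the owning user
}

[ApiController]
[Route("books")]
[Authorize(Roles = "Admin,User")]   // both app roles may call; each action narrows the result
public class BooksController : ControllerBase
{
    // Hypothetical in-memory store standing in for the database.
    private readonly IReadOnlyList<Book> _books;
    public BooksController(IReadOnlyList<Book> books) { _books = books; }

    // Caller identity comes from the validated bearer token, never from the URL or body.
    private string? CallerId() => User.FindFirstValue(ClaimTypes.NameIdentifier);

    [HttpGet]
    public ActionResult<IEnumerable<Book>> Get()
    {
        // Azure AD app roles arrive in the "roles" claim; with the JWT handler's
        // RoleClaimType set to "roles", IsInRole checks them directly.
        if (User.IsInRole("Admin")) return Ok(_books);

        string? me = CallerId();
        if (me == null) return Forbid();                 // token carries no usable identity
        return Ok(_books.Where(b => b.OwnerId == me));   // same path, narrower query
    }

    [HttpGet("{id:int}")]
    public ActionResult<Book> GetOne(int id)
    {
        Book? book = _books.FirstOrDefault(b => b.Id == id);
        // Non-admins get 404 for other people's books, so ids cannot be enumerated via 403s.
        if (book == null || (!User.IsInRole("Admin") && book.OwnerId != CallerId()))
            return NotFound();
        return Ok(book);
    }
}
```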

Session - Login to view user data

Before I start I would like to state that I am very VERY new to ASP.NET and C#, and programming in general really. I have created a web application with a login page looking to a custom database containing the user's data as well as their login details. I did this rather than using the ASP.NET Membership as there are complications using this over my college's network.
As the table contains many records of user data, what I would like to do is have a user log into the app and (based on their login details) allow them to view JUST their details from the table I have created, as there are many records of user data.
Am I correct that I should create a session based on their username and password and with this, somehow match it to their record in the table using SQL, which will display ONLY their data rather than the whole table being displayed?
If this is the case, I really don't have a clue how to implement this.
I am aware that this will be very insecure but the users are all fictional and this app will not be published to the web. I just want it to work in the simplest form for my assignment and I'll cover the security aspects in my report and state how it could be improved.
Any advice would be greatly appreciated, Cheers.
Whenever you find a user's credentials valid enough for login, add some/all of his credentials to the current session like this:
Session.Add("sessionvariablename",textBoxLogin.Text);
On the other page, the one that comes after logging in, check the following:
// "as string" yields null instead of throwing when the session value is missing
if ((Session["sessionvariablename"] as string) == "xyz")
{
    // do whatever you want
}
You may not want to add sensitive information to the session for security reasons. Use Guid.NewGuid() to create a unique 32-character hexadecimal code for each user and store it in the session.
You should have a row in your table with a unique identifier, like ID or userNr or something similar. Make it an integer, set it to primary key, and then set its identity specification (Is Identity) to Yes by double clicking on it (I am presuming that you are using Visual Studio).
When the user has submitted their login info and they check out, you save their unique identifier in a session.
When you need to pull out information specific to the user in question, you use SQL WHERE ID (or userNr) is equal to the session id.
Hope this is what you needed; it's my first answer here, so I would like to be helpful.
If I'm getting it right, using username and password as session parameters will work, but it's not the best idea. Normally your table with users contains a kind of unique identifier for each record (GUID or autoincrement id). You may use this identifier as a session parameter.
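An added Web Forms example (not code from any of the answers) of the pattern the last two answers recommend: validate the login with a parameterised query, keep only the row's integer ID in session, and let the data page select that one row. The `Users` table layout (ID identity, Username, PasswordHash, Salt), the connection string and the control names (`txtUser`, `txtPass`, `lblError`, `gvMyData`) are assumptions.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.UI;

public partial class Login : Page
{
    public const string ConnStr = "Server=.;Database=Assignment;Integrated Security=true"; // hypothetical
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        using (var con = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("SELECT ID, PasswordHash, Salt FROM Users WHERE Username = @u", con))
        {
            cmd.Parameters.AddWithValue("@u", txtUser.Text);   // parameterised: input never joins the SQL text
            con.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (r.Read() && PasswordMatches(txtPass.Text, (byte[])r["PasswordHash"], (byte[])r["Salt"]))
                {
                    Session["UserID"] = (int)r["ID"];        // store the row key, never the password
                    Response.Redirect("~/MyData.aspx", false);
                    return;
                }
            }
        }
        lblError.Text = "Invalid username or password.";    // one message for both failure cases
    }
    // PBKDF2 check; registration stores PasswordHash = PBKDF2(password, Salt) the same way.
    private static bool PasswordMatches(string password, byte[] storedHash, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000))
        {
            byte[] computed = kdf.GetBytes(storedHash.Length);
            int diff = 0;                                      // constant-time compare
            for (int i = 0; i < computed.Length; i++) diff |= computed[i] ^ storedHash[i];
            return diff == 0;
        }
    }
}

public partial class MyData : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (Session["UserID"] == null) { Response.Redirect("~/Login.aspx"); return; }   // not logged in
        using (var con = new SqlConnection(Login.ConnStr))
        using (var cmd = new SqlCommand("SELECT * FROM Users WHERE ID = @id", con))   // only this user's row
        {
            cmd.Parameters.AddWithValue("@id", (int)Session["UserID"]);
            con.Open();
            gvMyData.DataSource = cmd.ExecuteReader(); gvMyData.DataBind();
        }
    }
}
```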

how to use a GUID to verify user email in ASP.NET C#

I'm currently working on a project where people can register and login to their own content page.
I have used a custom registration method (not the default Create User Wizard). I am capable of sending an email to the registering person's email. However, I now want to add a link to that email which people have to click in order to get their profile verified.
I have heard that you can use a GUID along with a token to do this, but I don't know how to go about implementing it, therefore I need help.
I have my user details stored in tblUsers with fields ID, Name, Password, Details, Photo, as well as a **Verify** field which I believe could be used for verification; for now it's empty and not being used.
I have created my login control using the default Login control provided by the Microsoft Visual Studio environment.
I would really be grateful if someone can help me and guide me through this; after 2 days of constant research and trying, I'm stuck on this part without being able to progress further.
Well, a better option would be encryption of the UserID, as this will not only save adding an extra column in the database but also provide easy handling. Now the question is how you will do that.
Try this: make a simple encryption logic (you can google this; it's just a few lines of code).
When creating that hyperlink, append that encrypted UserId. When the user clicks, send that to the server, decrypt and validate it against the user id. This will help you to manage users on the basis of User Id, which I hope is unique in your case.
Guid is just another option; why not use your UserID which is already unique :)
I think you could generate the GUID upon the user registration and store it in the user's table. You can also send it in the query of the link that you want to add to the e-mail.
After the user clicks the link you could require the user to log in, and you would verify whether the GUID in the query is the same as the one you have stored in your user's table. If it is, you could alter the state of the user to "verified".
Your question requires quite a few steps, but to at least start you off:
The user would register.
You'll need to query that the email address does not exist.
If it doesn't exist, you'll want to store that information in your database.
With the logic you have to store the information, you'll want to do something like this:
Guid userGuid = Guid.NewGuid();
string body = "To confirm, open http://www.somesite.com/verify/aspx?userGuid=" +
    userGuid + " to verify your account";
// on the verify page, read the value back from the query string:
string GuidToTest = Request["userGuid"];
Something like that should accommodate you; you'll have to create a structure and path to handle all of that with your domain logic and data access.
Hopefully that helps.
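An added example (not code from any of the answers) of the store-and-compare flow the second and third answers describe, using the question's tblUsers table: the link carries a random token, the database keeps only its hash plus an expiry, and one UPDATE both checks and redeems it. The columns VerifyHash (varbinary), VerifyExpires (datetime) and Verified (bit), the page name Verify.aspx and the 24-hour window are assumptions.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

public static class EmailVerification
{
    // Registration: create a random token, persist only its hash plus an expiry, and return the link to mail.
    public static string IssueLink(string conn, int userId, string siteUrl)
    {
        byte[] raw = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(raw);   // 256 random bits, not a Guid
        string token = Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        using (var con = new SqlConnection(conn))
        using (var cmd = new SqlCommand("UPDATE tblUsers SET VerifyHash=@h, VerifyExpires=@x WHERE ID=@id", con))
        {
            cmd.Parameters.AddWithValue("@h", Sha256(token));   // a DB leak must not yield usable links
            cmd.Parameters.AddWithValue("@x", DateTime.UtcNow.AddHours(24));
            cmd.Parameters.AddWithValue("@id", userId);
            con.Open();
            cmd.ExecuteNonQuery();
        }
        return siteUrl + "/Verify.aspx?uid=" + userId + "&token=" + Uri.EscapeDataString(token);
    }

    // Verify.aspx calls Confirm(conn, Request["uid"], Request["token"]). One statement does the match,
    // the expiry check and the state change, so a token can only ever be redeemed once.
    public static bool Confirm(string conn, string uidText, string token)
    {
        int userId;
        if (!int.TryParse(uidText, out userId) || string.IsNullOrEmpty(token)) return false;
        using (var con = new SqlConnection(conn))
        using (var cmd = new SqlCommand(
            "UPDATE tblUsers SET Verified=1, VerifyHash=NULL " +
            "WHERE ID=@id AND Verified=0 AND VerifyHash=@h AND VerifyExpires > @now", con))
        {
            cmd.Parameters.AddWithValue("@id", userId);
            cmd.Parameters.AddWithValue("@h", Sha256(token));
            cmd.Parameters.AddWithValue("@now", DateTime.UtcNow);
            con.Open();
            return cmd.ExecuteNonQuery() == 1;   // exactly one row flipped means a valid, unexpired token
        }
    }

    private static byte[] Sha256(string s)
    {
        using (var h = SHA256.Create()) return h.ComputeHash(Encoding.UTF8.GetBytes(s));
    }
}
```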

How to get user details from OpenID server?

I'm wanting to save some OpenID fields to a local database table, such as:
• Full Name
• openid url
• password
How do I get those attributes from the OpenID server?
Please send me some example code in ASP.NET, C#...
Assuming you'll be using DotNetOpenAuth, see these pages:
Simple Registration
AXFetchAsSregTransform
And know that for some providers like Google, the only way to get email address is to mark it as Required when you formulate the request.

Asp.net Login - Working with user data

I'm making a simple page and I need a login interface for users.
I want users to log in to the page, and when he is logged in he gets a lot of data from the database that is assigned to him alone. I did this before using a very simple data table holding the username, encrypted password and the uid. When the user logged in to the site I set the uid into a session so I could use it when I was selecting from the database.
This is probably not a safe way... easy to crack?
A better way would be using the ASP.NET login id...?
What is the best way to do this? Should I have all the user info in the ASPNETDB.MDF, and does that database work when I deploy the site on a server?
Can I use ASP.NET Configuration when I have deployed?
[Edit]
How can I use the ASP.NET login to get the userid of the currently logged-in user so I can do SQL queries for him?
I think you should read more on "ASP.NET authentication" (regarding how to implement user login/logout/get userid etc.) and on "ASP.NET authorization" (regarding security and access) and come back with specific questions. There's a standard mechanism for this.
Start with MSDN:
http://msdn.microsoft.com/en-us/library/eeyk640h.aspx
http://msdn.microsoft.com/en-us/library/wce3kxhd.aspx
The ASP.NET membership provider will likely be your best approach as it handles all of the basic plumbing which you need. The tables are quick to set up with the ASP.NET SQL Server Setup Wizard (C:\Windows\Microsoft.NET\Framework\v2.0.50727\Aspnet_regsql.exe), and the combination of the Configuration pages and out-of-the-box login controls will get you up and running quickly. I would recommend going down this path.
Regarding one of your specific questions, the logged in user's Id is stored in the ProviderUserKey. This is the value which maps to the UserId in the membership tables like aspnet_Users and others. Here's how you get the value:
using System.Web.Security;
//ProviderUserKey is an object.
//You will likely want to convert to string or Guid
MembershipUser user = Membership.GetUser();   // null when nobody is logged in, so check before use
Object userId = user.ProviderUserKey;
There really is nothing wrong with the way you are doing it, although there are easier methods.
If you are creating a login hash, and storing it in session, the users have no access to that data.
When you create a session state, all that gets sent down in a cookie is a GUID that refers to their own session, and not any of the actual data. Because of this, you can generally assume the data is protected and users can't get access to anyone else's data.