How to Structure REST API Service for POST Parameters

Tags: angularjs, Architecture, c, rest

Everything I've read says to pass parameters to a REST service in the URI, whether by template, or query string:

https://www.myapp/my/login/api/authenticate/ganders/mypassword

or

https://www.myapp/my/login/api/authenticate?user=ganders&password=mypassword

But obviously those are exposing my username and password in clear view.

Our security guy is saying that we need to pass the parameters in the body of the request. How do I do that? Examples, or just a link to an example is sufficient because apparently my googling skills are not very high.

One thing that I've found so far is that if you decorate your service methods with the attribute [FromBody], like this:

```csharp
public AuthenticationResult Authenticate([FromBody] LoginData loginData)
{
    return AuthenticationResult.Authenticated;
}
```

that will grab them from the body. My other task is trying to test this. Is this a task for Fiddler, or Chrome Dev tools?

Another thing I've found so far is that you can only have 1 parameter in the post, is that accurate?

Sorry, lots of questions here. Spent all day yesterday trying to research this and obviously didn't get very far…

Edit:

So here's what I have so far, this is the "GET" version that we need to convert to a POST (this is Angular calling C# REST API)

```javascript
$http.defaults.headers.common.Authorization = 'Basic ' + encoded;

var url = $rootScope.serviceBaseUrl + "login/get" + "?username=" + user + "&password=" + password + "&accesstoken=";

$http({method: 'Get', url: url}).success(.....).error(......);
```

And the REST service:

```csharp
[HttpGet]
public AuthenticationResult Get([FromUri] LoginModel login)
{
    try
    {
        AuthenticationService authService = new AuthenticationService();
        AuthenticationResult result = authService.IsAuthenticated(login);

        if (result.IsAuthenticated)
            return result;
        else
        {
            return new AuthenticationResult()
            {
                IsAuthenticated = false,
                User = new User()
                {
                    UserId = login.Username
                }
            };
        }
    }
    catch (Exception ex)
    {
        // Note: this sends the raw exception message back to the client in the Token field.
        return new AuthenticationResult()
        {
            IsAuthenticated = false,
            User = new User()
            {
                UserId = login.Username,
                Token = ex.Message
            }
        };
    }
}
```

Edit2: I'm getting closer. I've got the response to go through (via Fiddler), but my json array of data that I'm passing is not getting mapped to my complex type. Here's what I've got:
In Fiddler:

```http
User-Agent: Fiddler
Host: localhost:42761
Content-Length: 73
Content-Type: application/json
Accept: application/json
```

"Request Body":

```json
{
    "Username": "ganders",
    "Password": "hashedPassword"
}
```

My "LoginData" object is instantiated on the service-side, but my two properties are null…
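As an added example (not the asker's code or the accepted answer's), here is how the service side of this typically looks in ASP.NET Web API 2 when the credentials travel in a JSON body instead of the URI: a single `[FromBody]` model with public settable properties, which is what Json.NET needs to populate the object (it matches member names case-insensitively, so `"Username"` and `"username"` both bind), an explicit `[HttpPost]` action, a check that the request arrived over HTTPS, and an error path that does not echo exception text to the client. The names `LoginController`, `LoginModel`, `AuthenticationResult` and `IAuthenticationService` are placeholders assumed for the example, and the controller assumes a dependency-injection container supplies the service.

```csharp
// Added example, not code from the question. All type names below are assumed.
using System;
using System.Net;
using System.Web.Http;

public class LoginModel
{
    // Json.NET binds JSON members to public properties with public setters.
    // Fields, or properties without a setter, are left null after binding,
    // which is the classic cause of "the object is created but its properties are null".
    public string Username { get; set; }
    public string Password { get; set; }
}

public class AuthenticationResult
{
    public bool IsAuthenticated { get; set; }
    public string UserId { get; set; }
    public string Token { get; set; }
}

// Placeholder for the real credential check (assumed interface).
public interface IAuthenticationService
{
    AuthenticationResult Authenticate(string username, string password);
}

public class LoginController : ApiController
{
    private readonly IAuthenticationService _authService;

    // Assumes a DI container (e.g. a configured DependencyResolver) constructs the controller.
    public LoginController(IAuthenticationService authService)
    {
        _authService = authService;
    }

    // To test from Fiddler's Composer, send:
    //   POST https://localhost:42761/api/login
    //   Content-Type: application/json
    //
    //   { "Username": "ganders", "Password": "..." }
    //
    // Web API reads the request body stream once, so only one action parameter
    // can be [FromBody]; wrap everything the client sends in one model.
    [HttpPost]
    public IHttpActionResult Post([FromBody] LoginModel login)
    {
        // The body is hidden from URL logs and browser history, not from the network,
        // so refuse credentials that arrive over plain HTTP.
        if (!string.Equals(Request.RequestUri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
            return StatusCode(HttpStatusCode.Forbidden);

        // A missing, empty or non-JSON body leaves login == null rather than throwing.
        if (login == null || string.IsNullOrEmpty(login.Username) || string.IsNullOrEmpty(login.Password))
            return BadRequest("Username and Password are required in the JSON body.");

        try
        {
            AuthenticationResult result = _authService.Authenticate(login.Username, login.Password);

            // Same response for unknown user and wrong password: no username enumeration.
            if (!result.IsAuthenticated)
                return Unauthorized();

            return Ok(result);
        }
        catch (Exception)
        {
            // Log the exception server-side; never return ex.Message to the caller.
            return InternalServerError();
        }
    }
}
```

With this in place the Angular call becomes a `$http.post(url, { Username: user, Password: password })`, with nothing credential-related left in the query string; the `Content-Type: application/json` header is what makes Web API pick the JSON formatter for the body, so a form-encoded or untyped body will again leave the model's properties null.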

Best Answer

I'd structure it by moving it inside the JSON fields if HTTP basic auth isn't an option.

For example:

```http
POST https://my.server/login
{ "username": "user",
  "secret": "someSecureHashAndNotThePlaintextPasswordSeriouslyDontDoThat" }
```