Is there a way to create pre authenticated url's

maggarwal · April 1, 2017, 2:01am

Hi,

Is there a way to create pre authenticated url’s in servicestack? If possible then how? Also is there a way to set the expiration on them?

Thanks

mythz · April 1, 2017, 2:21am

Probably not in the way you’re thinking.

But if you specify Config.AllowSessionIdsInHttpParams=true then you can add the ss-id Session Cookies on the url, e.g ?ss-id=xxx to make authenticated requests which last as long as the user session is valid for which you can set yourself when you save the Users Session, e.g:

var session = base.Request.SessionAs<AuthUserSession>();
base.Request.SaveSession(session, TimeSpan.FromDays(expireInDays));

We also have an API Key Auth Provider which lets you generate API Keys for each User which can create individually for each user and specify when they Expire or Cancel them by storing ApiKey in the IManageApiKeys data provider API but API Keys are intentionally only configurable in the HTTP Bearer Token or Basic Auth Header so they’re not visible in the URL.

Also related but not intended for Production Use is that you configure ServiceStack with an AuthSecret which will allow you to access Services in a “super user” Admin role using the ?authsecret=secretz query string param.

maggarwal · April 1, 2017, 2:48am

Problem with session id is that it’s generated on login. Also I want to be able to differentiate between regular session id’s and one’s for pre auth url’s. Is there any other way it can be made possible?

mythz · April 1, 2017, 3:25am

The closest thing is the API Key AuthProvider which I’ve added support to Allow specifying in Query Strings and FormData in this commit which you can enable with:

new ApiKeyAuthProvider {
    AllowInHttpParams = true
}

And will let you specify the Api Key in on the QueryString like ?apikey=xxx.

It would be ideal if you can make use of the existing API Key Auth Provider as it includes built-in support for the most popular User Auth Repositories. The code sample for Generating API Keys for Existing Users shows an example of how you can use the IManageApiKeys API on existing User Auth Repositories to generate new API Keys.

Otherwise if the API Key Auth Provider isn’t suitable you’ll need to make your own Custom Auth Provider that inspects your own custom table, you can use the source code for ApiKeyAuthProvider.cs as a reference.

This change is available from v4.5.9 that’s now available on MyGet.

maggarwal · April 1, 2017, 3:35am

Is it possible to generate anonymous ApiKeys? Use case is that a user can share a document link as pre authenticated url to a user who’s not part of the system (doesn’t have any account) so that user can access that document only.

mythz · April 1, 2017, 3:38am

You could create an “anonymous” User, i.e. a User that represents and anonymous user and assign keys to that user.

maggarwal · April 1, 2017, 3:41am

That’s a good idea. Also, any way to change apikey query parameter to key or auth or something more businessy?

mythz · April 1, 2017, 3:51am

You can override it with:

Keywords.ApiKeyParam = "key";