Use some Serenity methods as REST API for public site

[rymk14]

I am looking for suggestions on the best approach to meet a project requirement I have.

We are building an application with Serenity and have the need to create a separate Angular SPA that will display the data that is managed by our Serenity / SmartSharp app. We'd like to just have the Angular app call the Serenity API methods that already exist; we can use your filter objects and handle the List results as-is.

Now we are setting up the Angular App and starting to call the Serenity APIs and running into some issues since our Angular app is public and does not require authentication. We'd like to call the Serenity REST methods as anonymous users.

After several failed attempts we were able to get Angular SPA to connect to the Serenity API method, but i am not sure if this is the recommended approach as it looks like I will bypass permissions on the entire controller and that is not the goal, we only want some methods to allow anonymous requests.

Here is our code that allows the anonymous request in and returns data from the db(without any user authentication):

public interface IProgramListHandler : IListHandler<MyRow, MyRequest, MyResponse> { }

public class ProgramListHandler : ListRequestHandler<MyRow, MyRequest, MyResponse>, IProgramListHandler
{
    public ProgramListHandler(IRequestContext context)
            : base(context)
    {
    }

    protected override void ValidatePermissions()
    {
        // Override to skip permission check
        //return true;
    }
}

and

[Route("Services/MyApp/Program/[action]")]
[ConnectionKey(typeof(MyRow)), ServiceAuthorize("*")] //, ServiceAuthorize(typeof(MyRow))]
public class ProgramEndpoint : ServiceEndpoint
{

    [HttpPost]//, AuthorizeList(typeof(MyRow))]
    [AllowAnonymous]
    [IgnoreAntiforgeryToken]
    public ListResponse<MyRow> List(IDbConnection connection, ListRequest request,
        [FromServices] IProgramListHandler handler)
    {
        return handler.List(connection, request);
    }
}

and my angular call is simple and without any sort of user auth or token:

getAllPrograms(): Observable<ProgramsResponse>
 {
     let programQuery: ProgramsQuery = new ProgramsQuery();
     programQuery.Take = 100;
     programQuery.EqualityFilter = {"ColumnTests": null, "Active":null, "Name":null};
     programQuery.IncludeColumns = ["ProgramId","PublicFacingName",
     ,"Email","PublicPhoneNumber","Website","Active"];
     return this._httpClient.post<ProgramsResponse>('Program/List', programQuery);
}

Thanks for your help. I appreciate any insight and alternative approaches to allow an anonymous Angular app to call the Serenity REST API to get data.

[LSNicholls]

I am doing something like this. But I don't put ServiceAuthorize("*") on the Controller level, actually I've left ServiceAuthorize(typeof(MyRow)) in place there. Then you can put the ServiceAuthorize("*") along with HttpPost on the single method, like an override for that method. I would have expected that to work for you as well. (I have never used [AllowAnonymous], maybe that would work too.) Does this not work for you?

[rymk14]

Thanks for your reply. It is reassuring to hear others are using similar methods to make some of the REST methods accessible. The example is working, it just felt like I make be making access to the REST methods too available.

Per your note, I'll move the [ServiceAuthorize("*")] attribute to each single method we want to make publicly accessible. This alleviates my security concerns. I'll test tonight to be sure. Thanks again!

After more testing, we realize no [AllowAnonymous] does not work and should be removed from the code I pasted above.

[LSNicholls]

I guess it depends on what you are doing whether the attribute is a security concern or not. I have made sure that the method(s) that I expose that way are very non-destructive and cannot be done in any other way.

Thank you for letting me know that [AllowAnonymous] doesn't actually work! I thought it was yet another recent Serenity feature I had overlooked!