Xamarin consuming WEB API (CORS)

I have a secure web API protected with a token, we have it CORS enabled, and we want to be sure that the API is only consumed by an Angular app and also by the Xamarin app (Android, iOS, UWP).

Normally with CORS you explicitly say which origin can consume the web API. However, the Xamarin apps are not an origin (domain name), so how can I check CORS here?

If you are using Async Web API then you could just add a check when overriding SendAsync which will force the API to validate the request before allowing it through to your actual code. Here is a mock example showing how to do this by checking for a custom user agent string coming from your Xamarin mobile app. You could obviously easily change this to check something else proprietary about your Xamarin app that comes in the request, such as another custom header etc.

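using System.Configuration;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web;

public class SecureMyApi : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Extra security stop to verify mobile app should have access to API
        var httpRequest = HttpContext.Current.Request;

        // Expected User-Agent prefix, read from appSettings; a missing setting matches nothing
        var expectedAgent = ConfigurationManager.AppSettings["MyCustomUserAgentString"];

        bool isKnownClient = !string.IsNullOrWhiteSpace(expectedAgent)
            && !string.IsNullOrWhiteSpace(httpRequest.UserAgent)
            && httpRequest.UserAgent.StartsWith(expectedAgent);

        // Known clients pass through. Other callers are rejected unless the request is a GET.
        if (!isKnownClient && request.Method != HttpMethod.Get)
        {
            return request.CreateErrorResponse(HttpStatusCode.BadRequest, "You do not have permission to access the requested endpoint.");
        }

        return await base.SendAsync(request, cancellationToken);
    }
}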
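
An added example, not part of the original answer: CORS is enforced by browsers, and a native HTTP client such as the Xamarin app normally sends no Origin header, so a server-side check can only apply an origin allow-list to requests that carry one and must leave everything else to the token check. The handler name and the origin `https://app.example.com` are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical handler: rejects browser requests from origins outside the allow-list.
public class OriginAllowListHandler : DelegatingHandler
{
    // Placeholder value; replace with the origin that serves the Angular app.
    private static readonly HashSet<string> AllowedOrigins =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://app.example.com"
        };

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        IEnumerable<string> values;
        if (request.Headers.TryGetValues("Origin", out values))
        {
            // An Origin header is present (cross-origin browser request):
            // enforce the allow-list before the request reaches a controller.
            string origin = values.FirstOrDefault();
            if (origin == null || !AllowedOrigins.Contains(origin))
            {
                return Task.FromResult(request.CreateErrorResponse(
                    HttpStatusCode.Forbidden, "Origin not allowed."));
            }
        }

        // No Origin header (for example a native client such as the Xamarin app,
        // or a same-origin request): CORS does not apply here, and any header a
        // client sends can be set by another client, so the bearer-token check
        // later in the pipeline is what actually authorizes the call.
        return base.SendAsync(request, cancellationToken);
    }
}
```

Register it in the Web API configuration with `config.MessageHandlers.Add(new OriginAllowListHandler());` so it runs ahead of the controllers.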
