
What is the best way to validate API calls, whether the request is valid or the user is bypassing some calls, in Web API?

Thanks, I am developing a REST API in .NET Core. I need to secure my API calls while they are being accessed.

I have 10 REST API calls; here are a few of them:

  1. ValidateUser
  2. UploadDocument
  3. VerifyDocument
  4. ApproveDocument
  5. EligibleForPersonalLoan

The order of these calls should be sequential, as bulleted above. Example: 1 -> 2 -> 3 -> 4 -> 5 -> 6.

If a bypasser makes a call request to "2. UploadDocument" after the "5. EligibleForPersonalLoan" call, this request is wrong; in this scenario the user has bypassed two calls (3 and 4), so here I want to return an 'invalid request' error message. So how do I handle this scenario?

You could easily manage it by introducing a new enum called "LoanStatus":

using System.Collections.Generic;

public class Loan
{
    public long Id { get; set; }

    public virtual User User { get; set; }

    public virtual List<Document> Documents { get; set; }

    // Current position of this loan in the workflow; checked on every call.
    public LoanStatus LoanStatus { get; set; }
}

public enum LoanStatus
{
    UserValidated,
    DocumentUploaded,
    DocumentVerified,
    DocumentApproved,
    LoanEligibility // ...
}

Each time a Web API action is called you check the LoanStatus property and see if it's in the expected status; otherwise you return a forbidden response. If the status is the expected one, you do all your logic and then you change the status of the entity.

using System;
using Microsoft.AspNetCore.Mvc;

[HttpGet]
[Route("verifydocument/{loanId:long}")]
public IActionResult VerifyDocument(long loanId)
{
    try
    {
        var loan = _loanService.FindLoanById(loanId);
        if (loan == null)
        {
            return NotFound();
        }

        // Only accept this call when the previous step (UploadDocument) has completed.
        if (loan.LoanStatus == LoanStatus.DocumentUploaded)
        {
            // Do the logic for VerifyDocument, then advance the status so that
            // ApproveDocument becomes valid and this call cannot be repeated.
            loan.LoanStatus = LoanStatus.DocumentVerified;
            // ... persist the updated loan through _loanService here ...
            return Ok(loan);
        }

        return Forbid();
    }
    catch (Exception exception)
    {
        return StatusCode(500, exception.Message);
    }
}
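As an added example (not part of the original answer or the asker's project), the same idea can be generalised from one hard-coded check per action to a single transition table that every action consults, so the "expected previous status" for each step lives in one place. The program below is a stand-alone .NET 6+ console app; the names `LoanWorkflow`, `WorkflowStep`, `TryAdvance`, `OwnerUserId` and the initial `Created` status are assumptions made for this illustration and do not come from the question or answer. It rejects the skipped-step sequence from the question (2 then 5), a replay of an already completed step, and a caller acting on someone else's loan.

```csharp
// Added example, not code from the original question or answer.
// Assumes .NET 6 or later. Names below are illustrative assumptions.
using System;
using System.Collections.Generic;

public enum LoanStatus
{
    Created,               // assumed initial status before any call has succeeded
    UserValidated,
    DocumentUploaded,
    DocumentVerified,
    DocumentApproved,
    LoanEligibilityChecked
}

// One value per API call in the question.
public enum WorkflowStep
{
    ValidateUser,
    UploadDocument,
    VerifyDocument,
    ApproveDocument,
    EligibleForPersonalLoan
}

public sealed class Loan
{
    public long Id { get; init; }
    public string OwnerUserId { get; init; } = "";   // assumed: the user the loan belongs to
    public LoanStatus LoanStatus { get; set; } = LoanStatus.Created;
}

public static class LoanWorkflow
{
    // For each step: the status the loan must be in now, and the status it moves to
    // once the step's own logic has run. Any call that does not match "From" is invalid.
    private static readonly Dictionary<WorkflowStep, (LoanStatus From, LoanStatus To)> Transitions = new()
    {
        [WorkflowStep.ValidateUser]            = (LoanStatus.Created,          LoanStatus.UserValidated),
        [WorkflowStep.UploadDocument]          = (LoanStatus.UserValidated,    LoanStatus.DocumentUploaded),
        [WorkflowStep.VerifyDocument]          = (LoanStatus.DocumentUploaded, LoanStatus.DocumentVerified),
        [WorkflowStep.ApproveDocument]         = (LoanStatus.DocumentVerified, LoanStatus.DocumentApproved),
        [WorkflowStep.EligibleForPersonalLoan] = (LoanStatus.DocumentApproved, LoanStatus.LoanEligibilityChecked),
    };

    // Runs stepLogic and advances the status only when the step is the expected next one
    // for a loan owned by the caller. Returns false for any out-of-order, repeated or
    // foreign-loan request; the caller maps that to an "invalid request" response.
    public static bool TryAdvance(Loan loan, string callerUserId, WorkflowStep step, Action stepLogic)
    {
        if (loan.OwnerUserId != callerUserId) return false;

        var (from, to) = Transitions[step];

        // Check and update as one unit so two concurrent requests cannot both pass the check.
        // In a real service use a database transaction or optimistic concurrency instead of a lock.
        lock (loan)
        {
            if (loan.LoanStatus != from) return false;
            stepLogic();
            loan.LoanStatus = to;
            return true;
        }
    }
}

public static class Program
{
    private static void Attempt(Loan loan, string caller, WorkflowStep step)
    {
        bool ok = LoanWorkflow.TryAdvance(loan, caller, step, () => { /* step logic goes here */ });
        Console.WriteLine($"{caller} -> {step}: {(ok ? "accepted" : "invalid request")} (status now {loan.LoanStatus})");
    }

    public static void Main()
    {
        var loan = new Loan { Id = 1, OwnerUserId = "alice" };   // constructed sample data

        Attempt(loan, "alice", WorkflowStep.ValidateUser);             // step 1, in order
        Attempt(loan, "alice", WorkflowStep.UploadDocument);           // step 2, in order
        Attempt(loan, "alice", WorkflowStep.EligibleForPersonalLoan);  // step 5 with 3 and 4 skipped
        Attempt(loan, "alice", WorkflowStep.UploadDocument);           // step 2 repeated
        Attempt(loan, "bob",   WorkflowStep.VerifyDocument);           // another user's loan
        Attempt(loan, "alice", WorkflowStep.VerifyDocument);           // step 3, in order
    }
}
```

Run it with `dotnet run` in a console project. Two design points matter for the question's threat: the status is kept server-side and the check and the status update happen together, so a client cannot skip or replay steps by choosing which URL to call; and the ownership check is separate from the status check, because the status alone says nothing about who is calling. Each controller action then reduces to one `TryAdvance` call naming its own step, rather than repeating an `if (loan.LoanStatus == ...)` comparison in every method.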
