How do I put a value from a different domain in my Model through a WebAPI Controller using CORS?

Question

The application takes requests from a different, non-ASP.NET web application. I've implemented Cross-Origin Resource Sharing and now I need to get a value from the request.

My Model

  public class User
{
    public int userID { get; set;}
    public string username { get; set; }
    public string password { get; set;}
    public int group { get; set; }
    public string permission { get; set;} 
}

My Controller

   [EnableCors("*", "*", "*")]

public class LoginController : ApiController
{
    public User[] PutUser()
    {
       //this is where I want to create a user through requests to further work with the application
    }
}

How could I do this?

Answer 1

I have implemented something similar in an MVC project where I'm calling to our application from a different domain. To do this, you need to add the Access-Control-Allow-Origin header with value of the Origin (origin of the request) to your response. I imagine this method will work for web api too. You don't want to allow requests from any website! This method will allow you to respond to the initial request, which it seems like you want to do as you're returning an array of users.

I found the easiest way was to create an attribute that you can decorate your methods with:

        public class AllowCrossSiteAttribute : ActionFilterAttribute
        {
            public override void OnActionExecuting(ActionExecutingContext filterContext)
            {
                switch (filterContext.RequestContext.HttpContext.Request.Headers["Origin"])
                {
                    case "https://myotherwebsite1.com":
                        filterContext.RequestContext.HttpContext.Response.AddHeader("Access-Control-Allow-Origin", filterContext.RequestContext.HttpContext.Request.Headers["Origin"]);
                        break;
                    case "https://myotherwebsite2.com":
                        filterContext.RequestContext.HttpContext.Response.AddHeader("Access-Control-Allow-Origin", filterContext.RequestContext.HttpContext.Request.Headers["Origin"]);
                        break;
                    default:
                        filterContext.Result = new EmptyResult();
                        break;
                }

                base.OnActionExecuting(filterContext);
            }
        }

The switch statement checks the origin and makes sure it's from a trusted source. You don't need to hard code these, but for talk sake I have. If you get a match we add the appropriate header to the response.

You can then decorate your method with this attribute:

[AllowCrossSite]
public class LoginController : ApiController
{
    public User[] PutUser()
    {
       //this is where I want to create a user through requests to further work with the application
    }
}

To actually send data from the other application you could use a jquery Ajax request or just a form post, but make sure the method is set to PUT or POST (depending on what you want to do, it's unclear from the naming) if your application relies on verbs.

You could gather the requested data in a FormDataCollection I believe:

public public User[] PutUser(FormDataCollection form)
{
   //...
}