Submit request to Web API when logged in
In Web API it is possible to secure the Web API controller and methods with the [UmbracoAuthorize] attribute: https://our.umbraco.org/documentation/reference/routing/webapi/authorization
public class ImportController : UmbracoApiController
{
    [HttpGet]
    [UmbracoAuthorize]
    public HttpResponseMessage Import(string agency = "", string startDate = "", string endDate = "")
    {
    }
}
but it seems it only works with a request inside Umbraco - so not when logged into the Umbraco backoffice and submitting a request from another browser window/tab or an Ajax request in the browser console in the browser window.
Is the only option then to use e.g. a dashboard with a button that requests the API method via Ajax?
/Bjarne

Sorry for the late reply, we use [UmbracoAuthorize] on the courses all the time. We use it with both AJAX calls and accessing it as a URL directly, so I'm sure it works.
I'm confused as to what you're trying to do though:
A request on the frontend using AJAX?
A request in the backoffice using AJAX?
A manual request to a URL, logged into the frontend?
A manual request to a URL, logged into the backoffice?
For backoffice requests you need to use UmbracoAuthorizedApiController instead. If you need to check if someone is both logged into the frontend AND the backoffice, that's a whole other story again.

Hi Sebastiaan
What I was trying was A manual request to a URL, logged into the backoffice
We have some reviews returned as JSON from another URL and would like to import these as Umbraco nodes.
For that I have this ApiController, but I was looking into whether it was possible to only request the method when logged into the backoffice (in another browser window/tab). But when I have added [UmbracoAuthorize] I get a response message that it is not authorized, even when logged into the backoffice in another browser tab. (Umbraco 7.4.1)
And UmbracoAuthorizedApiController is only for requests made from inside the backoffice, right?
But because there are also a lot of reviews, we would like to import these late at night (at least the first time, later probably in smaller chunks - e.g. reviews within the last month).
At the moment we have a Windows scheduled task to run at 00:05. Is there another way to e.g. authorize with credentials that the scheduled task can use?
Ideally we don't want theoretically everyone to be able to request the Web Api method, and one doesn't need to comment/uncomment code when we want to run the code.
/Bjarne

A manual request to a URL, logged into the backoffice
Alright, you have to use UmbracoAuthorizedApiController for that
As for the import schedule: the way I would do it is to have a regular UmbracoApiController that gets called something like so: site.com/umbraco/api/GetImport?secret=1234567890
The secret I would store in an app setting in the web.config for example and compare it as the first thing in the UmbracoApiController to make sure only someone who knows the secret calls it. However, this is almost not secure, so be aware that there might be a man in the middle sniffing the URL with the secret in it. It's difficult to do this correctly, it would require passing around tokens over HTTPS connections and I don't know much exactly how to make this very secure.
A more secure way (and the way I'd solve it in my own hacky way) is to make it a POST, so some kind of console app that does a POST to an UmbracoApiController. The secret can then be in the body of the POST, which is completely secure if the server is running on HTTPS.
Hope this all makes sense (key message: security is hard).

Okay, it is a request to the Web Api, but not inside Umbraco context. The UmbracoAuthorizedApiController is only when the request happens inside the backoffice, right? Otherwise I think one will just get a blank page and an error message in the network tab in the console window.
Okay, it might make it a bit more safe with a secret key in the URL, although there might be a man in the middle sniffing the URL and secret key. But would be harder just to guess..
I am not sure how [UmbracoAuthorize] works, but in Web API 2 it seems that you can submit credentials in headers and check for authorization, but it is probably only safe when it happens over HTTPS. http://www.asp.net/web-api/overview/security/authentication-filters
It is not critical that it is not completely safe, but it would be great to make it a bit safer, because the import might take some time depending on how much data we request, and it takes some time via ContentService to create or update Review nodes with data for each property.

If you're running a scheduled task then you could just run it on the same machine as the website runs on, that doesn't need to go outside of the network so there shouldn't be a MitM.
You could even put this import in the scheduled tasks in umbracoSettings.config, adding the key in the querystring and verifying it against the one in web.config - obviously you will want to keep both config files private then. :)
Just to make sure, I would configure a localhost domain for this and also check that the request is coming from localhost so that you're sure it never goes over the public internet or that the URL is publicly accessible.
All this seems hacky and I'm sure there's better ways!
Obviously, if you still need to be able to trigger the import manually, you'd need a second endpoint that doesn't do this localhost check and is attributed with UmbracoAuthorizedApiController, assuming you'd want to trigger it from the backoffice.

Can scheduled tasks added in umbracoSettings.config run at a specific time like Windows scheduled tasks? When I had a look at it first, it seemed only to support running on a specific interval. https://our.umbraco.org/wiki/install-and-setup/scheduled-tasks/
If you want to run it every 24 hours, can one control at which time, or is it just from when it was triggered the first time?
I just noticed this old TaskScheduler package https://our.umbraco.org/projects/developer-tools/taskscheduler/ but also this newer package for Umbraco 7 https://our.umbraco.org/projects/backoffice-extensions/url-task-scheduler-for-v7/

Ah yes, forgot they only run every x minutes, there's no way to control the actual time it runs at.

An option might be to run the task every 5 minutes and then in code compare the actual time. https://our.umbraco.org/forum/umbraco-7/using-umbraco-7/70303-scheduled-tasks-certain-time-at-2pm
But https://our.umbraco.org/projects/backoffice-extensions/url-task-scheduler-for-v7/ might be worth testing
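The scheduled-import endpoint suggested in the thread (secret sent in a POST body, compared against a web.config app setting, request required to come from the local machine), sketched as an added example that is not code from any poster or from Umbraco itself. The controller name, the `ImportRequest` model and the `ImportSecret` appSettings key are assumptions made for illustration.

```csharp
using System.Configuration;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Web.Http;
using Umbraco.Web.WebApi;

// Hypothetical POST body sent by the scheduled job; property names are assumptions.
public class ImportRequest
{
    public string Secret { get; set; }
    public string Agency { get; set; }
    public string StartDate { get; set; }
    public string EndDate { get; set; }
}

public class ScheduledImportController : UmbracoApiController
{
    [HttpPost]
    public HttpResponseMessage Import([FromBody] ImportRequest body)
    {
        // Reject anything that did not originate on the web server itself.
        if (!Request.IsLocal())
            return Request.CreateResponse(HttpStatusCode.Forbidden);

        // "ImportSecret" is an assumed appSettings key in web.config.
        // A missing or empty setting fails closed instead of matching an empty secret.
        string expected = ConfigurationManager.AppSettings["ImportSecret"];
        if (string.IsNullOrEmpty(expected) || body == null || !SecretsMatch(body.Secret, expected))
            return Request.CreateResponse(HttpStatusCode.Unauthorized);

        // The import itself (ContentService calls using body.Agency, body.StartDate,
        // body.EndDate) would run here; it is outside the scope of this example.
        return Request.CreateResponse(HttpStatusCode.OK);
    }

    // Compares SHA-256 digests of both values with no early exit, so the
    // response time does not reveal how many leading characters matched.
    private static bool SecretsMatch(string supplied, string expected)
    {
        using (var sha = SHA256.Create())
        {
            byte[] a = sha.ComputeHash(Encoding.UTF8.GetBytes(supplied ?? string.Empty));
            byte[] b = sha.ComputeHash(Encoding.UTF8.GetBytes(expected));
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }
}
```

If the site sits behind a reverse proxy on the same machine, every request can appear local, so the secret check has to hold on its own. Keeping the secret in the body rather than the querystring also keeps it out of IIS request logs.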