Throttling actions in WebApi using AttributeFilter

I recently had to come up with a solution to throttle an action in an API i’ve written.
First thing I did was to see what others had used (No reason to invent the wheel right?).
I came across this stackoverflow answer – which is basically what I will use in this blog post (mostly for a reminder to myself I guess).
Full credits go to Jarrod Dixon

The Attribute

The Annotation

Since it’s an attribute, we just annote it to an action
The attribute takes a unique name, amount of seconds and the message to return.
If the action is run more often than allowed, the action will return 409 - conflict

Authorization using tokens in WebAPI

Implementing token based authorization isn’t as hard as it might seem, not with the right tools atleast.
The very brief introduction to Tokens can be derived from the following image;
Token authentication
You Authenticate with a username/password (or something else).
The Server validates the credentials and spits back a token.
The Token is then used for subsequent calls until it expires.


There are basically three ways of getting a token to the server
1. The URL GET"".
2. The payload (body) which means you will need to POST to all endpoints (not RESTful)
3. A Header of some sort (generally the Authorization header.
In this post I am going use the Authorization header.
The token type will be Json Web Tokens.
I like JWTokens because they contain everything related to the user, although they do have a significant size to them.

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with HMAC algorithm) or a public/private key pair using RSA.

You can
In this post I will also be signing the token using HMAC to secure it from tampering.
What we will be doing is the following;

  • Install needed NuGet packages.
  • Create models to hold a User and the AuthToken.
  • Create a TokenProvider interface and a Json Web Token Provider to create the token.
  • Create a controller to authenticate using Username/Password.
  • Create a Token Authorization Attribute to be used either in webapiconfig.cs or on individual controllers/actions.

Add Nuget Packages.

This could be done without the ThinkTecture one, but I feel like it adds some value.

Create a model to hold the token, this is just a poco containing the token and an expiration time

Next, I’ll create another poco to hold the username/password and Roles associated with the user.

The roles will be assigned on authenticating through the AccountController (which we will do later on).

Create a provider interface and create a JsonWebTokenProvider

The provider will need 2 methods

  • Create a token
  • Validate a token

Interface done, lets move on to the concrete implementation.
There are a few parts we need to handle.
Firstly, we need a few token specific fields namely,

  • Audience – The audience that will be accessing your API
  • Issuer – You..
  • Key – to be used as the HMAC Private Key (Should be unique and safeguarded)
  • SigningCredential – the HMAC signing credential to be used in the header of the JWT –

The signingCredential will be instantiated in the default constructor as you can see in the gist.

Now lets abide by the Interface.
The CreateToken method:
We create a token that is valid for 15 minutes based on the user claims and serialize it to a string.

The ValidateToken method:
We validate a given tokenString based on some validation parameters.

Create AccountController

Here I’ve created 1 method authenticate
Which matches a username/password and creates and returns a token based off that user. The action needs to allow anonymous-access, as we will be adding the Authorization Attribute globally.

We can now authenticate by doing a POST to /account/authenticate?username=admin&password=1235


The Authorization Attribute…
Let’s dive right in.
This attribute looks for the Authorization: Bearer {Token} header. If the header is present, and the Token is valid, the Principal gets set and the user is authorized, else a 401 is returned.
I’ve also allowed using the [AllowAnonymous] attribute for the account/authenticate action. and since we are already using claims, we will be able to use the [Authorize] attribute to check roles as well.

Finishing up

All that is left to do, is adding the attribute to WebApiConfig.cs and maybe decorating controller actions with [Authorize(Roles = "Admin")]
The following will make sure that ALL actions (except ones decorated with the [AllowAnonymous] attribute) is secured.

Now you can add [Authorize(Roles = "Admin")] to actions that needs to check roles as well (if needed).

Further more

Alot can be refactored from the code provided, I will leave that up to the reader to decide where and how – I have tried to keep is as simple and as short as possible, therefor I have left out refactorings that I, myself have done.