The Web API Framework in DataFlex

Lesson 5 - Implementing authentication

In this lesson, we’ll guide you through implementing authentication in your DataFlex Web API using the cWebApiAuthModifier. Let’s dive right in!

Step 1: Understand the Authentication Modifier
- The cWebApiModifier extends the base C Web API Modifier.
- The base modifier handles general stuff like logging (non-security related).
- The Authentication Modifier is designed to implement security mechanisms like Basic Auth, JWT Bearer, or API Keys.
Step 2: Implement the OnAuth Event
- Override the OnAuth event in your authentication modifier.
- This is where you write your custom logic (Basic Auth, JWT, API Key, etc.).
- Whenever bErr inside of the webapicallcontext struct is set to true the clients request will be denied.
Step 3: Define Security Rules with OnDefineAuthRules
- Override the OnDefineAuthRules event.
- Here you define a struct matching the security scheme that Swagger UI expects. For BasicAuth that would look something like the following.
  Swagger UI expects (in JSON):
  - basicAuth {
    type: “http”
    scheme: “basic”
    }
  - In DataFlex this would be implementing as the following:
    Struct basicAuth
    String type
    String scheme
    End_struct
    
    Object oBasicAuth is a cWebApiAuthModifier
    Set psSecuritySchemaName to “BasicAuth”
    
    Procedure OnDefineAuthRules Variant ByRef vSecurityStruct
    basicAuth basicauth
    
    Forward send OnDefineAuthRules (&vSecurityStruct)
    Move “http” to basicauth.type
    Move “basic” to basicauth.scheme
    
    Move basicauth to vSecurityStruct
    End_Procedure
    End_Object
  - This controls if endpoints show up as secured in Swagger UI.
Step 4: Create a Login Endpoint
- Use the cWebApiLoginEndpoint
  - Username (Write only, sent with requests but not returned in response)
  - Password (Same as username)
  - An additional read-only field returned upon successful login.
- Use the OnSetCalculatedValue in this additional field to return a token/key after successful login.
Step 5: Look at the Example Workspace
- The example workspace includes:
  - A router (e.g., OVersionOneRouter)
  - A login endpoint with username, password, and API key fields.
- The API key field is read-only (returned to the client).
- After a successful login, the session key is returned as the API key.
Step 6: Handle Requests with the Authentication Modifier
- Inside the authentication modifier’s OnAuth event:
  - Check if the Web Session Manager exists.
  - Call ValidateSession with the API key (session key).
  - If valid, allow access.
  - Check user rights per HTTP verb (GET, POST, PUT, PATCH, DELETE).
  - Return error if the user lacks permissions (with a “You don’t have sufficient rights” message).
Step 7: Test with Swagger UI
- Open Swagger UI for your API.
- Try sending a request to a secured endpoint (like vendorInventory) without a key.
- You’ll get an error — no access.
- Use the login endpoint to get an API key by sending valid credentials (e.g., Admin/admin).
- Copy the returned API key.
- Paste it in the authorization header for the secured endpoint.
- Now, your requests will succeed!
Step 8: Multiple Authentication Methods
- You can support multiple methods simultaneously:
  - Basic Authentication (username/password in header)
  - JWT Bearer tokens
- Control which HTTP verbs require authentication:
  - Example: GET requests may be public, but POST/PUT/PATCH/DELETE require login.
- Set this by configuring pbSecure for each verb. For example, pbSecureRead to false to allow anyone to access the GET verb.

Quick Pro Tip: To make a verb public (no auth needed), just set pbSecure to false for that verb. The API will let everyone access it.

The Web API Framework in DataFlex

DataFlex courses

Information

The Web API Framework in DataFlex

Lesson 5 - Implementing authentication