
Login API

AppFormsLoginAPI authenticates users from outside the AppForms site through an HTTP API. Authentication, forgot password, reset password and related operations can be performed with it.

Working

By default, the AppForms Login API is hosted under the AppForms site in IIS, in the structure shown below.

The Login API URL will look like the one below.

AppFormsLoginAPI is invoked through the endpoints listed below.

1. Generating a token and authentication cookie: /token

Sample request

Request Body

 grant_type: "password"

 username: "admin"

 password: "PassWordForAdmin"

Request Headers

Content-Type: application/x-www-form-urlencoded

Sample Response

2. Getting the current user's information: /api/currentuserinfo

Sample request

Request Headers

Authorization: Bearer 5PkLjedqGpp-fUtZG2kpRbkhnlnJKXO0ISRCxVuMWCVDsGv3jPQ9GkSJGuRMw5u2NUP7Gx2yjgkZEEHRmBkwUrqTkYKkMAkhRhj-8Wmxyfd4N9HozS-U3rKDF1AlTlwHycSDvi9A0zHTkwHrUWJDapslGvR8TEIjv5IInuYKZLZFZSWXLlQLdPfGdzGq-Du3SvJhgw

Sample Response

3. Forgot password : /api/forgotpassword

Note: If a user with the given email exists in the AppForms MetaDB, a mail built from the configured mail settings and containing a reset Key is sent to that address.

Sample request

Request Headers

Content-Type: application/json

Request Body

{ "Email": "[email protected]" }

Sample response

Note: The response carries the message 'Success' if the mail was sent; otherwise an empty string is returned. Make sure the mail settings are configured correctly under SMTP E-mail in IIS for the Login API, and check the Login API application settings for the mail-related entries (for example Mail_IsAnonymousAuth and Mail_EnableSSL).

4. Resetting a password: /api/resetpassword

The user resets the password by sending the Key from the forgot-password mail together with the new password.

Sample request

Request Headers

Content-Type: application/json

Request Body

{
    "Browser": "Google Chrome",
    "BrowserVersion": "98.0.4758.81",
    "Details": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36",
    "IP": "105.223.171.204",
    "IsMobileDevice": false,
    "Key": "27f57602e54347ef85d055eabe588ef93e180caa96b44d2f8f40f3fc4a024f88",
    "MobileDeviceManufacture": "Sony",
    "MobileDeviceModel": "TouchScreen",
    "Password": "asdasd",
    "UserHostAddress": "247.74.48.245",
    "UserHostName": "device1.cunextgen.com"
}

Sample Response

Note: The response carries the message 'Success' if the password was reset; otherwise an empty string is returned. A Key can be used only once; subsequent requests with the same Key are ignored.

5. Checking for a valid session: /api/checkvalidsession

This method checks whether a user's session is still valid, given the authentication token. It returns a success message if the session is valid; otherwise it returns access denied (the default authentication-denied response).

Sample Request

Request Headers

Authorization: Bearer EiwD5pTF8k2RHMtVD8x59nmOKwqmGX7U4jmIRH23rTNEUy57vbZJ3oerL8FFMd9WNoJKwmhaxwsmcmnXJriT8ruVAOUbLHmidtGMbf-kTpYg3XSY7BQN7XN6OApjXValue1i0K1ccGN4TrV2r32hW1Oj48riBg_MwmmI40ZfZ0psapYVCH4PWhSQL-54nDTc-ynUQQ

Sample Response

Success message

Error message
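The client side of endpoints 1 to 5 above, as an editor-added example in Python; it is not code from the AppForms product or this documentation. It assumes that /token returns the usual ASP.NET OWIN bearer-token JSON (an access_token field; the page's sample response is an image not reproduced here), that /api/currentuserinfo and /api/checkvalidsession are GET endpoints answering 200 for a valid token and 401 otherwise, and that the base URL, credentials and the fake_transport stand-in are constructed so the block runs offline.

```python
# Editor-added example; not code from the AppForms product or its documentation.
# Assumed (the page does not state it): /token answers with the usual ASP.NET OWIN bearer
# JSON {"access_token": ...}; /api/currentuserinfo and /api/checkvalidsession are GET.
import json
import urllib.error
import urllib.parse
import urllib.request


def urllib_transport(method, url, headers, body):
    """Real transport: (method, url, headers, body) -> (status, bytes). Use an https:// base URL."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 400/401 responses still carry the JSON error body
        return err.code, err.read()


class LoginApiError(Exception):
    def __init__(self, error, description="", remaining_attempts=None):
        super().__init__(f"{error}: {description}")
        self.error, self.description, self.remaining_attempts = error, description, remaining_attempts


class LoginApiClient:
    def __init__(self, base_url, transport=urllib_transport):
        self.base_url, self.transport = base_url.rstrip("/"), transport

    def _call(self, method, path, headers, body=None):
        status, raw = self.transport(method, self.base_url + path, headers, body)
        return status, raw.decode("utf-8", errors="replace")

    def get_token(self, username, password):
        # /token is a form-encoded resource-owner-password grant, not JSON.
        form = urllib.parse.urlencode(
            {"grant_type": "password", "username": username, "password": password}).encode()
        status, text = self._call("POST", "/token",
                                  {"Content-Type": "application/x-www-form-urlencoded"}, form)
        data = json.loads(text) if text.lstrip().startswith("{") else {}
        if status != 200 or "access_token" not in data:
            # Error body shape depends on Error_DetailedResponse / Error_RemainingLoginAttempts.
            # Surface only the parsed fields; never log the form, it carries the password.
            raise LoginApiError(data.get("error", f"http_{status}"),
                                data.get("error_description", ""), data.get("remaining_attempts"))
        return data["access_token"]

    def current_user_info(self, token):
        status, text = self._call("GET", "/api/currentuserinfo", {"Authorization": "Bearer " + token})
        if status != 200:
            raise LoginApiError("access_denied", text)
        return json.loads(text)

    def check_valid_session(self, token):
        return self._call("GET", "/api/checkvalidsession", {"Authorization": "Bearer " + token})[0] == 200

    def forgot_password(self, email):
        # Documented contract: 'Success' when the mail went out, empty string otherwise.
        _, text = self._call("POST", "/api/forgotpassword", {"Content-Type": "application/json"},
                             json.dumps({"Email": email}).encode())
        return text.strip().strip('"') == "Success"

    def reset_password(self, key, new_password, client_details=None):
        body = dict(client_details or {}, Key=key, Password=new_password)
        _, text = self._call("POST", "/api/resetpassword", {"Content-Type": "application/json"},
                             json.dumps(body).encode())
        return text.strip().strip('"') == "Success"


def try_login(client, username, password):
    """(token, None) on success, (None, LoginApiError) when the grant is refused."""
    try:
        return client.get_token(username, password), None
    except LoginApiError as err:
        return None, err


# Constructed stand-in for the service (not the real API) so the block runs offline.
FAKE_TOKEN = "demo-access-token"
_used_reset_keys = set()


def fake_transport(method, url, headers, body):
    path = urllib.parse.urlparse(url).path
    auth_ok = headers.get("Authorization") == "Bearer " + FAKE_TOKEN
    if path.endswith("/token"):
        form = urllib.parse.parse_qs((body or b"").decode())
        if form.get("grant_type") == ["password"] and form.get("password") == ["PassWordForAdmin"]:
            return 200, json.dumps({"access_token": FAKE_TOKEN, "token_type": "bearer"}).encode()
        return 400, json.dumps({"error": "invalid_grant", "remaining_attempts": 2}).encode()
    if path.endswith("/api/currentuserinfo"):
        return (200, b'{"UserName": "admin"}') if auth_ok else (401, b"Authorization has been denied.")
    if path.endswith("/api/checkvalidsession"):
        return (200, b'"Success"') if auth_ok else (401, b"")
    if path.endswith("/api/forgotpassword"):
        return 200, b'"Success"'
    if path.endswith("/api/resetpassword"):
        key = json.loads(body.decode()).get("Key")
        if key in _used_reset_keys:  # documented: a reset Key works once, later requests are ignored
            return 200, b'""'
        _used_reset_keys.add(key)
        return 200, b'"Success"'
    return 404, b""
```

Replace fake_transport with the default urllib_transport and an https:// base URL to talk to a real deployment. Two details worth keeping in any client: the /token body is form-encoded while the password endpoints take JSON, and the error path exposes remaining_attempts to the caller without ever logging the submitted form.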

6. Getting user information by account name: /api/getuserinfobyname

This method returns user information given only the user's account name.
Note: This endpoint is unauthenticated. If IP whitelisting is disabled, anyone who can reach the API can query user information by account name.

Request

Sample request

Response

Note: Additional information about the user can be selected from the database by configuring BusinessDataConnectionString in the Login API. Make sure the required DB scripts have been executed before configuring BusinessDataConnectionString.

7. Getting a user's authentication cookie by token key/GUID: /api/getauthcookiebyuserkey

This method returns the user's authentication cookie (.ASPXAUTH) given only a token/GUID looked up in the Business DB.
Note: This endpoint is unauthenticated. If IP whitelisting is disabled, anyone who can reach the API and knows a valid token/GUID can obtain that user's authentication cookie. The token/GUID must first be inserted into the Business DB table 'TempUserLoginValidations' for the Login API to validate it.

Request

Sample request

Response

8. Force logging out a user by key/GUID when CookieValidation is configured on the site: /api/resetLoggedInFlag

This method logs a user out of the site using the cookie GUID, or the Key corresponding to the authentication cookie. When the CookieValidation module is configured on the site, every user request is validated against the DB.

For each authenticated user session an AuthenticationTicketGUID is stored in the DB and checked on every request sent from the client/browser.

To remove the AuthTicketId and so log the user out, invoke the API as shown below.

Setting the invalid-attempt error message based on settings

The error message returned on an invalid login attempt can be set or changed through configuration.

To do this,
1. Open IIS

2. Select the AppForms Login API application and open Application Settings

3. Change Error_DetailedResponse and Error_RemainingLoginAttempts as needed

Error_DetailedResponse: a detailed error message is returned on an invalid attempt

{
    "error": "invalid_grant",
    "error_description": "Your Login attempt was not successful.Please try again."
}

Error_RemainingLoginAttempts: the number of remaining attempts is also returned

{
    "error": "invalid_grant",
    "error_description": "Your Login attempt was not successful.Please try again.",
    "remaining_attempts": 0
}

If both settings are set to false, an invalid attempt returns only the error code:

{
    "error": "invalid_grant"
}

Account lockout based on the maximum invalid attempt count

User accounts can be locked based on the invalid attempt count.

If the count is greater than zero, repeated invalid attempts are tracked until the count is exceeded; the user account is then locked automatically, and an administrator must unlock it manually by changing the IsLocked column value in the UserObjects table of the DB.

The maxInvalidPasswordAttempts setting can be found in IIS by selecting

  1. Configuration Editor
  2. Select the system.web/membership section
  3. Click on providers
  4. Select CustomMembershipProvider
  5. Change maxInvalidPasswordAttempts to the required whole number
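How the two error settings and the lockout limit interact, as an editor-added model in Python (not AppForms code): invalid_grant_body builds the three documented response shapes from string-valued app settings, and LockoutPolicy tracks failures against maxInvalidPasswordAttempts. Assumptions made here: the settings are read as strings the way IIS stores them, and "exceeds" means the account locks on the failure after the limit, so remaining_attempts reaches 0 one attempt before the lock.

```python
# Editor-added model; not AppForms code. Assumed: IIS app settings arrive as strings, and the
# account locks on the failure *after* maxInvalidPasswordAttempts (the documented "exceeds").
from dataclasses import dataclass

INVALID_GRANT_TEXT = "Your Login attempt was not successful.Please try again."


def parse_bool(value):
    """IIS appSettings values are strings ("True", "false", "1"); anything else reads as False."""
    return str(value).strip().lower() in ("true", "1", "yes")


def invalid_grant_body(settings, remaining):
    """Build the /token error body for the three documented combinations of the two settings."""
    detailed = parse_bool(settings.get("Error_DetailedResponse", "false"))
    show_remaining = parse_bool(settings.get("Error_RemainingLoginAttempts", "false"))
    body = {"error": "invalid_grant"}
    if detailed or show_remaining:
        body["error_description"] = INVALID_GRANT_TEXT
    if show_remaining:
        body["remaining_attempts"] = remaining  # tells any caller exactly how close lockout is
    return body


@dataclass
class AccountState:
    invalid_attempts: int = 0
    is_locked: bool = False  # mirrors the IsLocked column of the UserObjects table


class LockoutPolicy:
    def __init__(self, max_invalid_password_attempts):
        self.limit = int(max_invalid_password_attempts)

    def remaining(self, acct):
        # None when lockout is switched off (limit 0): there is nothing to count down.
        return None if self.limit <= 0 else max(self.limit - acct.invalid_attempts, 0)

    def record_failure(self, acct):
        if self.limit <= 0:  # a limit of 0 disables lockout entirely
            return
        acct.invalid_attempts += 1
        if acct.invalid_attempts > self.limit:
            acct.is_locked = True

    def record_success(self, acct):
        acct.invalid_attempts = 0

    def admin_unlock(self, acct):
        # No self-service path: an administrator clears IsLocked in the database.
        acct.is_locked, acct.invalid_attempts = False, 0


def simulate_failures(policy, settings, n):
    """Run n wrong passwords against a fresh account; return (final state, list of error bodies)."""
    acct, bodies = AccountState(), []
    for _ in range(n):
        if acct.is_locked:
            break
        policy.record_failure(acct)
        bodies.append(invalid_grant_body(settings, policy.remaining(acct)))
    return acct, bodies
```

A caveat the model makes visible: with Error_RemainingLoginAttempts enabled, the API tells an unauthenticated caller exactly how many guesses remain before an account locks. That lets a password-spraying attacker pace attempts to stay under the limit and lets a hostile caller lock chosen accounts on purpose, so consider leaving it off on internet-facing deployments.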

ConnectionStrings

1. SecurityConnectionString

The connection string to the AppForms Meta DB can be changed from IIS by selecting Connection Strings for the AppFormsLoginAPI application. Follow these steps to modify the connection strings:

Step 1: Open IIS and select AppFormsLoginAPI.

Step 2: Double-click 'SecurityConnectionString' and modify the connection string. After modification, click OK to save it.

To keep logs and exceptions in a separate database, add a connection string named 'LogDataConnectionString'.

2. BusinessConnectionString

This connection string is used to select additional user information when the /api/getuserinfobyname endpoint is invoked. To enable it, select the Connection Strings option on the /Security/LoginAPI application and add the connection string by clicking Add.

Note: Run the required DB script for the tables/stored procedures before configuring the Business connection string.

A sample stored procedure is given below:

-- Returns the additional columns that are merged into the /api/getuserinfobyname response.
-- @username is the account name passed in by the Login API.
CREATE PROCEDURE [dbo].[sps_GetCustomUserInfoByName]
    @username VARCHAR(500)
AS
BEGIN
    SET NOCOUNT ON;

    SELECT [AccountNumber]
          ,[MemberId]
    FROM [dbo].[MemberDetails]
    WHERE UserName = @username;  -- parameterised, so the account name is never spliced into SQL text
END

A sample response after configuring this connection string is given below.

Configuration file

AppFormsLoginAPI is configured through a set of application settings, such as 'TokenExpireHours', 'RefreshTokenExpireHours' and the mail settings.

These settings can be modified as follows:

Step 1: Open IIS and select AppFormsLoginAPI inside the AppForms Security site. Under Application Settings, the value of each setting can be modified.

Mail_EnableSSL – enable SSL/TLS for the mail connection.

Mail_IsAnonymousAuth – use anonymous authentication for the mail connection.

Mail_Body – mail body for the forgot-password and reset-password mails.

Mail_Subject – subject for those mails.

RefreshTokenExpireHours – lifetime of the refresh token, in hours.

TokenExpireHours – lifetime of the access token, in hours.

WhiteListedIPs – comma-separated list of IP addresses allowed to call the Login API. Use this option to restrict the Login API endpoints to the whitelisted IPs. Leaving the field empty removes the IP filter, which also leaves the unauthenticated endpoints (/api/getuserinfobyname and /api/getauthcookiebyuserkey) open to any caller.

The other settings (passwordIterations, Salt, KeySize, etc.) must match those on the AppForms site for login operations to work.
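A reference implementation of the WhiteListedIPs check as the documentation describes it (comma-separated addresses; an empty value disables the filter), added here as an editor's example and not taken from the product. The endpoint paths come from sections 6 and 7 above; CIDR ranges and IPv6 are accepted as an extension the page does not mention, and the client addresses used with it are constructed.

```python
# Editor-added example; not AppForms code. Implements the documented WhiteListedIPs semantics:
# comma-separated addresses, and an empty value that switches the filter off completely.
# CIDR/IPv6 support goes beyond what the page describes.
import ipaddress

# The two endpoints the documentation marks as unauthenticated.
UNAUTHENTICATED_ENDPOINTS = {"/api/getuserinfobyname", "/api/getauthcookiebyuserkey"}


def parse_whitelist(setting):
    """None means 'filter off' (empty setting); otherwise the parsed networks. Malformed entries raise."""
    if setting is None or not setting.strip():
        return None
    nets = []
    for item in setting.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))  # "10.0.0.5" becomes 10.0.0.5/32
    return nets


def is_allowed(client_ip, whitelist):
    if whitelist is None:
        return True  # no filter configured: every caller passes
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparsable peer address: fail closed
    return any(ip in net for net in whitelist)


def gate(path, client_ip, setting):
    """Decision for one request: 'allow', 'deny', or 'allow-unprotected' when an
    unauthenticated endpoint is reachable only because the filter is switched off."""
    whitelist = parse_whitelist(setting)
    if whitelist is None:
        return "allow-unprotected" if path.lower() in UNAUTHENTICATED_ENDPOINTS else "allow"
    return "allow" if is_allowed(client_ip, whitelist) else "deny"
```

Feed gate() the TCP peer address (REMOTE_ADDR in IIS), not an X-Forwarded-For value, unless a trusted proxy sits in front and strips client-supplied copies of that header. As an audit check, evaluate gate("/api/getuserinfobyname", ip, current_setting) for the deployed WhiteListedIPs value and treat "allow-unprotected" as a finding.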

Logging

Exceptions and errors raised by AppFormsLoginAPI are written to the 'Logs' folder inside the application directory.

Details of the errors/exceptions can be viewed by right-clicking and choosing Explore to open this Logs folder.