I am building a small REST server, which will be deployed to about 2 dozen people, and provide some data on an internal network.
I have the GET request set up and can return JSON of the data that I am requesting, but I would like to disallow anybody with a browser to be able to request the data. It isn't sensitive, but I would still like to limit access to the data via the REST server to the application that I write.
I am trying to pass in a key via the header in a TRESTClient during the GET request, but I am not able to access it on the server (and truth be told, I'm not even certain it is getting out of the client).
I've muddled my way this far through reading documentation, watching videos, and reading forums such as this.
I am getting my data back, but am unsure if I'm anywhere close to properly transmitting the header fields and retrieving them on the server.
My GET procedure on the server looks like this:
    procedure TWebModule1.WebModule1WebActionItemSiteOrdersGETAction(
      Sender: TObject; Request: TWebRequest; Response: TWebResponse;
      var Handled: Boolean);
    var
      lParameters : TStringDynArray;
      orderRes : TArray<OrderHeader>;
      jsonResult : string;
      I: Integer;
      dataQuery : TDataQuery;
      authToken : string;
    begin
      lParameters := GetParameters((Sender as TWebActionItem).PathInfo, Request.PathInfo);
      //HERE I TRY TO ACCESS THE HEADER DATA
      authToken := Request.GetFieldByName('apikey');
      if Length(lParameters) >= 3 then
      begin
        Response.ContentType := 'application/json;charset=utf-8';
        // Create before the try so the finally never frees an unassigned reference
        dataQuery := TDataQuery.Create;
        try
          orderRes := dataQuery.getOrders(lParameters[0], lParameters[1], lParameters[2]);
          if Length(orderRes) > 0 then
          begin
            jsonResult := '[';
            for I := 0 to Length(orderRes) - 1 do
            begin
              if I = 0 then
                jsonResult := jsonResult + '{"key": "' + orderRes[I].orderKey
                  + '","order": "' + orderRes[I].orderID
                  + '","orderDate": "' + orderRes[I].orderDate
                  + '","orderStatus":"' + orderRes[I].orderStatus
                  + '","vendorNo": "' + orderRes[I].orderVendID
                  + '","vendorName": "' + orderRes[I].orderVendName + '"}'
              else
                jsonResult := jsonResult + ',{"key": "' + orderRes[I].orderKey
                  + '","order": "' + orderRes[I].orderID
                  + '","orderDate": "' + orderRes[I].orderDate
                  + '","orderStatus":"' + orderRes[I].orderStatus
                  + '","vendorNo": "' + orderRes[I].orderVendID
                  + '","vendorName": "' + orderRes[I].orderVendName + '"}'
            end;
            jsonResult := jsonResult + ']';
            Response.Content := jsonResult;
          end
          else
            Response.Content := '{"error":"Item not found"}';
        finally
          dataQuery.Free;
        end;
      end;
      Handled := true;
    end;

    //Here is my Test Client Call (I am doing a GET)
    procedure TForm2.btnGETClick(Sender: TObject);
    var
      JSONValue : TJSONValue;
      strResponse : string;
    begin
      RestClient1.BaseURL := edtURL.Text;
      //SETTING THE HEADER DATA TO PASS IN, I WAS NOT SURE IF THE HEADER CAME IN
      //AT THE CLIENT OR REQUEST LEVEL SO I TRIED BOTH
      RestClient1.SetHTTPHeader('apikey','1234567');
      RestClient1.Params.ParameterByName('apikey').Value := '1234568';
      RestRequest1.Params.ParameterByName('apikey').Value := '1234569';
      RestRequest1.Execute;
      try
        strResponse := RestResponse1.Content;
        memResp.Text := strResponse;
      finally
      end;
    end;
Update
I'm answering my own question after playing around with the TRESTRequest:
    procedure TForm2.btnGETPOSTClick(Sender: TObject);
    var
      JSONValue : TJSONValue;
      strResponse : string;
    begin
      RestClient1.BaseURL := edtURL.Text;
      //I found this nifty "AddAuthParameter" proc and got it working thusly
      RestRequest1.AddAuthParameter('apikey','123456789A',pkHTTPHEADER);
      RestRequest1.Execute;
      try
        strResponse := RestResponse1.Content;
        memResp.Text := strResponse;
      finally
      end;
    end;
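
The server code above reads the `apikey` header into `authToken` but never checks it. The following is an added example, not part of the original post, showing one way to reject requests without the expected key before any action item runs. It assumes the web module's `BeforeDispatch` event is wired to the handler shown; `EXPECTED_API_KEY`, `SameKey` and the handler name are hypothetical.

```delphi
// Added example: place in the implementation section of the existing
// web module unit (uses Web.HTTPApp). Names below are hypothetical.

const
  // Constructed sample value matching the client call in the post.
  // Assumption: a real deployment loads this from configuration.
  EXPECTED_API_KEY = '123456789A';

// Compare the supplied key against the expected one without returning at
// the first mismatch, so response time does not reveal how many leading
// characters of a guess were correct.
function SameKey(const Supplied, Expected: string): Boolean;
var
  I, Diff: Integer;
begin
  // A length difference already marks the comparison as failed.
  Diff := Length(Supplied) xor Length(Expected);
  for I := 1 to Length(Expected) do
    if I <= Length(Supplied) then
      Diff := Diff or (Ord(Supplied[I]) xor Ord(Expected[I]));
  Result := Diff = 0;
end;

// BeforeDispatch fires for every request before the action items are
// tried; setting Handled to True sends this response and skips them.
procedure TWebModule1.WebModuleBeforeDispatch(Sender: TObject;
  Request: TWebRequest; Response: TWebResponse; var Handled: Boolean);
begin
  // A missing header comes back as an empty string and fails the check.
  if not SameKey(Request.GetFieldByName('apikey'), EXPECTED_API_KEY) then
  begin
    Response.StatusCode := 401;
    Response.ContentType := 'application/json;charset=utf-8';
    Response.Content := '{"error":"Unauthorized"}';
    Handled := True;
  end;
end;
```

A key compiled into the client and sent over plain HTTP can be read by anyone who inspects the application or the network traffic, so this keeps casual browser requests out rather than authenticating individual users.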