How to use a MVC WebAPI OData endpoint securely?

别跟我提以往 2020-12-22 03:50

I have an OData endpoint defined at ~/odata/, which doesn't need to be accessed unless a user has been authenticated (in fact, how would you secure this for no

2 answers
  •  萌比男神i
    2020-12-22 04:26

    So the major hurdle to get past is thinking that all WebAPI requests (using the OData syntax) are stateless. Of course, in a stateless environment this makes this more difficult.

    However, with the WebAPI endpoint secured through web.config requiring an authenticated (stateful) request, we should be able to grab the UserName (or UserID or any other custom property when using a custom membership provider), by something like var userId = ((CustomIdentity)HttpContext.Current.User.Identity).UserId.

    Once this is established, we will need to add something like "WHERE UserID = userId;" before the request is issued:

            // The per-user filter is applied to the repository's IQueryable before the client's
            // OData query options are layered on, so $filter/$orderby can only narrow that set.
            var unitOfWork = new Repository.UnitOfWork(_db);

            var users = options.ApplyTo(unitOfWork.Repository<User>().Queryable
                .Include(w => w.NavigationProperty1)
                .Where(u => u.UserId == UserContext.Identity.UserId)
                .OrderBy(o => o.SomeProperty))
                .Cast<User>().ToList();   // type argument restored: a bare Cast() does not compile.
                                          // Note: if the client sends $select, ApplyTo yields wrapper
                                          // objects and this cast throws; return the IQueryable instead.
    

    Additional suggestions welcome.
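The pattern described above, written out as a complete Web API OData controller. This is an added example, not code from the answer or from any library; `Order`, `OwnerId`, `OrdersController` and the `AppDbContext` EF context are assumed names, and the user id is read from the request's claims principal rather than the answer's `CustomIdentity`. It also validates the client's query options before applying them, which the answer does not cover.

```csharp
using System.Linq;
using System.Net;
using System.Security.Claims;
using System.Web.Http;
using System.Web.OData;
using System.Web.OData.Query;

// Illustrative entity: every row carries the id of the user who owns it.
public class Order
{
    public int Id { get; set; }
    public string OwnerId { get; set; }
    public decimal Total { get; set; }
}

[Authorize]   // unauthenticated requests are rejected before any query is built
public class OrdersController : ODataController
{
    // Hypothetical EF context exposing DbSet<Order> Orders.
    private readonly AppDbContext _db = new AppDbContext();

    // Client query options are only honoured within these limits, so a caller cannot
    // pull the whole table with a huge $top or reach other tables via $expand.
    private static readonly ODataValidationSettings Validation = new ODataValidationSettings
    {
        MaxTop = 100,
        AllowedQueryOptions = AllowedQueryOptions.Filter | AllowedQueryOptions.OrderBy
                            | AllowedQueryOptions.Top | AllowedQueryOptions.Skip
                            | AllowedQueryOptions.Select | AllowedQueryOptions.Count
    };

    // Deliberately no [EnableQuery]: the options are applied by hand, after the ownership filter.
    public IQueryable Get(ODataQueryOptions<Order> options)
    {
        options.Validate(Validation);   // throws ODataException on a disallowed option

        // Identity comes from the authenticated principal, never from the query string.
        var userId = (User as ClaimsPrincipal)?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(userId))
            throw new HttpResponseException(HttpStatusCode.Unauthorized);

        // Scope the queryable to the caller first; the client's $filter can only narrow it further.
        IQueryable<Order> scoped = _db.Orders.Where(o => o.OwnerId == userId);
        return options.ApplyTo(scoped);
    }
}
```

Returning the `IQueryable` rather than casting lets the OData formatter serialize the result even when `$select` produces wrapper objects instead of `Order` instances.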
