Configuration

LS One API is configured through a JSON file named appsettings.json, located in the root folder of the API.

By default the file contains placeholder settings for the database connection and mail sending, and a very lax security model.

Database connectivity

The database settings are contained in the DatabaseConnectionSettings element of the appsettings.json file.

Configuration   Description
Server          Database server name or IP
User            User assigned as owner of the LS One database
Password        Database user password
DatabaseName    Name of the LS One database
ConnectionType  LS One database connection type, one of:

                  • SharedMemory

                  • TCP_IP

                  • NamedPipes

Email

The email settings are contained in the EmailSettings element of the appsettings.json file.

Configuration  Description
Mail server    Mail server IP or DNS name
Port           SMTP port
UserName       An existing and active user on the mail server
Password       Password of that user

Miscellaneous

Configuration            Description
ServiceBasePathOverride  A custom path to a folder containing customized LS One services that
                         should override the default ones. Useful in development, where the
                         LS One API can be configured to use LS One services from DevPack build
                         folders.
PermissionGroupName      LS One permission group used by the API. Default: API

Security

Security settings for LS One API are contained in the JwtSettings, CORS and IPRateLimiting root elements of the appsettings.json file. HTTPS is configured in the Kestrel:Endpoints element.

Authentication (JWT) token

Configuration                Description
Key                          Secret key used to sign the JWT tokens and to verify their signature
Issuer                       Issuer of the JWT token
Audience                     Audience for the JWT token
DurationInSeconds            Validity of the JWT authentication token in seconds. Default: 1200
RefreshTokenDurationInHours  Validity of the refresh token in hours. Default: 24
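
As an added example (not code from the LS One API or its documentation), the following Python script shows what these four settings govern: it issues an HS256 token whose issuer, audience and expiry come from a constructed JwtSettings dictionary, then validates it the way an API should, pinning the algorithm, comparing the signature in constant time and rejecting expired or mis-addressed tokens. The key, issuer and audience values are made up, and the hand-rolled encoding only keeps the script dependency-free; a real service would use its JWT library for the same checks.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed settings shaped like the JwtSettings element; every value here is made up.
JWT_SETTINGS = {
    "Key": "constructed-example-signing-key-0123456789abcdef",  # placeholder, 48 bytes
    "Issuer": "LSOneAPI",
    "Audience": "LSOneClients",
    "DurationInSeconds": 1200,
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign(key: str, signing_input: str) -> bytes:
    return hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()


def issue_token(settings: dict, subject: str, now: Optional[int] = None) -> str:
    """Create an HS256 JWT whose iss, aud and exp claims come from the settings."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": subject,
        "iss": settings["Issuer"],
        "aud": settings["Audience"],
        "iat": now,
        "exp": now + settings["DurationInSeconds"],  # DurationInSeconds bounds the lifetime
    }
    signing_input = compact_json(header) + "." + compact_json(payload)
    return signing_input + "." + b64url_encode(sign(settings["Key"], signing_input))


def validate_token(settings: dict, token: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Check signature, issuer, audience and expiry; returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed"
    # Pin the algorithm: the server decides how tokens are signed, never the token itself.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = sign(settings["Key"], header_b64 + "." + payload_b64)
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if payload.get("iss") != settings["Issuer"]:
        return False, "wrong issuer"
    if payload.get("aud") != settings["Audience"]:
        return False, "wrong audience"
    if now >= payload.get("exp", 0):
        return False, "expired"
    return True, "ok"


def key_is_strong_enough(settings: dict) -> bool:
    """HS256 needs at least 256 bits (32 bytes) of key material (RFC 7518, section 3.2)."""
    return len(settings["Key"].encode()) >= 32
```

The key_is_strong_enough check is the one to run against a deployed appsettings.json: a short or guessable Key lets anyone mint tokens the API will accept, regardless of how short DurationInSeconds is.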

CORS and API rate limiting

The CORS and rate-limiting settings are contained in several elements of the appsettings.{environment}.json files:

  • AllowAllCrossOrigins

  • CORS

  • IpRateLimiting

Configuration Description
AllowAllCrossOrigins

Used for development purposes to allow access from all domains/origins, HTTP methods and request headers.
CORS:AllowedOrigins

Used to restrict cross-origin access to a specific set of domains. Adding a domain to this setting allows access from that domain to the LS One API.

Example: "AllowedOrigins": [ "http://localhost:4200", "http://localhost:8080" ]

CORS:AllowedMethods

Used to specify which HTTP methods may be called cross-origin (GET, POST, PUT, DELETE).

Before making such a request, the browser sends an OPTIONS (preflight) request to the server to check whether the server actually allows that request from the client.

Example: "AllowedMethods": [ "GET", "POST", "PUT", "DELETE", "OPTIONS" ]

CORS:AllowedHeaders

Used to restrict which request headers may be sent cross-origin (for example X-Request-Token, Accept, Content-Type, Authorization); add the allowed headers to this list.

Example: "AllowedHeaders": [ "X-Request-Token", "Accept", "Content-Type", "Authorization" ]
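
As an added example (not code from the LS One API or the ASP.NET Core CORS middleware), the following Python script evaluates a browser preflight against a constructed copy of the three CORS lists and the AllowAllCrossOrigins switch, returning the Access-Control-* headers the server would answer with, and adds a small review check for the settings that are fine in development but must not reach production. The origin, method and header values are the ones from the examples above; the behaviour with AllowAllCrossOrigins is modelled on the description in the table, not on the real middleware.

```python
from typing import Dict, List

# Constructed settings shaped like the AllowAllCrossOrigins and CORS elements; values are taken
# from the examples above but the dictionary itself is made up for this script.
STRICT_CORS = {
    "AllowAllCrossOrigins": False,
    "CORS": {
        "AllowedOrigins": ["http://localhost:4200", "http://localhost:8080"],
        "AllowedMethods": ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
        "AllowedHeaders": ["X-Request-Token", "Accept", "Content-Type", "Authorization"],
    },
}


def preflight(settings: dict, origin: str, method: str, request_headers: List[str]) -> Dict[str, str]:
    """Evaluate a browser preflight (OPTIONS) request against the settings.

    Returns the Access-Control-* headers the server would answer with; an empty
    dict means no CORS headers, so the browser blocks the cross-origin call.
    """
    if settings.get("AllowAllCrossOrigins"):
        # Development switch: every origin, method and header is accepted as-is.
        return {
            "Access-Control-Allow-Origin": "*",
            "Access-Control-Allow-Methods": method.upper(),
            "Access-Control-Allow-Headers": ", ".join(request_headers),
        }
    cors = settings["CORS"]
    if origin not in cors["AllowedOrigins"]:
        return {}
    if method.upper() not in {m.upper() for m in cors["AllowedMethods"]}:
        return {}
    allowed_headers = {h.lower() for h in cors["AllowedHeaders"]}  # header names are case-insensitive
    if any(h.lower() not in allowed_headers for h in request_headers):
        return {}
    return {
        # Echo the matched origin rather than "*", and tell caches the answer depends on it.
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",
        "Access-Control-Allow-Methods": ", ".join(cors["AllowedMethods"]),
        "Access-Control-Allow-Headers": ", ".join(cors["AllowedHeaders"]),
    }


def cors_findings(settings: dict) -> List[str]:
    """Flag settings that are acceptable for development but should not reach production."""
    findings = []
    if settings.get("AllowAllCrossOrigins"):
        findings.append("AllowAllCrossOrigins is true: every origin, method and header is accepted")
    origins = settings.get("CORS", {}).get("AllowedOrigins", [])
    if "*" in origins:
        findings.append("CORS:AllowedOrigins contains '*'")
    if "null" in origins:
        findings.append("CORS:AllowedOrigins contains 'null', which sandboxed and file:// pages present")
    return findings
```

Running cors_findings over each appsettings.{environment}.json is a cheap pre-deployment gate: the production file should produce no findings.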

IpRateLimiting

To prevent the API endpoints from being abused, it is possible to enforce a rate limit on the number of requests that a client can make over a time period.

The project's rate limit is set to be 2 requests per second. You can change the rate limit based on the software requirements accordingly.

IpRateLimiting:EnableEndpointRateLimiting

When true, IP rate limits are applied per endpoint rather than as one global limit.

IpRateLimiting:StackBlockedRequests

Set to false so that rejected API calls are not added to the call count.

IpRateLimiting:RealIPHeader

The RealIPHeader is used to extract the client IP when your Kestrel server is behind a reverse proxy. If your proxy uses a header other than "X-Real-IP", use this option to specify it.

IpRateLimiting:ClientIdHeader

The ClientIdHeader is used to extract the client id for whitelisting. If a client id is present in this header and matches a value specified in "ClientWhitelist", then no rate limits are applied.

Client whitelist example: "ClientWhitelist": [ "dev-id-1", "dev-id-2" ]

IpRateLimiting:HttpStatusCode

If the request gets blocked, the client receives a text response like this:

    Status Code: 429
    Retry-After: 58
    Content: API calls quota exceeded! maximum admitted 2 per 1m.

You can change the status code of that response with the HttpStatusCode option.

IpRateLimiting:GeneralRules:Endpoint

A rule is composed of an endpoint, a period and a limit.

Endpoint format is {HTTP_Verb}:{PATH}; you can target any HTTP verb by using the asterisk symbol.

Example: "*:/api/*"

This matches any HTTP verb ("*:") and all URLs that start with "/api/" and end with anything ("*").

IpRateLimiting:GeneralRules:Period

The period of time in which the endpoint calls are counted.

Example: "1s"

IpRateLimiting:GeneralRules:Limit

The number of calls that can be made to the endpoint within the defined period.

Example: 2

Additional information about CORS and how to set it up is available in the official ASP.NET Core documentation.
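
As an added example (not code from the LS One API or the rate-limiting middleware it uses), the following Python script implements the IpRateLimiting semantics described above over a constructed settings dictionary: rules in {HTTP_Verb}:{PATH} form with asterisk wildcards, periods such as "1s", the per-endpoint counter switch, the RealIPHeader lookup for clients behind a reverse proxy, the ClientWhitelist bypass, StackBlockedRequests, and a 429 with Retry-After when the limit is hit. The rule values are the ones quoted in the table; the header names, client ids and the sliding-window arithmetic are my own choices and may differ from the real middleware, which is why the response body is not reproduced.

```python
import fnmatch
import math
import re
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple

# Constructed settings shaped like the IpRateLimiting element. The rule values are the
# ones quoted above; the header names and client ids are made up for this script.
RATE_LIMIT_SETTINGS = {
    "EnableEndpointRateLimiting": True,
    "StackBlockedRequests": False,
    "RealIPHeader": "X-Real-IP",
    "ClientIdHeader": "X-ClientId",
    "HttpStatusCode": 429,
    "ClientWhitelist": ["dev-id-1", "dev-id-2"],
    "GeneralRules": [
        {"Endpoint": "*:/api/*", "Period": "1s", "Limit": 2},
    ],
}

PERIOD_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_period(period: str) -> int:
    """Convert a period such as "1s", "5m" or "1h" into seconds."""
    m = re.fullmatch(r"(\d+)([smhd])", period)
    if not m:
        raise ValueError(f"unsupported period: {period!r}")
    return int(m.group(1)) * PERIOD_UNITS[m.group(2)]


def rule_matches(rule_endpoint: str, verb: str, path: str) -> bool:
    """Endpoint format is {HTTP_Verb}:{PATH}; '*' stands for any verb or any path suffix."""
    rule_verb, rule_path = rule_endpoint.split(":", 1)
    verb_ok = rule_verb == "*" or rule_verb.upper() == verb.upper()
    return verb_ok and fnmatch.fnmatchcase(path, rule_path)


class RateLimiter:
    """Sliding-window limiter keyed by client IP (and by endpoint rule when enabled)."""

    def __init__(self, settings: dict):
        self.s = settings
        self.rules = [(r["Endpoint"], parse_period(r["Period"]), r["Limit"])
                      for r in settings["GeneralRules"]]
        self.hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def client_ip(self, headers: Dict[str, str], remote_addr: str) -> str:
        # Behind a reverse proxy the socket address is the proxy; RealIPHeader carries the client.
        return headers.get(self.s["RealIPHeader"], remote_addr)

    def check(self, verb: str, path: str, headers: Dict[str, str],
              remote_addr: str, now: float) -> Tuple[int, Dict[str, str]]:
        """Return (status, extra response headers); 200 means the call may proceed."""
        if headers.get(self.s["ClientIdHeader"]) in self.s["ClientWhitelist"]:
            return 200, {}  # whitelisted client id: no limits applied
        ip = self.client_ip(headers, remote_addr)
        for endpoint, period, limit in self.rules:
            if not rule_matches(endpoint, verb, path):
                continue
            # Per-endpoint counters when EnableEndpointRateLimiting is true, otherwise one per IP.
            key = (ip, endpoint if self.s["EnableEndpointRateLimiting"] else "*")
            window = self.hits[key]
            while window and window[0] <= now - period:
                window.popleft()  # drop hits that have left the window
            if len(window) >= limit:
                retry_after = max(1, math.ceil(period - (now - window[0])))
                if self.s["StackBlockedRequests"]:
                    window.append(now)  # blocked calls count too when stacking is on
                return self.s["HttpStatusCode"], {"Retry-After": str(retry_after)}
            window.append(now)
        return 200, {}
```

Two points worth checking in a real deployment follow directly from the code: RealIPHeader must only be trusted when the proxy overwrites it (otherwise a client can pick its own counter by sending the header), and ClientWhitelist ids are bearer secrets, so they should not be the dev-id style values used here.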


Logging

LS One API uses the default logging mechanism from .NET 5.0 with Serilog as the log provider.

LogLevel indicates the severity of a log entry and has six levels plus None, which disables logging:

  • Trace = 0

  • Debug = 1

  • Information = 2

  • Warning = 3

  • Error = 4

  • Critical = 5

  • None = 6

If no log level is specified, the default is Information.


"Logging": {
  "LogLevel": {
    "Default": "Information",
    "Microsoft": "Warning",
    "Microsoft.Hosting.Lifetime": "Information"
  }
},
"Serilog": {
  "MinimumLevel": {
    "Default": "Information",
    "Override": {
      "Microsoft": "Warning",
      "System": "Warning"
    }
  },...
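
As an added example (not code from the LS One API or .NET), the following Python script shows how the Logging:LogLevel fragment above decides which entries are written: the most specific (longest) category prefix wins, otherwise Default applies, and an entry is kept when its level is at or above that minimum. The sample log records are constructed for this script; the category names under Microsoft are real .NET categories, the LSOne.Api ones are assumptions.

```python
from typing import Dict, List, Tuple

# LogLevel values as listed above; higher is more severe and None switches logging off.
LOG_LEVELS = {"Trace": 0, "Debug": 1, "Information": 2, "Warning": 3,
              "Error": 4, "Critical": 5, "None": 6}

# Constructed copy of the Logging:LogLevel element shown above.
LOG_LEVEL_SETTINGS = {
    "Default": "Information",
    "Microsoft": "Warning",
    "Microsoft.Hosting.Lifetime": "Information",
}

# Constructed sample records as (category, level, message); the LSOne.Api category is assumed.
SAMPLE_RECORDS = [
    ("Microsoft.AspNetCore.Hosting.Diagnostics", "Information", "Request starting GET /api/items"),
    ("Microsoft.Hosting.Lifetime", "Information", "Now listening on: https://localhost:5001"),
    ("Microsoft.EntityFrameworkCore.Database.Command", "Warning", "Slow query detected"),
    ("LSOne.Api.Security", "Debug", "Token validated for subject alice"),
    ("LSOne.Api.Security", "Warning", "Token rejected: expired"),
]


def effective_level(settings: Dict[str, str], category: str) -> str:
    """Minimum level for a category: the longest matching prefix wins, else Default."""
    best = ""
    for prefix in settings:
        if prefix == "Default":
            continue
        # Category matching is a case-insensitive prefix test, as in .NET's logging filters.
        if category.lower().startswith(prefix.lower()) and len(prefix) > len(best):
            best = prefix
    return settings[best] if best else settings.get("Default", "Information")


def is_logged(settings: Dict[str, str], category: str, level: str) -> bool:
    """An entry is written when its level is at or above the category's minimum."""
    return LOG_LEVELS[level] >= LOG_LEVELS[effective_level(settings, category)]


def filter_records(settings: Dict[str, str], records) -> List[Tuple[str, str, str]]:
    return [r for r in records if is_logged(settings, r[0], r[1])]
```

Running filter_records with the production settings over a few representative records is a quick way to confirm that the security-relevant entries (rejected tokens, rate-limit hits) survive the filter while the noisy Microsoft.* chatter does not.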