Developer forum

Forum » Development » 500 server error with a custom api

500 server error with a custom api

E-mail notifications
Fabio Monte
Reply
Posted on 24/10/2024 22:32:29

Hello

I'm encountering a 500 server error when setting up a custom api. The goal is to gather custom user info from a quiz and save it into a custom table we created but I may be missing a piece of the puzzle in the setup.

For this an api was registered:

namespace Quiz.App_Start
{
  public class QuizRegistration : APIRegistrationBase
  {
    protected override List<string> ControllerVersions => new List<string>()
    {
      nameof(QuizResultsController)
    };

    protected override string CurrentControllerVersion => nameof(QuizResultsController);

    protected override string ControllerName => "Quiz";
  }
}

The QuizResultsModel.cs:

namespace Quiz.Model
{
  public class QuizResultsModel
  {
    public int UserId { get; set; }
    public int Score { get; set; }
    public int SuccessCount { get; set; }
    public int FailCount { get; set; }
    public DateTime DateAttempted { get; set; }
    public TimeSpan TimeTaken { get; set; }
  }
}

QuizService.cs:

namespace Quiz.Service
{
  public class QuizService
  {
    public static ResponseStatus SaveQuizResult(QuizResultsModel quizResult)
    {
      ResponseStatus responseStatus = new ResponseStatus();
      string sql = @"INSERT INTO QuizResults (UserId, SuccessCount, FailCount, Score, DateAttempted, TimeTaken)
        VALUES (@UserId, @SuccessCount, @FailCount, @Score, @DateAttempted, @TimeTaken);
        SELECT SCOPE_IDENTITY();";

      try
      {
        using (var connection = new SqlConnection(Database.CreateConnection().ConnectionString))
        using (var command = new SqlCommand(sql, connection))
        {
          command.Parameters.AddWithValue("@UserId", quizResult.UserId);
          command.Parameters.AddWithValue("@SuccessCount", quizResult.SuccessCount);
          command.Parameters.AddWithValue("@FailCount", quizResult.FailCount);
          command.Parameters.AddWithValue("@Score", quizResult.Score);
          command.Parameters.AddWithValue("@DateAttempted", quizResult.DateAttempted);
          command.Parameters.AddWithValue("@TimeTaken", quizResult.TimeTaken);

          connection.Open();
          var quizResults = command.ExecuteScalar();
          responseStatus.HttpStatusCode = HttpStatusCode.OK;
          responseStatus.HttpStatusMessage = "Quiz result saved successfully " + quizResults;
        }
      }
      catch (Exception ex)
      {
        responseStatus.HttpStatusCode = HttpStatusCode.InternalServerError;
        responseStatus.HttpStatusMessage = ex.Message;
      }

      return responseStatus;
    }
  }
}

QuizResultsController.cs:

namespace Quiz.Controllers
{
  [RoutePrefix("someapi/Quiz")]
  public class QuizResultsController : ApiController
  {
    [HttpPost]
    [Route("SaveQuizResults")]
    public IHttpActionResult SaveQuizResults(QuizResultsModel quizResult)
    {
      var result = QuizService.SaveQuizResult(quizResult);
      return Ok(result);
    }
  }
}

The client side code that makes the request to the api:

function saveQuizMetricsData(){
fetch('/dwapi/Quiz/SaveQuizResults', {
    method: 'POST',
    body: JSON.stringify({
        QuizId: 1,
        UserId: 2,
        SuccessCount: 1,
        FailCount: 0,
        Score: 75,
        DateAttempted: '10/23/2024',
        TimeTaken: '01:22'
    }),
    headers: {
        'Content-Type': 'application/json'
    },
})
.then(response =>  response.json())
    .then((data) => {
        console.log(data)
    })
.catch(error => {
    console.log(error)
})
.finally(() => {
    console.log('data saved into database')
});

 It's the fetch resource that is causing the 500 server error, so the api may not be properly registered or I haven't set up this correctly and would like to get more insights on how to do it.


Replies

 
Nicolai Pedersen Dynamicweb Employee
Nicolai Pedersen
Posted on 25/10/2024 00:47:45
Reply

And what is the error?

 
Fabio Monte
Posted on 25/10/2024 17:04:22
Reply

It's returning "Failed to load resource: the server responded with a status of 500 ()  There is a problem with the resource you are looking for..." https://localhost/dwapi/Quiz/SaveQuizResults)

I've looked into the logs or the event viewer but there weren't anything related to what is causing the issue, but pointing to an issue with the resource may seem like it isn't properly set up?

 
Imar Spaanjaars Dynamicweb Employee
Imar Spaanjaars
Posted on 27/10/2024 15:54:02
Reply

If it's a 500 error, I think that means that the controller works and is throwing an error. Did you try debugging the action method and see what QuizService.SaveQuizResult does?

 
Nicolai Pedersen Dynamicweb Employee
Nicolai Pedersen
Posted on 28/10/2024 11:20:51
Reply

I noticed you have placed a custom controller under /dwapi route - that is not advised. Place it under /customapi or something specific your project. 

 
Fabio Monte
Posted on 19/11/2024 20:32:51
Reply

Sorry for the late reply, just got back into this.

So the "connection" variable in the service was returning a string without the password "User Id=username;Initial Catalog=dbname;Server=myserver;Min Pool Size = 5; Max Pool Size=200;" and the SSMS logs were registering a failed login for my user. Isn't this coming from what's stored in the Database > Setup > Settings?

Initially parameterized queries were implemented to prevent Sql injection but we changed it to hardcoded queries but I'm not so sure this should be kept or not in case DW handles it.

Here's the current code, which is working fine and saving to the database:
 

public static ResponseStatus SaveQuizResult(QuizResults quizResult)
{
    ResponseStatus responseStatus = new ResponseStatus();
    string sql = $@"INSERT INTO QuizResults (UserId, Score, SuccessCount, FailCount, TimeTaken, CourseId)
               VALUES ('{quizResult.UserId}', '{quizResult.Score}', '{quizResult.SuccessCount}', '{quizResult.FailCount}', '{quizResult.TimeTaken}', '{quizResult.CourseId}')";

    try
    {
        Database.ExecuteScalar(sql);
        responseStatus.HttpStatusCode = HttpStatusCode.OK;
        responseStatus.HttpStatusMessage = "Quiz result saved successfully ";
    }
    catch (Exception ex)
    {
        responseStatus.HttpStatusCode = HttpStatusCode.InternalServerError;
        responseStatus.HttpStatusMessage = ex.Message;
    }

    return responseStatus;
}
 
Imar Spaanjaars Dynamicweb Employee
Imar Spaanjaars
Posted on 20/11/2024 13:46:38
Reply

I think ExecuteScalar goes against the database directly, so this code may be open to SQL Injection attacks. You can use an overload that accepts a CommandBuildder and then use CommandBuilder.Create.

Imar

 

 
Fabio Monte
Posted on 26/11/2024 18:59:10
Reply

Thanks Imar.

I did kept the SqlCommand although getting the connectionString directly from the Database class instead of using the CreateConnection and it is working with param queries:
 

public static ResponseStatus SaveQuizResult(QuizResults quizResult)
{
    ResponseStatus responseStatus = new ResponseStatus();

    string sql = @"INSERT INTO QuizResults (UserId, Score, SuccessCount, FailCount, TimeTaken, CourseId)
           VALUES (@UserId, @Score, @SuccessCount, @FailCount, @TimeTaken, @CourseId)";

    try
    {
        using (var connection = new SqlConnection(Database.ConnectionString))
        {
            connection.Open();

            using (var command = new SqlCommand(sql, connection))
            {
                command.Parameters.Add("@UserId", SqlDbType.Int).Value = quizResult.UserId;
                command.Parameters.Add("@Score", SqlDbType.Decimal).Value = quizResult.Score;
                command.Parameters.Add("@SuccessCount", SqlDbType.Int).Value = quizResult.SuccessCount;
                command.Parameters.Add("@FailCount", SqlDbType.Int).Value = quizResult.FailCount;
                command.Parameters.Add("@TimeTaken", SqlDbType.Time).Value = quizResult.TimeTaken;
                command.Parameters.Add("@CourseId", SqlDbType.NVarChar, 255).Value = quizResult.CourseId;

                command.ExecuteNonQuery();
            }
        }

        responseStatus.HttpStatusCode = HttpStatusCode.OK;
        responseStatus.HttpStatusMessage = "Quiz result saved successfully.";
    }
    catch (Exception ex)
    {
        responseStatus.HttpStatusCode = HttpStatusCode.InternalServerError;
        responseStatus.HttpStatusMessage = ex.Message;
    }

    return responseStatus;
}
 
Imar Spaanjaars Dynamicweb Employee
Imar Spaanjaars
Posted on 28/11/2024 09:35:22
Reply

That loos good, except for this:

        responseStatus.HttpStatusMessage = ex.Message;
That leaks error info to the client which can be used by attackers. Instead you should log the true error and return a generic error message without details to the calling client.
 
Fabio Monte
Posted on 28/11/2024 16:24:55
Reply

Sure, that makes sense. I used the LogEventManager in other methods but didn't set it up in this one.

LogEventManager.Current.LogError(LogCategory.Application, ex);
 
Imar Spaanjaars Dynamicweb Employee
Imar Spaanjaars
Posted on 02/12/2024 15:06:24
Reply

So what are you returning to the calling client now?

 

You must be logged in to post in the forum