Site API Http-functions with User Authentication

I am wanting to expose an API function to interface with my .NET app that will allow users to request data based on whether their credentials are correct. I wanted to authenticate a user by checking their user and password in the GET request before allowing anything to be sent back.

My original thought was to store username and password (encrypted) combinations in a separate data collection that I can access with wix-data, but I can’t imagine this would even be considered a safe way of doing so regardless of the encryption. I’d like to stay away from storing passwords elsewhere if possible.

I’m thinking now that I could use the wix-users-backend login function and depending on if it is successful return said data. The only issue with this is I’m not sure if the function would return an error if the user is already logged in.

I can’t just use a hardcoded token to authenticate all users since the data sent back will be user specific and nobody should be able to access it unless they are logged in anyway.

I’m wanting to get some opinions on this before I go ahead programming it just in case there are better ways. Should I be using wix-users-backend or is there something better I can use? Thanks.

Maybe this one can help (?):

https://www.wix.com/corvid/reference/wix-users-backend/login

Yeah I took a look at that, I think the main thing I’m concerned about is if the catch error block will run if a user is already logged in. Would this be a viable option of testing usernames and passwords despite their login status?

@jacobhothersall I guess it’ll be OK because it’ll create a new session, but I’m not sure. If you test it, please let us know.

@jonatandor35 Ok I’ll post back here when I get the time to put this in place. Thanks again.

Okay, just tested it and it all seems to be working great. No matter how much I spam the request it doesn’t seem to be causing any issues. Brilliant!
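
The approach discussed in this thread (check the caller's credentials with `login`, then return only that user's data), as an added example that is not part of the original posts and is not Wix's code. It takes the credentials from an `Authorization: Basic` header instead of the GET query string, because URLs are commonly written to logs. `makeHandler`, `loadDataFor`, the plain `{status, body}` responses and the fake login are assumptions made so the sketch runs outside Wix; in a Velo backend, `login` would be the `wix-users-backend` function linked above.

```javascript
// Added example: stand-alone sketch, not code from the thread or from Wix.

// Parse "Authorization: Basic base64(email:password)"; null if malformed.
function parseBasicAuth(header) {
  if (typeof header !== 'string') return null;
  const m = /^Basic ([A-Za-z0-9+/]+={0,2})$/.exec(header.trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':');            // the password may itself contain ':'
  if (i <= 0 || i === decoded.length - 1) return null;
  return { email: decoded.slice(0, i), password: decoded.slice(i + 1) };
}

// `login` and `loadDataFor` are injected (hypothetical names). `login` is assumed
// to return a promise that rejects when the credentials are wrong.
function makeHandler({ login, loadDataFor }) {
  return async function handle(request) {
    const creds = parseBasicAuth(request.headers && request.headers.authorization);
    if (!creds) return { status: 401, body: { error: 'unauthorized' } };
    try {
      await login(creds.email, creds.password);
    } catch (_) {
      // Same answer for unknown user and wrong password: no account enumeration.
      return { status: 401, body: { error: 'unauthorized' } };
    }
    // Data is keyed by the identity that just authenticated, never by a
    // separate client-supplied user id parameter.
    return { status: 200, body: await loadDataFor(creds.email) };
  };
}

// Constructed stand-ins so the block runs offline.
const fakeUsers = { 'alice@example.com': 'correct horse' };
const fakeLogin = async (email, password) => {
  if (fakeUsers[email] !== password) throw new Error('bad credentials');
  return 'constructed-session-token';
};
const demoHandler = makeHandler({
  login: fakeLogin,
  loadDataFor: async (email) => ({ owner: email, items: [] }),
});
// Helper that builds the header value a client would send.
const basic = (e, p) => 'Basic ' + Buffer.from(`${e}:${p}`).toString('base64');
```

Because every request triggers a login attempt, repeated requests with wrong passwords are worth rate limiting per account and per source address.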