I have REST service requirements in which some calls require authentication and some don’t. Absolutely no state is used, as the calls are all independent from one another. I have put something together which seems to work, but is this the right way to go about not using sessions?

This question is kind of related to my WCF question which is answered here.

Firstly I registered the authentication method:

        Plugins.Add(new AuthFeature(() => new AuthUserSession(),
                                    new IAuthProvider[] {
                                        new CustomCredentialsAuthProvider(), //HTML Form post of UserName/Password credentials
                                    }
                        ));

I then attribute the respective calls (or service or DTO) with the Authenticate attribute:

[Authenticate]
public HelloResponse Post(Hello request)
{
    return new HelloResponse { Result = "Hello, " + request.Name  + " with POST & Auth"};
}

I inherit from the BasicAuthProvider class which does the authentication:

public class CustomCredentialsAuthProvider : BasicAuthProvider
{
    public override bool TryAuthenticate(IServiceBase authService, string userName, string password)
    {
        return userName == "dylan" && password == "abc123";
    }

    public override void OnAuthenticated(IServiceBase authService, IAuthSession session, IOAuthTokens tokens, Dictionary<string, string> authInfo)
    {
        session.IsAuthenticated = true;

        //Important: You need to save the session!
         authService.SaveSession(session, new TimeSpan(0,0,10)); 
    }
}

As you can see, I do save the session but it times out after 10 seconds. This is the part that I’m sure can potentially be done better. It seems to work nicely though.

Is there a better way of doing what I’m trying to accomplish?
Is there also any way, due to the sessionless nature of these services, to remove the Auth, AssignRoles and UnassignRoles methods?