Controllers in ASP.NET Core Web API

Introduction

Controllers in ASP.NET Core Web API is essential for ASP.NET Core MVC developers building ShopNest.API — Toolliyo's 100-article enterprise learning platform covering products, orders, cart, payments, dashboard, and audit logs. Whether you target campus drives at TCS, Infosys, or Wipro, or build admin portals at product companies, this lesson delivers production-grade MVC depth.

In Indian delivery projects, teams lose sprints when juniors skip controllers fundamentals — fat controllers, missing anti-forgery tokens, or domain entities leaked to Razor views. This article prevents that class of failure on Product API.

After this article you will

• Explain Controllers in plain English and in technical REST API terms
• Implement controllers in ShopNest.API (Product API)
• Compare the wrong approach vs the production-ready enterprise approach
• Answer fresher and mid-level Web API interview questions confidently
• Connect this lesson to Article 6 and the 100-article Web API roadmap

Prerequisites

• Software: .NET 8 SDK, VS 2022 or VS Code, SQL Server Express / LocalDB
• Knowledge: C# basics
• Previous: Article 4 — ASP.NET Core Web API Introduction — Complete Guide
• Time: 22 min reading + 30–45 min hands-on

Concept deep-dive

Level 1 — Analogy

Controllers are reception desks — they receive visitor requests, call the right department (service/model), and hand back the answer (view).

Level 2 — Technical

Controllers integrates with the ASP.NET Core Web API pipeline: register services in Program.cs, handle JSON requests in API controllers, return DTOs with correct HTTP status codes. On ShopNest.API this powers Product API without coupling UI to database internals.

Level 3 — Architecture

[Browser] → [HTTPS/Kestrel] → [Middleware Pipeline]
  → [Routing] → [Controller Action] → [Service Layer]
  → [EF Core / Identity] → [Razor View Engine] → [HTML Response]

Project structure

ShopNest.API/
├── Controllers/       ← HTTP request handlers
├── Models/            ← Domain entities + ViewModels
├── Views/             ← Razor .cshtml templates
├── Services/          ← Business logic (DI)
├── Data/              ← DbContext, migrations
├── Areas/Admin/       ← Admin module (Article 9+)
├── wwwroot/           ← CSS, JS, Bootstrap
└── Program.cs         ← DI + middleware pipeline

Hands-on — ShopNest.API (Product API)

Step 1 — The wrong way

// ❌ BAD — fat controller, no ViewModel, sync DB call
public IActionResult Index()
{
    return _context.Products.Find(id); // sync, exposes entity, no auth
}

Step 2 — The right way

// ✅ CORRECT — Controllers on ShopNest (Product API)
public async Task> Get(int id, CancellationToken ct)
{
    var dto = await _productService.GetDtoAsync(id, ct);
    return dto is null ? NotFound() : Ok(dto);
}

Step 3 — Apply Controllers

public class ProductsController : Controller
{
    private readonly IProductService _svc;
    public ProductsController(IProductService svc) => _svc = svc;
    public async Task<IActionResult> Index() => View(await _svc.GetAllAsync());
}

dotnet build
dotnet run --project ShopNest.API
# Verify in browser at https://localhost:5xxx

Common errors & fixes

🔴 Mistake 1: Fat controllers with EF Core queries inline
✅ Fix: Move data access to services/repositories; keep controllers thin.

🔴 Mistake 2: Returning domain entities as JSON responses
✅ Fix: Map entities to DTOs to prevent over-posting and data leaks.

🔴 Mistake 3: Returning domain entities directly as JSON from API
✅ Fix: Use DTOs and AutoMapper — prevents over-posting and hides internal fields.

🔴 Mistake 4: Hard-coding connection strings in controllers
✅ Fix: Use appsettings.json + User Secrets locally; Azure Key Vault in production.

Best practices

• 🟢 Use async/await end-to-end for database and I/O calls
• 🟢 Register DbContext as Scoped; avoid capturing it in singletons
• 🟡 Use DTOs — never return EF entities directly from API endpoints
• 🟡 Validate all input with Data Annotations or FluentValidation on DTOs
• 🔴 Log structured data with Serilog — include OrderId, UserId, not passwords
• 🔴 Use HTTPS, secure cookies, and authorization policies in production

Interview questions

Fresher level

Q1: What is Controllers in ASP.NET Core MVC?
A: Controllers is a core MVC capability used in ShopNest.API for Product API. Explain in one sentence, then describe controller/view/service placement.

Q2: How would you implement Controllers on a TCS-style delivery project?
A: Thin controllers, ViewModels, async EF Core, DI in Program.cs, Bootstrap 5 admin UI, and unit tests for services.

Q3: REST vs GraphQL vs gRPC — when to use which?
A: REST for CRUD and mobile/SPA backends; GraphQL for flexible client queries; gRPC for internal high-performance service calls.

Mid / senior level

Q4: Explain the Web API request lifecycle briefly.
A: Client → Kestrel → Middleware → Routing → API controller → Service/Repository → EF Core → DTO → JSON response.

Q5: Common production mistake with this topic?
A: Skipping validation, exposing secrets in Git, or untested edge cases (null model, unauthorized user).

Q6: .NET 8/9 vs .NET Framework for Web API?
A: Core is cross-platform, faster, cloud-ready; Framework is maintenance mode on Windows/IIS.

Coding round

Write a LINQ query: top 3 customers by total order value on ShopNest orders.

var top = await _context.Orders
    .GroupBy(o => o.CustomerId)
    .Select(g => new { CustomerId = g.Key, Total = g.Sum(o => o.GrandTotal) })
    .OrderByDescending(x => x.Total).Take(3).ToListAsync();

Summary & next steps

• Article 5: Controllers in ASP.NET Core Web API
• Module: Module 1: Web API Fundamentals · Level: BEGINNER
• Applied to ShopNest.API — Product API

Previous: ASP.NET Core Web API Introduction — Complete Guide
Next: Routing in ASP.NET Core Web API

Practice: Add one small feature using today's pattern — commit with feat(api): article-05.

FAQ