Only allow access of api through Api gateway and prevent accessing laravel api routes directly - laravel

I have a Laravel API app where we can access the API via http://mydomain/api/v1/categories. I have also implemented the Kong API gateway to access those APIs. How do I restrict access to the API through the Laravel API routes and allow it only through the Kong API gateway?
For example, accessing http://mydomain/api/v1/categories, which is the Laravel route, should return 404, but http://kongdomain/service1/v1/categories should return the response.
This will prevent access to API endpoints which I cannot track, and everything will pass through the Kong API gateway.

Add a required parameter accessKey=examplekey to your API request, and then you can access your Laravel API with this examplekey.
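As an added illustration of the shared-key approach in the answer above (example code, not the answerer's own), here is a Laravel middleware that returns 404 unless the request carries a key that only the gateway knows. The header name X-Gateway-Key, the config entry services.gateway.key and the environment variable GATEWAY_ACCESS_KEY are assumptions chosen for this example. It reads the key from a request header that the gateway injects rather than from the query string, so the secret does not end up in access logs, referrers or browser history, and it compares with hash_equals to avoid a timing side channel.

```php
<?php
// app/Http/Middleware/RequireGatewayKey.php (added example; names are assumptions)

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class RequireGatewayKey
{
    /**
     * Reject any request that did not arrive through the gateway.
     *
     * The gateway is expected to add an X-Gateway-Key header holding the
     * shared secret; a direct call to the Laravel route will not have it
     * and gets the same 404 the question asks for.
     */
    public function handle(Request $request, Closure $next)
    {
        // Secret comes from config/services.php:
        //   'gateway' => ['key' => env('GATEWAY_ACCESS_KEY')],
        // and .env:
        //   GATEWAY_ACCESS_KEY=<long random value, assumed>
        $expected = (string) config('services.gateway.key', '');
        $provided = (string) $request->header('X-Gateway-Key', '');

        // Fail closed if no key is configured, and use a constant-time
        // comparison so response timing does not leak key bytes.
        if ($expected === '' || !hash_equals($expected, $provided)) {
            abort(404);
        }

        return $next($request);
    }
}

// app/Http/Kernel.php: apply it to every route in the api group, e.g.
//
// protected $middlewareGroups = [
//     'api' => [
//         \App\Http\Middleware\RequireGatewayKey::class,
//         'throttle:60,1',
//         'bindings',
//     ],
// ];
```

On the Kong side the header can be added to upstream requests with the request-transformer plugin (its add.headers setting), so clients never see the key. The key proves only that a request passed through a gateway holding it; restricting the Laravel host at the network or firewall level so that only the gateway's address can reach it is the stronger control, and the two combine well.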

Related

Secure laravel api

I have implemented an API with Laravel.
I use Passport for authentication.
I need to allow only my APK to request this API.
Can anyone help me with an idea?
I use HTTPS, but is there any other secure method?
You need to create a Passport client. Any other requests to your API, other than from the approved client, will be rejected by the API.
You can find information on setting up a client at this link.

Can an AWS Lambda web API authenticate by middleware if you send a JWT token in the header?

I have a .NET Core 3.1 web API authenticated by JWT in the middleware pipeline. Works fine. I converted the web API to a Lambda web API by adding an AWS Lambda entry class and published it into AWS with an API Gateway in front.
All the endpoints without the Authorization attribute worked fine.
All the endpoints with the Authorization attribute get 401.
All requests have a JWT Authorization Bearer token header.
One endpoint without the Authorization attribute responds with all the headers converted to a string. From that I can see the request's JWT is getting through to the endpoint.
1. Why is the endpoint giving me 401 even though there is a token?
2. Does AWS Lambda or the API Gateway not pass the header directly?
3. Do I need to configure the API Gateway to send the header to the Lambda endpoint?
4. Can Lambda authenticate by pipeline like a normal web API?
Another solution was to use an authorization Lambda with the API Gateway.
If I use an authorization Lambda, does that mean my endpoint won't need the Authorization attributes any more because it is done in the gateway?
The JWT is generated and authenticated by Firebase.
It works. I finally figured out the reason. It's so awesome that you can have a web API as a Lambda in AWS. I can now spend less money in AWS.

Question about Cloudfront access API Gateway

My frontend code is deployed in CloudFront and tries to access Lambda through API Gateway. However, the API Gateway is authenticated with AWS_IAM, which means it seems that the frontend cannot access it directly. So I wonder if there are any methods I can use to access API Gateway, for example using Cognito to act as an authorizer, or something else?
I have used this AWS blog, which shows how to use API keys between an Amazon CloudFront distribution and API Gateway to secure access to your API in API Gateway, in addition to your preferred authorization (AuthZ) mechanism already set up in API Gateway.

Disable a Route with Kong API Gateway

We have a service pointing to the backend in the Kong API Gateway, and each service has multiple routes associated with it.
I would like to disable/enable individual routes in production. Looking at the Admin API documentation, the 'Update Route' API does not have any property to disable/enable the route.
Received an answer on konghq:
https://discuss.konghq.com/t/disable-a-route-with-kong-api-gateway/3735/2

Authorization Policies/Gates for Laravel 5.3 web app consuming own API w/ Passport

Using Laravel 5.3, I've set up a web app that consumes its own API. Authentication is successfully handled by Passport. The web app uses the auth middleware in routes and model Policies for authorization. API routing uses the default 'auth:api' token guard to control access.
I would like to use the same Policies in app/Policies for API authorization as well as the web auth, but I don't understand how. Calls such as $this->authorize('view', $model) do not work. I guess I need to pass the user from Auth::guard('api')->user() to the Policies somehow?
Any help would be appreciated!
Update: Got it working.
It seems that even for the API calls, Laravel was still using the user from the web guard to check against policies. This user is undefined for API calls. So I needed to tell Laravel that all API calls should use the api guard.
Create a new middleware with Auth::shouldUse('api'); in the handle function.
Assign the middleware to the api section in the kernel.
Laravel will now use the api guard for all API requests. Calls like $this->authorize('view', $model) will work in both web and api.
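The three steps of the self-answer above, written out as an added example (not the poster's own code). The middleware class name UseApiGuard, the CategoryPolicy and the CategoryController are assumptions for illustration; the Laravel calls themselves (Auth::shouldUse, $this->authorize, the api middleware group) are the ones the answer names.

```php
<?php
// app/Http/Middleware/UseApiGuard.php (added example; class name is an assumption)

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class UseApiGuard
{
    /**
     * Make the 'api' guard the default for this request, so that
     * Auth::user(), Gate and $this->authorize() all resolve the user
     * from the API token instead of the (empty) web session.
     */
    public function handle(Request $request, Closure $next)
    {
        Auth::shouldUse('api');

        return $next($request);
    }
}

// app/Http/Kernel.php: register it in the api group, before auth:api so the
// guard is switched before authentication runs.
//
// protected $middlewareGroups = [
//     'api' => [
//         \App\Http\Middleware\UseApiGuard::class,
//         'throttle:60,1',
//         'bindings',
//     ],
// ];

// app/Policies/CategoryPolicy.php (assumed policy; same class serves web and API)
//
// class CategoryPolicy
// {
//     public function view(User $user, Category $category): bool
//     {
//         return $user->id === $category->owner_id;
//     }
// }

// app/Http/Controllers/Api/CategoryController.php (assumed controller)
//
// class CategoryController extends Controller
// {
//     public function show(Category $category)
//     {
//         // With the api guard in effect this authorizes against the
//         // token's user; without the middleware it would see no user
//         // and deny every request.
//         $this->authorize('view', $category);
//
//         return response()->json($category);
//     }
// }
```

Note that the policy class is unchanged: the fix is only about which guard supplies the user, so a denial in the API is a genuine policy decision rather than a missing identity. Routes still need auth:api to reject unauthenticated callers before the policy is consulted.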
Just use the auth:api middleware for routes with Policies.