I have a Laravel application that stores profile images of the users. Currently I store these in the public folder, and I have an HTML & JavaScript frontend. The frontend simply uses an `<img>` tag to link to the profile images. I moved the images to the storage folder and created an API to access them. The API requires JWT so that only logged-in users can access the images. But the problem now is that I'm passing the token with the API. Isn't there a better way to let only logged-in users access the images, where I can simply use an `<img>` tag without passing the JWT?
I want to protect my images from outside access, yet be able to simply have a link to access them with an `<img>` tag, only for logged-in users.
Related
I'm looking at bringing over a feature from a previous MVC site that serves files based on our own simple custom authentication service.
Authenticated users (who simply have an authentication cookie saved) are able to download 'secure' files, served through a controller which checks their credentials and returns an unsecured media library link with content disposition set to 'attachment'. This is functional, but the media library files remain unprotected if users know the URLs for the files.
Is it possible to use the secure media libraries for our purposes in such a scenario? Our users won't have distinct user roles in the Kentico system; is it possible to spoof user roles in the MVC app when we return URLs from our controller?
This process takes so much time. I don't know how long it might take to solve the issues.
I have created an application with Laravel 7 that contains users that can log in.
In parallel, I am creating a showcase site for the application (on another domain), essentially HTML/CSS.
On this showcase site I would like to show login and registration buttons if no user is logged in to the Laravel application. Otherwise I would just like to show a "Dashboard" button if a user is logged in to the Laravel application.
How to do that? I confess that I'm a bit lost. Thanks for your help.
You need to create an API on the Laravel app which will be used by the "showcase site".
To log in and authorize themselves, you can use JWT.
To keep user data and use it on the showcase site, you can save it in either:
localStorage (just be careful not to save any sensitive data there, as people can take that information in case of an XSS vulnerability)
IndexedDB
cookies
None of these methods are safe. They can be exploited using XSS, so I advise using JWT to secure sensitive data.
I am currently working on a Vue JS + Vuetify + Axios + Laravel architecture where I am making a dashboard. Currently I am working on the user profile where they can upload a picture for their avatar but also can upload their business licence (via a different uploader).
Users need to be able to modify/update those documents later on.
What is the best strategy to implement this requirement nicely and with proper security?
Store the files in a private area of Laravel, or in a public one after renaming them with a random string + user name?
Store the file as a blob in MySQL directly and retrieve it from there?
Store only the path of the file in MySQL while storing the file in a public/private folder under the Laravel tree?
For authentication I plan to use JWT and Websanova.
Where you store the avatar depends on where it needs to be displayed. Will it be shown only to that user? Other logged in users? Non-authenticated users?
Regarding the user's business licence, I would store that in a folder that's not publicly accessible and access it via an API endpoint. This way you can implement the necessary security rules via your Laravel controller.
Generally speaking, I'd avoid storing files in a DB. You're bloating the size of the DB, which impacts on doing backups/restores, among other things. Having files stored on the file system also makes it easier to move to cloud storage (such as Amazon S3) at some point, if you need to scale your app.
I have a Laravel API that generates a PDF. I am using Laravel Passport for the PDF. I want to stream the PDF in the browser, not download it. I currently generate a PDF, but it is open to the world; anybody would be able to access the PDF. I want to add authentication for it. A user should be able to see his/her PDFs generated by my app and not any other user's PDFs.
My idea so far is to generate a personal access token for the user and pass it via the url.
Is this a good idea? Any other ideas I should consider on how to accomplish this?
Use Laravel authentication to stop unauthorized access to routes; here is the documentation on how you can do that:
https://laravel.com/docs/5.6/authentication
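The two answers above (store the file outside the public folder and serve it through a controller; put the route behind Laravel's auth middleware) describe the same pattern, which also answers the original `<img>` question: if the session cookie authenticates the request, the browser sends it automatically and no token has to appear in the URL. The controller below is an added example, not code from any of the posts or from Laravel itself. It assumes a hypothetical `ProfileImage` model with `user_id` and `path` columns, where `path` points into the private `local` disk (`storage/app`); the route and class names are likewise assumptions.

```php
<?php
// app/Http/Controllers/ProfileImageController.php (added example, hypothetical names)
//
// Assumed route in routes/web.php, protected by the session-based `auth` middleware
// so anonymous requests never reach the controller:
//
//   Route::middleware('auth')
//       ->get('/profile-images/{image}', [ProfileImageController::class, 'show'])
//       ->name('profile-images.show');
//
// The frontend then needs nothing more than
//   <img src="{{ route('profile-images.show', $image) }}">
// because the browser attaches the session cookie to the request itself.

namespace App\Http\Controllers;

use App\Models\ProfileImage;          // assumed model: id, user_id, path
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;

class ProfileImageController extends Controller
{
    public function show(Request $request, ProfileImage $image)
    {
        // Authentication is not authorization: the `auth` middleware only proves
        // *someone* is logged in. Check ownership here so one user cannot walk
        // /profile-images/1, /profile-images/2, ... and read another user's file.
        // For avatars that every logged-in user may see, this line is the one to relax.
        abort_unless($request->user()->id === $image->user_id, 403);

        // The path comes from the database, never from the request, so a caller
        // cannot steer the lookup to arbitrary files with ../ segments.
        $disk = Storage::disk('local');              // storage/app: not web-reachable
        abort_unless($disk->exists($image->path), 404);

        // Stream the file inline (what <img> and in-browser PDF viewers need) and
        // mark it private so a shared cache or proxy will not hand it to another user.
        return $disk->response($image->path, null, [
            'Cache-Control' => 'private, no-store',
        ]);
    }
}
```

The same controller works for the PDF question in this thread: swap the model and the `local` path, and keep the ownership check. If the frontend lives on a different origin (the Vue + Axios setup mentioned above), Laravel Sanctum's cookie-based SPA authentication gives the same cookie-carrying behaviour with the `auth:sanctum` middleware, which avoids placing a personal access token in the URL, where it would end up in browser history, referrer headers and server logs.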
I need to have inner pages of an app shared to Facebook with the right Open Graph data, but I'm presuming that when a Facebook scraper/robot tries to access a certain URL secured by JWT tokens (Tymon's), it lands on the sign-in page instead and picks up the OG data from there.
I'd rather need to allow the Facebook scraper to bypass login and reach the page to get the certain info on that page?