I am currently working on a Vue JS + Vuetify + Axios + Laravel architecture where I am making a dashboard. Currently I am working on the user profile where they can upload a picture for their avatar but also can upload their business licence (via a different uploader).
User need to be able to modify update those documents later on.
What is the best strategy to implement this requirement nicely and with proper security ?
Store the files in a private area of Laravel or a public one after renaming it with a random + user name?
Store the file as a blob in mysql directly and retrieving ?
Store the path of the file in mysql only while storing the file in a public/private folder under Laravel tree ?
For authentication I plan to use jwt and websanova.
Where you store the avatar depends on where it needs to be displayed. Will it be shown only to that user? Other logged in users? Non-authenticated users?
Regarding the user's business licence, I would store that in a folder that's not publicly accessible and access it via an API endpoint. This way you can implement the necessary security rules via your Laravel controller.
Generally speaking, I'd avoid storing files in a DB. You're bloating the size of the DB, which impacts on doing backups/restores, among other things. Having files stored on the file system also makes it easier to move to cloud storage (such as Amazon S3) at some point, if you need to scale your app.
Related
I am trying to make an ecommerce project with react and django for college and i am trying to make it as real as possible and i am confused where to store user's data like id,token and cart data, etc..
i tried to use local storage but i've seen articles saying it is not safe and vulnerable to cross-site scripting attacks
so where should i store data ? is it on the frontend or backend ?
I am working on an app that has some social network elements: users can create posts with images and they can share these publicly or with friends.
I am now considering the security aspect of this. These images should only be available to the person that uploaded them and the people they select to view them.
From the posts I have seen it seems that one of the recommended ways is to expose an API endpoint through my backend service to control access through it (this way I can check a user's permissions) and then return the requested image but I feel that serving images this way would be quite expensive.
Are there any other approaches that do not sacrifice security but achieve a good performance?
In case it matters, I am using Spring Boot for my backend, Expo + React Native for my app and I am planning to store the images on AWS S3
It turns out S3 on AWS allows access to files through signed URLs, which means only people with the given signed URL can access the file. This signed URL can be further restricted by specifying the duration for which the signed URL will be valid.
Generating these URLs can be done by the back-end service without reaching out to AWS, so that does not create a big performance hit.
I am using laravel to build an app in BigCommerce. I am able to get access token but I need to store that for future requests. What is the best possible way to store the app data for BigCommerce?
I've got this working by creating a DB schema in Laravel where in there are tables like stores, users, app_settings.
Whenever the user installs an app, I am storing an access token and other information like store hash in stores table and user details in users table.
Whenever the app is loaded I could get the store and user information via verify signed request payload. Using this I am able to configure my app settings for the user and store those in app settings table.
So when I create a Webhook for the store, I could get the store hash from response as producer key and accordingly I can find the access token for the store using store hash in stores table.
If you're git ignoring your config.json or .env files, you could store these there. However after speaking with one of our Developer Advocates, I wanted to pass along some best practice advice. :) You may want to consider using a secrets manager for option #1 in your decision here. A secrets manager meaning a tool to safely store these variables like Secrets in Github or Key Vault in Azure.
Also, this resource may be helpful to review for your use case. https://www.codementor.io/#ccornutt/keeping-credentials-secure-in-php-kvcbrk55z
I have a Laravel application that stores profile images of the users. Currently I store these in the public folder. And I have a HTML & JavaScript for the frontend. The frontend simply uses tag to link to the profile images. I moved the images to the storage folder and created an API to access them. The API requires JWT so that only logged in users can access the images. But the problem now is that I'm passing the token with the API. Isn't there a better way to let only logged in users access the images and where I can simply use tag without passing JWT?
I want to protect my images from outside access, yet be able to simply have a link to access them with tag only for logged in users.
We have a Firebase database connected with an APP which we want to convert to a website now. Laravel is nice frame work but unfortunately unable to sync the existing database to show up on the website as is. End goal is that any changes through an APP should reflect on the website and vice versa. Existing database include the product price, picture, ability for users to message each other , user authentication. In essence it is almost a complete market place.
If you want to use data from the Firebase Realtime Database in a web app/site, consider simply using its JavaScript SDK in your web application.
Doing so allows you app to directly read data from the database, instead of having to set up a web server in Laravel.
To ensure that your users only get access to data they're authorized for, you'll want to use Firebase's security rules. These are enforced on the Firebase server, so once you configure them correctly, there's no way for anyone to bypass them.