I have an API written with Laravel as the back-end, and I also have a front-end application (React) and a mobile application (Android) that consume the API.
How can I restrict my API to only the front-end and mobile clients and prevent requests from other sources like Postman or Insomnia?
You could achieve this by leveraging CORS.
It stands for Cross-Origin Resource Sharing. CORS is a security feature to prevent unauthorised access.
https://www.stackhawk.com/blog/laravel-cors/
I am building an app using SvelteKit and Django REST framework. SvelteKit is responsible for rendering the HTML page (SSR) and Django REST framework is responsible for providing the RESTful API.
Both the app server and the browser will fetch my RESTful API. I want to protect my RESTful API by adding authorization. After reading some documents, I plan to use OAuth2 (django-oauth-toolkit) and I drew the following chart:
My auth flow chart
But I was confused by the following problems:
I can use the Authorization Code grant flow to authenticate the app server, but how about the browser?
Can I separate the auth server and the RESTful server? If so, how does the auth server protect the RESTful server?
I can use the Authorization Code grant flow to authenticate the app server, but how about the browser?
In fact the authorization code flow is the one that is suitable for, and meant for, a web client. When using this flow, the server redirects the intermediate code (the OAuth code) to the redirect URI passed in the request, so the client can capture that code and make another request to exchange it for an access_token.
Can I separate the auth server and the RESTful server? If so, how does the auth server protect the RESTful server?
Yes, you can. The resource server should talk to the auth server to get the authentication/token object verified.
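The two answers above describe the code exchange and the resource server asking the auth server to verify a token. The following is an added, self-contained simulation of that exchange (editor's example, not django-oauth-toolkit's code or the question's chart): a confidential client (the app server, which holds a client secret) and a public client (the browser, which cannot keep a secret and therefore uses PKCE) both obtain a code via the redirect URI and exchange it for a bearer token, and a separate resource server validates incoming bearer tokens by calling the auth server's introspection endpoint. Client IDs, secrets, redirect URIs and the method names are all assumptions; the real endpoints are HTTP calls.

```python
"""Toy OAuth2 authorization-code flow with PKCE plus token introspection.
Added illustration; client ids, secrets and redirect URIs are made up."""
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class AuthServer:
    def __init__(self):
        self.clients = {
            # confidential client (the app server): authenticates with a secret
            "app-server": {"secret": "s3cret", "public": False,
                           "redirect_uris": {"https://app.example/callback"}},
            # public client (the browser): no secret, so PKCE is mandatory
            "browser-spa": {"secret": None, "public": True,
                            "redirect_uris": {"https://app.example/spa/callback"}},
        }
        self.codes = {}
        self.tokens = {}
        # resource servers that may call the introspection endpoint
        self.introspection_clients = {"resource-server": "rs-secret"}

    def authorize(self, client_id, redirect_uri, code_challenge=None, user="alice"):
        """Authorization endpoint: after the user logs in, redirect with a code."""
        client = self.clients[client_id]
        if redirect_uri not in client["redirect_uris"]:
            raise ValueError("redirect_uri not registered for this client")
        if client["public"] and code_challenge is None:
            raise ValueError("PKCE code_challenge required for public clients")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "challenge": code_challenge, "user": user,
                            "exp": time.time() + 60}
        return f"{redirect_uri}?code={code}"

    def token(self, client_id, code, redirect_uri, client_secret=None, code_verifier=None):
        """Token endpoint: exchange a single-use code for a bearer token."""
        client = self.clients[client_id]
        record = self.codes.pop(code, None)  # pop: a code can be used only once
        if record is None or record["exp"] < time.time():
            raise ValueError("invalid_grant")
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant")
        if client["public"]:
            # public client proves it started the flow by revealing the PKCE verifier
            if code_verifier is None or \
               b64url(hashlib.sha256(code_verifier.encode()).digest()) != record["challenge"]:
                raise ValueError("invalid_grant")
        elif client_secret != client["secret"]:
            raise ValueError("invalid_client")
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"sub": record["user"], "client_id": client_id,
                            "exp": time.time() + 3600}
        return {"access_token": tok, "token_type": "Bearer", "expires_in": 3600}

    def introspect(self, token, rs_id, rs_secret):
        """Introspection endpoint (RFC 7662 shape): only trusted resource servers may ask."""
        if self.introspection_clients.get(rs_id) != rs_secret:
            raise PermissionError("unauthorized introspection caller")
        info = self.tokens.get(token)
        if info is None or info["exp"] < time.time():
            return {"active": False}
        return {"active": True, **info}


class ResourceServer:
    """The RESTful API: trusts nothing in the request until the auth server confirms it."""
    def __init__(self, auth):
        self.auth = auth

    def handle(self, authorization_header):
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or not token:
            return 401, None
        info = self.auth.introspect(token, "resource-server", "rs-secret")
        if not info["active"]:
            return 401, None
        return 200, {"hello": info["sub"]}


def code_from_redirect(url):
    return parse_qs(urlparse(url).query)["code"][0]


def run_confidential_flow(auth):
    url = auth.authorize("app-server", "https://app.example/callback")
    return auth.token("app-server", code_from_redirect(url),
                      "https://app.example/callback", client_secret="s3cret")


def run_public_flow(auth):
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    url = auth.authorize("browser-spa", "https://app.example/spa/callback",
                         code_challenge=challenge)
    return auth.token("browser-spa", code_from_redirect(url),
                      "https://app.example/spa/callback", code_verifier=verifier)
```

The browser path differs from the app-server path only in how the client proves itself at the token endpoint: a secret for the server, a PKCE verifier for the browser. The resource server never inspects the token itself; it asks the auth server, which is what "separate auth server protects the RESTful server" amounts to (a JWT-based setup would instead verify the signature locally with the auth server's public key).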
I have a separate backend and frontend. However, they run on the same server (this may change in the future). The backend serves as an API and is powered by Laravel; the frontend by Nuxt (Vue).
I wish only my Nuxt application could access the API. How can I configure Laravel to only return data if the request comes from a Nuxt application?
I thought about adding a special token to requests, but the user would be able to check what request is going out and capture the token. Can anyone give me ideas on how this can be solved?
You must know about CORS. So in your Laravel server, allow requests only from the frontend server's domain, like this:
Access-Control-Allow-Origin: https://www.example.com
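Both CORS answers on this page (the first one and the one just above) point at an origin allowlist. The block below is an added, editor-written example of what that allowlist does on the server side, as a small WSGI middleware rather than Laravel's own CORS configuration: it echoes the allowed origin back exactly, sends Vary: Origin so caches do not mix origins, and answers preflight OPTIONS requests. The origins are assumptions. Note what the last two test cases show: the allowlist decides which web pages a browser will let read the response, and a request that carries no Origin header at all (as Postman or curl send by default) is served normally, because CORS is enforced by browsers, not by the server.

```python
"""CORS origin allowlist as a WSGI middleware. Added illustration, not
Laravel's or any framework's own CORS code; origins are made up."""

ALLOWED_ORIGINS = {"https://www.example.com", "https://app.example.com"}  # assumed front-ends
ALLOWED_METHODS = "GET, POST, PUT, PATCH, DELETE, OPTIONS"
ALLOWED_HEADERS = "Authorization, Content-Type"


def cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Headers for an exact-match allowlisted origin; none for anything else.
    Never reflect an arbitrary Origin and never combine '*' with credentials."""
    if origin is None or origin not in allowed:
        return []
    return [("Access-Control-Allow-Origin", origin),
            ("Vary", "Origin"),
            ("Access-Control-Allow-Credentials", "true")]


def cors_middleware(app, allowed=ALLOWED_ORIGINS):
    def wrapped(environ, start_response):
        origin = environ.get("HTTP_ORIGIN")
        extra = cors_headers(origin, allowed)
        is_preflight = (environ["REQUEST_METHOD"] == "OPTIONS"
                        and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ)
        if is_preflight:
            # Preflight is answered here; the application never sees it.
            if not extra:
                start_response("403 Forbidden", [("Content-Length", "0")])
                return [b""]
            start_response("204 No Content", extra + [
                ("Access-Control-Allow-Methods", ALLOWED_METHODS),
                ("Access-Control-Allow-Headers", ALLOWED_HEADERS),
                ("Access-Control-Max-Age", "600"),
                ("Content-Length", "0")])
            return [b""]

        def sr(status, headers, exc_info=None):
            return start_response(status, headers + extra, exc_info)
        return app(environ, sr)
    return wrapped


def api_app(environ, start_response):
    """Stand-in for the real API."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"ok": true}']


def call(app, method, path, headers=None):
    """Drive a WSGI app without a socket; returns (status, headers dict, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(response_headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

Restricting callers to your own programs, rather than to your own web pages, needs something the server can actually verify on every request: a per-user credential such as the OAuth tokens discussed earlier on this page, or a server-side proxy that keeps the API credential off the client.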
The simplest solution would be to add serverMiddleware in the Nuxt project and route all the requests to the "real" API through it. Clients will hit the internal Nuxt API and will not be able to see the actual request made to the real API. There you can also add the token you are talking about for an extra layer of security.
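The answer above is the backend-for-frontend pattern: the browser only ever talks to your own server, and that server holds the API credential and forwards the call. Below is an added example of the request-rewriting part of such a proxy, written in Python to match the other examples on this page (Nuxt's serverMiddleware would be the JavaScript equivalent; this is not Nuxt's or Laravel's code). The upstream URL, token and header names are placeholders. The security-relevant details are in `build_upstream_request`: only paths under the public prefix are forwarded, path traversal is rejected, headers the browser could use to impersonate or leak state (Authorization, Cookie, the acting-user header) are dropped, and the real token and the user identity are attached from the server's own configuration and session.

```python
"""Backend-for-frontend proxy: rewrite a browser request into the upstream
request, with the API token added server-side. Added illustration; the
upstream host, token and header names are placeholders."""
import http.client
from urllib.parse import unquote, urlsplit

UPSTREAM = "https://api.internal.example"   # hypothetical "real" API, not reachable by browsers
API_TOKEN = "server-side-secret-token"      # would be loaded from an env var or secret store
PUBLIC_PREFIX = "/api/"

# Request headers the browser must never be able to pass through the proxy.
STRIPPED = {"authorization", "cookie", "host", "connection",
            "content-length", "x-forwarded-for", "x-acting-user"}


def build_upstream_request(method, path, client_headers, session_user=None):
    """Return (method, target_url, headers) for the upstream call, or None to refuse."""
    if not path.startswith(PUBLIC_PREFIX):
        return None  # anything outside /api/ is not exposed at all
    if ".." in unquote(path).split("?", 1)[0].split("/"):
        return None  # no climbing out of the exposed prefix, encoded or not
    target = UPSTREAM + "/" + path[len(PUBLIC_PREFIX):]
    headers = {k: v for k, v in client_headers.items()
               if k.lower() not in STRIPPED and not k.lower().startswith("proxy-")}
    headers["Authorization"] = f"Bearer {API_TOKEN}"  # the browser never sees this
    if session_user is not None:
        # Identity comes from the proxy's own session, never from a client header.
        headers["X-Acting-User"] = session_user
    return method, target, headers


def forward(method, target, headers, body=None, timeout=10):
    """Send the rewritten request upstream and return (status, body). Network call."""
    u = urlsplit(target)
    conn = http.client.HTTPSConnection(u.netloc, timeout=timeout)
    try:
        conn.request(method, u.path + ("?" + u.query if u.query else ""),
                     body=body, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()
```

A real deployment would also authenticate the browser to the proxy (a session cookie on your own domain, with CSRF protection) before forwarding anything; otherwise the proxy simply becomes the new unauthenticated entry point to the API.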
I use token authorization in my sample API built with Django REST framework. Using the web API interface I can navigate through my API. I can do any type of request (POST, PUT, PATCH, DELETE, OPTIONS) to my API. But I don't see how to provide headers. Some of my endpoints require authorization, so even with a GET request I can't access them from the web API.
Is it possible to provide an authentication token using the Django REST framework web API?
Send your requests with Postman or other HTTP clients rather than the web UI of REST framework.
I have already configured a Federation service. I have to use Web API with a WS-Federation service. Federation services use cookies to store security tokens, and there is no support for cookies in Web API. Now, how do I use Web API with WS-Federation?
This linked discussion will help you:
Invoking webapi throws No Access-Control-Allow-Origin header is present on the requested resource
It states that Web API uses the host's sign-in protocol.
I'm currently stuck in a situation where I have created an ASP.NET Web API project and deployed it separately from my main MVC application, which uses the Thinktecture IdentityServer for federated authentication.
The problem that I'm facing has to do with Web API CORS support. More specifically, I authenticate myself in the MVC application, but when it sends requests to the Web API I get the following error:
XMLHttpRequest cannot load XXX. The request was redirected to 'https://localhost/idsrv/issue/wsfed?wa=wsignin1.0&wtrealm=http%3a%2f%2floca…assive%2..., which is disallowed for cross-origin requests that require preflight.
The error makes sense, because the request doesn't contain the HTTP headers that are needed by the WSFederationAuthenticationModule to verify that I'm already logged on.
Is there any possible workaround that I'm not aware of?
As far as I can see you have 3 issues here:
1. How to enable WIF authentication with the Web API. For this you should use Thinktecture.IdentityModel.45 (or the one for MVC 5, Thinktecture.IdentityModel), which exists as a NuGet package. See the sample here: Web Api security sample
2. After that you'll have to send the token in a security header in the Ajax request.
3. If your MVC site and your Web API are not on the same domain, then you'll have to handle CORS issues.
For issues 2 & 3 see: Dog fooding our api authentication
This should also give you a good idea of how to use the security token received in your MVC site to authenticate with your Web API.