Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 3 years ago.
Improve this question
My spring boot app almost done and one more problem left. I need to implement security part. I wanna make acces to api only by key that will come with request. in URL string, message body or header.It doesnt meter now. I found a lot of different ways, but they use login:password pair, it doesnt interesting for me. Each message have to contain KEY.
It should look like
URL String (Get method)
https://api.domen.com/news/today?key='somekey'&'some filters'
Body (Post method)
https://api.domen.com/news/today?'some filters'
{
"key": "somekey",
...
}
Is there suggestion how use only key and verify it?
I would include the token on HTTP Authorization header with the Bearer schema (instead that using a parameter), it is a good practise
POST /news/today?p=1 HTTP/1.1
Authorization: Bearer 123456
If you want to rely on JTW (again a standard practise) you need to verify the incoming token, this is an example using jsonwebtoken library
Claims claims = Jwts.parser()
.setSigningKey(DatatypeConverter.parseBase64Binary("SECRET"))
.parseClaimsJws(jwt).getBody();
String subject = claims.getBody().getSubject(); // subject in the token
Date date = claims.getBody().getExpiration(); // expiration of the token
This example above assumes that the token (set on the HTTP header) has been signed using the same key "SECRET"
//We will sign our JWT with our ApiKey secret
byte[] apiKeySecretBytes = DatatypeConverter.parseBase64Binary("SECRET");
Key signingKey = new SecretKeySpec(apiKeySecretBytes, signatureAlgorithm.getJcaName());
//Let's set the JWT Claims
JwtBuilder builder = Jwts.builder().setId(id)
.setIssuedAt(now)
.setSubject("subj")
.setIssuer("issuer")
.signWith(signatureAlgorithm, signingKey);
Here is a good reference https://developer.okta.com/blog/2018/10/31/jwts-with-java
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 2 years ago.
Improve this question
I can generate user access when I log in or Register a User
I want to be able to use the token later in API
I have questions
Is it safe to store user access token in the database after creation
How do I retrieve access token after creation
I tried this
public function showprofile(Request $request)
{
$user = new UserResource(User::find($request->id));
$token = $user->token();
dd($token);
// return response ($user);
}
It returned null, I have checked oauth access token table, the user id I am sending is present.
Thanks.
1) yes, this is no problem. In fact, if you're using Laravel Passport, it will be done automatically. Passport's default migrations will make sure it's stored in a safe way. You can optionally publish the migrations yourself to adjust them if needed:
php artisan vendor:publish --tag=passport-migrations
2) If you've added the HasApiTokens trait to your user model. You'll be able to access the token like this:
$user->token()
Or if you need all tokens $user->tokens(). More info can be found in the passport documentation.
Update
You're trying to access the token on the UserResource. This doesn't contain the token(). Try to access the token before creating the resource like this:
public function showprofile(Request $request)
{
$user = User::find($request->id);
$token = $user->token();
$user = new UserResource($user);
dd($token);
// return response ($user);
}
Also, I'd recommend you to use Route Model Binding. This will make your controller much cleaner since you don't need to look up the model yourself, Laravel will do this automatically for you.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 3 years ago.
Improve this question
I was wondering of what could be the advantages or disadvantages of using slug instead of id when looking for a model or for urls.
Because there is a possibility to bind directly the url so that in the web.php file, this url /users/{user} will become the following:
with id:
domain.com/users/1
or with slug:
domain.com/users/IQii33XAQhldEK
Thanks
IQii33XAQhldEK is not a slug, a slug would be domain.com/users/patrissol-kenfack.
In the case of the slug, the 2 benefits are:
Better readability for humans,
Better for SEO, because Google will see the keywords in the URL.
If you use id in the url, it could mean that users would be able to know what the id of the resource they are viewing are. Usually, this won't be much of an issue, but if proper security practices are not followed, users could modify resources using this id by passing it implicitly (So make sure to use $fillable or $guarded) . For example, a malicious user could simply put a
<input type="text" name="id" value="<the-id-of-any-other-resource>"
And if you insert or update models with $request->all(), it could end up modifying the id of that resource.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 5 years ago.
Improve this question
I am making a website using laravel. I have a search page where users can search for products and a SearchController which does the actual searching.
Right now, I am passing the form data to the controller with a post method (search string, filters, etc.), it works brilliantly!
However, I see that almost every website passes the search parameters in the URI using a query string. Why is tht better? Should I be doing the same?
Thanks!
It's good to keep query parameters in uri for SEO purpose. If you use post method, when you refresh page you won't get data. If you use get method, even page is refreshed you will get data. If you pass query in uri, you can directly get the data by accessing that url.
The search parameter in URL is helpful when the user wants to search more item related to that without refreshing the page. You can do it by ajax and php.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 9 years ago.
Improve this question
I'm in need to support batch request in my RESTful services, in which the user sends a single request (http request) but that request issues multiple REST requests. However I don't know if there is any best practice for this.
Server-technology: Spring Web MVC.
Add an rest resource that represent your command queue.
Every command that gets added to this queue gets executed by the server.
Then add an PUT handler for this queue that accept a single command an put it in this queue.
This PUT handler could for example accept someting like this
{
"commandType" : "x"
"parameter" : {...}
}
then enhance the PUT handler so that is also accept a list of this commands:
{ "batch" :
[
{
"commandType" : "x"
"parameter" : {...}
}
{
"commandType" : "y"
"parameter" : {...}
}
]
}
This is not very nice, but it should work.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
Can someone help me in getting more information about
BasicHttpEntityEnclosingRequest(String method, String uri).
This did not help me understand the said topic.
What are you trying to do with BasicHttpEntityEnclosingRequest? An entity in httpcomponents refers to the body or the payload of the request.
You should be using sub classes of HttpEntityEnclosingRequestBase that is HttpPut, HttpPost or HttpPatch when sending a HTTP request that has a body.
http://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/client/methods/HttpEntityEnclosingRequestBase.html
You should read the HttpClient Tutorial, particularly chapter 1 to get you started.