We have a Passport-authenticated Laravel endpoint. We want to give a separate application from our main one the ability to call this specific endpoint without needing a user login; we also want to be able to identify the client. So, for example, two separate client apps make an unauthenticated call to the endpoint and we could tell them apart by some means.
We've tried messing with custom guards & service providers; I'm under the impression Passport makes it tricky to do what we want here.
We could just duplicate the endpoint and make one unauthenticated; I guess it's just tricky to understand how to structure things here to do what we want.
I'm using the Password Grant flow in my Laravel API but I find that the tokens generated for the user may be abused.
I have the API running in one domain and a web app in another domain consuming it. I want to make sure that even if someone copies the token from localStorage inside my app, it will be useless outside of my consuming domain.
The only solution I find to this problem is checking the domain with a middleware or inside the API methods. Is there any secure way to do this? Should I use middleware as I just mentioned?
To be honest, I don't think there is a way that you can prevent this.
I assume that the web app is using client-side code to call your API, and so the IP address will always be the client's, and so you cannot limit your API to specific IPs.
Additionally, the calling domain is useless, as you could fake this in Postman or any other API sending tool.
This is a fight you won't easily win.
I'd ask the question of what ways can a user really abuse my API. If they want to use their token to perform actions on their account inside your application, then what does it matter if this happens within your application or outside of it?
How can they abuse your platform if they have the token? If there are ways to abuse it then you are better treating the root cause that allows the abuse to take place, rather than trying to limit how the token can be used.
Hi guys, I have to create a mobile app that needs to make a request to a Laravel endpoint. The app does not require registration or login. What is the best way to protect my API, to make sure that only my application can call it?
Thanks!
There's no foolproof method of securing your API, because with the right tools and following some tutorials on the web, anyone could view your whole API request, headers, tokens, etc.
Anything you do or store on the app is already compromised, so signatures, SSL, encryption, tokens, etc. are not that helpful if malicious users have access to the app. It can make it more troublesome for malicious users, but a dedicated one could overcome it.
Using authentication at least forces users to register before they can use your API, and you can block the user when needed. Along with requiring email verification, users who wish to misuse your API would then need valid email addresses at least. But since you mention securing without authentication, this goes out of scope.
You can secure your API somewhat by using rate limiting. Laravel has built-in rate limiting with the throttle middleware. You can use this to restrict the number of times an API can be called in a particular time interval by an IP address.
Next would be IP blocking. If any malicious activity is found, you could block the IP address. But this can be overcome with a VPN, and a malicious user could also get someone else's IP blocked in this manner.
Captcha can help against bots, but would also annoy regular users.
Another method would be restriction with CORS; those who have faced CORS issues know exactly how annoying it can be, but it won't work on native apps (or you could try a PWA).
And in a worst-case scenario you could go with some terms and conditions and some legal action.
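The throttle middleware the answer above mentions, shown as an added example (not code from the answer) of a named rate limiter that keys anonymous callers by IP address and known client apps by their own identity:

```php
<?php
// Added example (not from the answer above) of the throttle middleware it mentions,
// as a named limiter registered in app/Providers/RouteServiceProvider.php (Laravel 8+).
// Anonymous callers are limited per IP address, as described; callers presenting a
// known client key get their own per-client bucket, so one abusive address does not
// exhaust the allowance of everyone behind the same NAT. The `api_clients` table and
// the X-Api-Key header are assumptions made for this example.

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\RateLimiter;

RateLimiter::for('public-api', function (Request $request) {
    $raw = (string) $request->header('X-Api-Key', '');
    $client = $raw === '' ? null : DB::table('api_clients')
        ->where('key_hash', hash('sha256', $raw)) // only the hash of a key is stored
        ->whereNull('revoked_at')
        ->first();

    if ($client) {
        // Known app: a larger allowance keyed by client id rather than by IP.
        return Limit::perMinute(600)->by('client:' . $client->id);
    }

    // Unknown caller: tight per-IP limit. Laravel answers excess requests with
    // HTTP 429 and Retry-After / X-RateLimit-* headers.
    return Limit::perMinute(30)->by('ip:' . $request->ip());
});

// routes/api.php
// Route::middleware('throttle:public-api')->get('/candidates', [CandidateController::class, 'index']);
```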
A simple solution: you can create a table for devices with an API key that will be generated for each device app, and always use it to send requests to the API endpoint, then use it to fetch data from the REST API. The same process as if you were logging in, but you will use the API key instead, and the key will be fixed, not refreshed every time.
I am new to Laravel and creating a REST API. The client of the API will be a mobile app only. There is no front-end view to be shown in a browser. I have created the routes and the controllers to handle API requests. Furthermore, I deleted the users table (created by Laravel) because I do not need a web interface etc.
I just want simple token-based authentication at this stage (I am aware there is Passport authentication) but I cannot even understand that at this stage.
There is only one table in the project.
Candidates
(id (PK), name, phone, details)
Mobile app users are candidates also. Should I create a token column in this table, and manually create a token at the time of the register API call and return it back as the response?
Please, any simple guide or directions will help. I have searched quite a bit online and there seem to be quite a lot of topics that show up, such as guards, providers and Passport, which I am struggling to get.
Thanks,
Elliot.
First of all, you didn't need to delete the users table. You can use it for API auth too. You just need to create a separate token table.
However, if you want to implement it manually, you need to do a lot of things manually.
This is a huge thing to implement manually and it's not possible to describe it in a single answer. I will try my best to explain it as simply as I can.
You have to create an authentication system yourself for login. Define a middleware to check the authorization of the token sent from the client, to check the validity of every request (this is the guard part).
Also keep track of the token expiry time. Refreshing the token after each expiry needs to be done too (this is the provider part).
Now there are a lot of things inside, like keeping track of the device the request is coming from, providing different tokens for different devices for a single user, etc.
If you are into learning how everything works, then you can try to build one yourself. But if you plan on deploying it to a professional website, I would suggest trying to get accustomed to Passport. Reinventing the wheel is really not necessary. I hope this gives you a basic idea. If you have any more questions, feel free to comment.
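The per-device API key table suggested in the earlier answer, and the token-checking middleware ("the guard part") described in the answer above, as one added example that is not code from either post; it also covers the opening question of telling client apps apart without a user login:

```php
<?php
// Added example, not code from any post above. It assumes an `api_clients` table
// (constructed for this example) with columns id, name, key_prefix, key_hash,
// revoked_at, last_used_at, created_at. The raw key is shown to the client app
// once; only its SHA-256 is stored, so a leaked database row is not a usable key.

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Str;

/** Create a key for a new client app; returns the raw key to hand out exactly once. */
function issueClientKey(string $clientName): string
{
    $raw = Str::random(40); // built on random_bytes(), so unguessable; a fast hash is enough
    DB::table('api_clients')->insert([
        'name'       => $clientName,
        'key_prefix' => substr($raw, 0, 8), // indexed lookup column, not a secret by itself
        'key_hash'   => hash('sha256', $raw),
        'created_at' => now(),
    ]);
    return $raw;
}

/** Middleware: identifies the calling app by its X-Api-Key header; no user login involved. */
class AuthenticateApiClient
{
    public function handle(Request $request, Closure $next)
    {
        $raw = (string) $request->header('X-Api-Key', '');
        if (strlen($raw) !== 40) {
            return response()->json(['error' => 'unauthorized'], 401);
        }
        $client = DB::table('api_clients')
            ->where('key_prefix', substr($raw, 0, 8))
            ->whereNull('revoked_at')
            ->first();
        // hash_equals() compares in constant time, so timing does not reveal how close a guess was.
        if (!$client || !hash_equals($client->key_hash, hash('sha256', $raw))) {
            return response()->json(['error' => 'unauthorized'], 401);
        }
        DB::table('api_clients')->where('id', $client->id)->update(['last_used_at' => now()]);
        $request->attributes->set('api_client', $client); // controllers can now tell clients apart
        return $next($request);
    }
}

// routes/api.php, assuming the alias 'api.client' maps to this class in app/Http/Kernel.php:
// Route::post('/events', [EventController::class, 'store'])->middleware('api.client');
```

Revoking a client is a matter of setting `revoked_at` on its row; the key itself never has to change on every request, matching the fixed-key approach the earlier answer describes.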
I'm using the Expo Facebook login on my React Native app. In my app they can create and join events, which is done via API calls to my Laravel backend. I need these API calls to be authenticated (so some random person can't submit requests on someone else's behalf), but I don't want them to have to log in twice. How can I ensure the person making API calls is who they say they are?
When they auth with Facebook they get their unique Facebook user ID, but I'm not sure if that is a secret they would only know after authenticating with FB or if anyone could get it. For my alpha version it's just sending their FB user ID with the request to ensure it's coming from the right person, but that seems really insecure because if anyone gets that ID they can forge requests.
One idea I had was to pass the auth token the React Native app got from Facebook to my API, and then on my server use that auth token to ensure it's really them. That just seems sort of complicated and it's hard to find a package that helps facilitate this, though.
It seems like this has to be a common problem. Any resources on how other apps handle this? Tinder, for example, must have this same problem.
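The approach floated in the question above (forward the Facebook access token and have the server verify it), as an added example that is not code from the post:

```php
<?php
// Added example of the approach the question above proposes (not code from the post):
// the app forwards the Facebook access token it received; the server asks Facebook's
// Graph API debug_token endpoint whether that token is valid and was issued to *this*
// app, and only then trusts the user id. The bare Facebook user id sent by a client is
// never trusted, since it is not a secret. $appId/$appSecret come from config (assumed).

use Illuminate\Support\Facades\Http;

/** Returns the Facebook user id the token belongs to, or null if it must not be trusted. */
function verifyFacebookToken(string $inputToken, string $appId, string $appSecret): ?string
{
    // The app access token is "app_id|app_secret"; it is used server-side only.
    $resp = Http::timeout(5)->get('https://graph.facebook.com/debug_token', [
        'input_token'  => $inputToken,
        'access_token' => $appId . '|' . $appSecret,
    ]);
    if (!$resp->ok()) {
        return null;
    }
    $data = $resp->json('data', []);

    // is_valid alone is not enough: a valid token issued to some *other* Facebook app
    // must be rejected, or any app the user ever logged into could act against this API.
    if (($data['is_valid'] ?? false) !== true || (string) ($data['app_id'] ?? '') !== $appId) {
        return null;
    }
    // expires_at is a Unix timestamp; 0 means a non-expiring token.
    $expiresAt = (int) ($data['expires_at'] ?? 0);
    if ($expiresAt !== 0 && $expiresAt < time()) {
        return null;
    }
    return isset($data['user_id']) ? (string) $data['user_id'] : null;
}

// Controller sketch: verify once at login, then hand back the API's own token (Passport, etc.)
// so the Facebook token is not resent with every request.
// $fbId = verifyFacebookToken($request->input('fb_token'), config('services.facebook.client_id'),
//                             config('services.facebook.client_secret'));
// abort_if($fbId === null, 401);
// $user = User::firstOrCreate(['facebook_id' => $fbId]);   // facebook_id column is assumed
// ... issue and return the API's own access token for $user
```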
My backend and frontend are totally separated. One is using Laravel 5.3, the other VueJS 2.
My frontend doesn't need to authenticate users (public website). However my backend should be able to recognize that the API calls are being sent from my frontend and not some other client/frontend.
I know how to do this manually, but I would like to know if it's possible to do this out of the box with the Dingo package and also that the hostname or whatever way the API calls are being approved can't be spoofed by others?
You can add a custom element, like the csrf_field(), to all of your forms. If you have that element... then it's coming from you.
edit: Or json web tokens, but that's a bit more work.