Laravel 5.4: how to secure api routes

I have an app that fetches data from a Laravel API defined like this in routes/api.php:

<?php
// routes/api.php

use Illuminate\Http\Request;

// this is the default route provided by Laravel out of the box
Route::middleware('auth:api')->get('/user', function (Request $request) {
    return $request->user();
});

// ItemController provides an index method that lists items as JSON
Route::resource('items', 'Api\ItemController', array('except' => array('create', 'edit')));

// this is to store new users
Route::resource('users', 'Api\UserController', array('only' => array('store')));

For example, http://example.com/api/items returns data as intended, but it is really insecure, as anyone can access it through Postman.

How do I make these routes only available inside the app?

Since I'm new to this, I don't understand whether I need to configure the api_token, and if so, how.

Do I need to customize my passport?

Is it related to the auth:api facility?

It may sound very simple, but any usage advice or tutorial would be greatly appreciated.

EDIT

Ended up with the classic session auth. Moved the routes inside web.php and pass the CSRF token in the AJAX request. I don't really need a RESTful API. You only need a token when your API is stateless.

+3


2 answers


Since you are using Laravel 5.4 you can use Passport. I haven't implemented it yet, but I have implemented lucadegasperi/oauth2-server-laravel for one of my Laravel projects, which was developed in Laravel 5.1.

Here is a link to the lucadegasperi/oauth2-server-laravel GitHub repository.

Here is a link to the documentation.

Just add the package to composer.json and run composer update; the package will be installed in your application. After installation, add the service provider class to the providers array and the facade class to the aliases array, as mentioned in the Laravel 5 installation section.

You need to do a little tweak to get it to work properly: move the csrf middleware out of the $middleware array and into the $routeMiddleware array, then run php artisan vendor:publish again. After the migration changes have been published, run the migration with php artisan migrate.

If you only want to secure the API routes per client (iOS, Android, web), you can implement the client credentials grant; if you need every user to be able to use the authorization server, use the password grant or another grant.

Never put the client id or other credentials into a form when generating an access token; keep them somewhere in a helper and attach them to the request to the API.

Hope this answer helps you.

0


You can use JWT, which is pretty easy to get working. You basically generate a token by asking for username/password and pass that token on every request that requires authentication, so your URL will look like http://example.com/api/items?token=SOME-TOKEN. Without a proper token, the client doesn't have access to that endpoint.

Concerning:

How do I make these routes only available inside the app?

If you mean that only your application should be able to make these requests, you can't. Basically the API doesn't know who is sending these requests; it can only check whether you are sending what it requires and proceed if everything is OK. I suggest you take a look at this question.

0

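As an added example (not code from the question or either answer), this is how the routes from the question can be protected with Laravel 5.4's built-in token guard, the auth:api facility the question asks about. It assumes the default api guard in config/auth.php (driver token, provider users) and a nullable, unique api_token string column on the users table; the /token routes and their names are assumptions for illustration.

```php
<?php
// routes/api.php (added example). Assumes config/auth.php has the default
// 'api' guard ('driver' => 'token') and users has an api_token column, e.g.
//   $table->string('api_token', 60)->unique()->nullable();

use Illuminate\Http\Request;

// Public, rate-limited: exchange credentials for an API token once (over HTTPS).
// throttle:5,1 allows 5 attempts per minute per IP against the login endpoint.
Route::middleware('throttle:5,1')->post('/token', function (Request $request) {
    $credentials = $request->only('email', 'password');

    // once() checks the credentials against the users provider without
    // creating a session; it returns false on failure.
    if (! Auth::guard('web')->once($credentials)) {
        return response()->json(['error' => 'invalid credentials'], 401);
    }

    // Issue a fresh random token; storing a new one invalidates the old one.
    $token = str_random(60);
    Auth::guard('web')->user()->forceFill(['api_token' => $token])->save();

    return response()->json(['token' => $token]);
});

// Everything in this group requires a valid api_token. The token guard reads it
// from the Authorization: Bearer header (preferred, keeps it out of URL logs)
// or from an api_token query/form parameter.
Route::middleware('auth:api')->group(function () {
    Route::get('/user', function (Request $request) {
        return $request->user();
    });

    Route::resource('items', 'Api\ItemController', ['except' => ['create', 'edit']]);

    // Revoke the caller's token, e.g. on logout.
    Route::post('/token/revoke', function (Request $request) {
        $request->user()->forceFill(['api_token' => null])->save();
        return response()->json(['revoked' => true]);
    });
});

// Registration stays public; consider throttling it as well.
Route::resource('users', 'Api\UserController', ['only' => ['store']]);
```

Requests without a valid token get a 401 from the auth middleware, so Postman can only reach /api/items after a successful POST to /api/token with real user credentials.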