4
votes

I have a React app that fetches data from a Laravel API defined like so in routes/api.php:

use Illuminate\Http\Request;

// this is the default route provided by Laravel out of the box
Route::middleware('auth:api')->get('/user', function (Request $request) {
    return $request->user();
});

// ItemController provides an index method that lists items as JSON
Route::resource('items', 'Api\ItemController', array('except' => array('create', 'edit')));

// this is to store new users
Route::resource('users', 'Api\UserController', array('only' => array('store')));

For example, http://example.com/api/items returns the data as intended, but it's really insecure since anyone could access it through Postman.

How to make those routes only accessible inside the app?

As I'm new to this, I don't understand whether I need to set up api_token, and if so, how.

Do I need to setup Passport?

Is it related to the auth:api middleware?

It may sound really basic, but any help or tutorial suggestions would be greatly appreciated.

EDIT

Ended up with classic session auth. Moved the routes into web.php. Passing the CSRF token in the AJAX request. Actually I didn't need a RESTful API. You only need token auth when your API is stateless.

2
Use Laravel Passport and create a client, then use Bearer $token in the header for each request, and the Passport middleware will handle it for protection - msonowal
Thanks, but how do you retrieve the token from your personal client? - sebap
@msonowal That's the best way. Can you add an answer on how to do that? - Ravi_R
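The question, the EDIT and the comments above all circle around the same mechanism: a stateless route is protected by a credential carried on each request, not by where the request comes from. The following is an added example, not code from the question and not Laravel's own guard: a minimal API-token check in plain PHP (7.4 or later), modelled on what a token guard does. It assumes each user holds one random token, the server persists only sha256(token), and the React app sends the token as "Authorization: Bearer <token>" (falling back to an api_token query parameter); the user table is a constructed in-memory array.

```php
<?php
// Added example (not code from the question, nor Laravel's own guard): a
// minimal stateless API-token check in plain PHP, modelled on what a token
// guard does. Assumptions: each user holds one random token, the server keeps
// only sha256(token), and the React app sends "Authorization: Bearer <token>".

declare(strict_types=1);

/** Issue a token for a user; returns [plaintext shown once, hash to persist]. */
function issueApiToken(): array
{
    $token = bin2hex(random_bytes(32));        // 64 hex chars of CSPRNG output
    return [$token, hash('sha256', $token)];
}

/** Pull the token out of the request: Authorization header first, then ?api_token=. */
function extractToken(array $headers, array $query): ?string
{
    $auth = $headers['Authorization'] ?? '';
    if (preg_match('/^Bearer\s+(\S+)$/i', $auth, $m)) {
        return $m[1];
    }
    return isset($query['api_token']) ? (string) $query['api_token'] : null;
}

/**
 * Resolve a request to a user id, or null when it is unauthenticated.
 * $tokenHashes maps sha256(token) => user id (a constructed stand-in for the
 * users table's api_token column).
 */
function authenticate(array $headers, array $query, array $tokenHashes): ?int
{
    $token = extractToken($headers, $query);
    if ($token === null || $token === '') {
        return null;                            // no credential at all -> 401
    }
    $candidate = hash('sha256', $token);
    // hash_equals is constant-time, so a wrong guess does not reveal how many
    // leading characters matched.
    foreach ($tokenHashes as $storedHash => $userId) {
        if (hash_equals((string) $storedHash, $candidate)) {
            return (int) $userId;
        }
    }
    return null;                                // unknown token -> 401
}

// --- constructed demo: one user (id 42) with one issued token ---------------
[$plaintext, $storedHash] = issueApiToken();
$tokenHashes = [$storedHash => 42];

// the React app sends the token it was given at login
var_dump(authenticate(['Authorization' => "Bearer $plaintext"], [], $tokenHashes));
// an anonymous Postman call carrying no token
var_dump(authenticate([], [], $tokenHashes));
// a guessed token in the query string
var_dump(authenticate([], ['api_token' => 'not-the-real-token'], $tokenHashes));
```

The first call resolves to user 42; the other two return null and the controller should answer 401. The last two calls show the point the question keeps running into: the server cannot distinguish the React app from Postman, it can only decide whether the request carries a valid credential, so the fix is a credential (a session cookie plus CSRF token, as in the EDIT, or a token as in the comments) rather than hiding the URL. Storing only the hash means a leaked database dump does not hand out usable tokens.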

2 Answers

0
votes

As you are using Laravel 5.4 you can use Passport, but I haven't implemented it yet. I implemented lucadegasperi/oauth2-server-laravel for one of my Laravel projects, and it was developed in Laravel 5.1.

Here is the link to github repository lucadegasperi/oauth2-server-laravel

Here is the link to the documentation: Extensive Documentation

Just add the package to composer.json and run composer update; the package will get installed to your application. Once installed, add the providers array class and aliases array class as mentioned in the Laravel 5 installation part of the documentation.

You have to do a small tweak in order for it to work perfectly: cut csrf from the $middleware array and paste it into the $routeMiddleware array, then run php artisan vendor:publish again. After publishing, the migrations will be created; then run the migration with php artisan migrate.

If you only want to secure API routes for each client like iOS, Android and web, you can implement the Client Credentials Grant, or if you need every user with OAuth then you can implement an Authorization Server with the Password Grant or some other.

Never use the client ID or other credentials for generating the access token in the form, but add it somewhere in a helper and attach it to the request to the API.

Hope this answer helps you.

0
votes

You could use JWT; it's pretty easy to get it to work. You basically generate a token by requesting username/password and passing that token in every request that requires authentication; your URL would look like http://example.com/api/items?token=SOME-TOKEN. Without a proper token, the caller doesn't have access to this endpoint.

As for

How to make those routes only accessible inside the app?

If you mean only your app can use these requests, you can't. Basically the API doesn't know who is sending these requests; it can only check whether what you are giving it is correct and proceed if everything is in order. I'd suggest you have a look at this question
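To make the JWT flow in this answer concrete, here is an added example that is not from the answer and not from any Laravel JWT package: an HS256 token minted after a username/password check and verified on every API request, in plain PHP 7.4 or later with no dependencies. It assumes the signing secret is a 32-byte random value kept server-side (loaded from the environment in a real deployment), that the user store is a constructed in-memory array with a password hash, and that the client sends the token in an Authorization header rather than in the query string.

```php
<?php
// Added example, not the answer's code nor any library's: a minimal HS256 JWT
// issued at login and verified per request. Assumptions: 32-byte server-side
// secret, constructed in-memory user store, token sent in the Authorization
// header.

declare(strict_types=1);

function b64url(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64urlDecode(string $enc): string
{
    $pad = strlen($enc) % 4;
    if ($pad) {
        $enc .= str_repeat('=', 4 - $pad);
    }
    $raw = base64_decode(strtr($enc, '-_', '+/'), true);   // strict: reject junk
    return $raw === false ? '' : $raw;
}

/** Mint a token for $userId that expires $ttl seconds after $now. */
function issueJwt(int $userId, string $secret, int $ttl = 3600, ?int $now = null): string
{
    $now ??= time();
    $header  = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode(['sub' => $userId, 'iat' => $now, 'exp' => $now + $ttl]));
    $sig     = b64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

/** Return the user id from a valid, unexpired token, or null on any failure. */
function verifyJwt(string $jwt, string $secret, ?int $now = null): ?int
{
    $now ??= time();
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$header, $payload, $sig] = $parts;

    // Pin the algorithm server-side; never let the token choose it.
    $hdr = json_decode(b64urlDecode($header), true);
    if (!is_array($hdr) || ($hdr['alg'] ?? '') !== 'HS256') {
        return null;
    }

    // Recompute the MAC over the exact bytes received and compare in constant time.
    $expected = b64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    if (!hash_equals($expected, $sig)) {
        return null;
    }

    $claims = json_decode(b64urlDecode($payload), true);
    if (!is_array($claims) || !isset($claims['exp'], $claims['sub'])) {
        return null;
    }
    if ($now >= (int) $claims['exp']) {
        return null;                                       // expired
    }
    return (int) $claims['sub'];
}

/** Login endpoint: check the password hash, then hand out a token. */
function login(string $user, string $pass, array $users, string $secret): ?string
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user]['hash'])) {
        return null;                                       // wrong credentials: no token
    }
    return issueJwt($users[$user]['id'], $secret);
}

// --- constructed demo --------------------------------------------------------
$secret = random_bytes(32);                                // from .env in practice
$users  = ['alice' => ['id' => 7, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];

$jwt = login('alice', 'correct horse', $users, $secret);   // valid login
var_dump(login('alice', 'wrong password', $users, $secret)); // failed login

// Per-request checks a middleware would run before reaching the controller:
var_dump(verifyJwt($jwt, $secret));                        // intact token
$lastChar = substr($jwt, -1);
$tampered = substr($jwt, 0, -1) . ($lastChar === 'A' ? 'B' : 'A');
var_dump(verifyJwt($tampered, $secret));                   // signature altered
var_dump(verifyJwt($jwt, $secret, time() + 7200));         // checked after expiry
var_dump(verifyJwt($jwt, random_bytes(32)));               // signed with another key
```

The failed login yields null (no token is issued), the intact token resolves to user 7, and the three remaining checks each return null: a tampered signature fails the constant-time comparison, a token checked past its exp claim is rejected, and a token signed under a different key does not verify. Two defensive choices differ from the answer's URL form: the algorithm is pinned rather than read from the token, and the token travels in the Authorization header, since query strings end up in server access logs, browser history and Referer headers.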