0
votes

In my Laravel project I am storing data about events and return them to a website; this website is the event's website, where place reservations can be made. Every event has its own website. I get the event's data and save the reservation details using AJAX GET and POST, which works just fine, but I would like to protect these routes and I do not know how to do that.

I have read a bit about Laravel Passport, but the thing is these event websites do not require registration: a would-be participant only needs to fill out a form and reserve the place for himself, and Passport with its token logic could only help me if there were authenticated users involved, if I understood the documentation correctly.

These are the API routes:

Route::get('event/{id}', 'ApiRoutesController@show');
Route::post('reserve', 'ApiRoutesController@reserve');

I would like to prevent people (if they get to know my POST method logic) from spamming my database with invalid place reservations by somehow protecting those routes. Is that possible without Laravel Passport?

2
Even if you use Passport, you can have un-authenticated API routes (how would you POST to a login route, for example?) Passport handles the OAuth logic around API requests, but it's up to you where to use it. That all being said, what exactly does "spamming with invalid registrations" mean? What makes it invalid? How would they be spamming it? Etc etc. - Tim Lewis
First, thank you for replying. By spamming I meant that if they know the logic behind my reservation method (they could use the browser dev tools to look at my loaded script that handles a reservation; they would also see the API URL I am targeting when sending a POST request to Laravel), they could reserve places belonging to that event with false, dummy data. - matetami

2 Answers

1
votes

Laravel provides predefined middleware that you can assign to routes or you can create your own custom middleware.

In your case I think the Illuminate\Routing\Middleware\ThrottleRequests middleware could be useful. It would limit the number of times someone can call a route within a certain time period from the same IP address (or with the same user account, but that's not applicable in your case).

To add it to your routes, you need to make sure the throttle middleware is in your routeMiddleware array in your App\Http\Kernel file, e.g.:

protected $routeMiddleware = [
  ... other middleware ...
  'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
  ...
];

Then you need to add it to the routes you want to protect, for example:

Route::get('event/{id}', 'ApiRoutesController@show')->middleware('throttle');

You can also specify the maximum number of attempts and the time period in minutes in the parameter to the middleware function like this:

Route::get('event/{id}', 'ApiRoutesController@show')->middleware('throttle:10,1');
0
votes

You can always protect a route with an authentication middleware like so:

Route::get('event/{id}', function () {
    // Only authenticated users may enter...
})->middleware('auth');

(as seen in the Laravel documentation)

The thing is that you now need a way to authenticate a user. Only then will he be able to call this route.

You said there is no way of registering... So how would you like to authenticate a person to use the API?

What I mean is you need some way of determining which request is legit and which is not. This could be something like an authenticated user or maybe even something like an API key you send via the HTTP header. You just need to be sure how you'd like to design that. Then we can assist you with ways how to implement that.
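As an added example (not code from either answer or from the asker's project), this is how the two suggestions combine in a Laravel app: the question's two routes sit behind the throttle middleware from the first answer, the POST route additionally passes through a small custom middleware that checks a shared key sent in a request header as the second answer proposes, and the controller validates the reservation fields before anything is written. The class name VerifyEventApiKey, the X-Event-Key header, the config key, the rate limits, the Reservation model and the validation rules are all assumptions.

```php
<?php
// app/Http/Middleware/VerifyEventApiKey.php (assumed class name; register it in
// App\Http\Kernel::$routeMiddleware as 'event.key' next to the 'throttle' entry)
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class VerifyEventApiKey
{
    public function handle(Request $request, Closure $next)
    {
        // The expected key comes from config (backed by an env var), never from the code.
        $expected = (string) config('services.event_site.key', '');
        $given    = (string) $request->header('X-Event-Key', '');

        // hash_equals compares in constant time, so response latency does not reveal
        // how many leading bytes of a guessed key were correct.
        if ($expected === '' || !hash_equals($expected, $given)) {
            return response()->json(['message' => 'Unauthorized'], 401);
        }

        return $next($request);
    }
}

// routes/api.php -- the question's two routes, now rate-limited per client IP
// (60 reads and 5 reservations per minute are assumed values; tune them per event).
Route::middleware('throttle:60,1')->get('event/{id}', 'ApiRoutesController@show');
Route::middleware(['throttle:5,1', 'event.key'])->post('reserve', 'ApiRoutesController@reserve');

// app/Http/Controllers/ApiRoutesController.php -- reject malformed reservations before
// they reach the database (field names, limits and the Reservation model are assumptions).
public function reserve(Request $request)
{
    // validate() returns a 422 JSON response automatically when a rule fails.
    $data = $request->validate([
        'event_id' => 'required|integer|exists:events,id',
        'name'     => 'required|string|max:100',
        'email'    => 'required|email|max:254',
        'seats'    => 'required|integer|min:1|max:4',
    ]);

    // Only the validated fields reach the model; any extra input is dropped.
    $reservation = Reservation::create($data);

    return response()->json(['id' => $reservation->id], 201);
}
```

A key that ships to the browser is visible in the dev tools, so on its own it only screens out accidental traffic; the per-IP throttle and the validation rules are what bound how much junk a deliberate submitter can get into the table.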