1
votes

I'm working on a big project using laravel API and Nuxt Js, never used API before and having concerns regarding the safety of the website.

I'm using JWT (JSON Web Token Authentication for Laravel).

For example, when a user updates its profile password, there is a password and oldpassword with the user ID (taken from Nuxt/Auth) sent to the API. I'm wondering how safe that is? Can someone intercept the request and change the ID to another user's ID? This would allow them to change data for other people or post other stuff without accessing other people's accounts. If it's not safe, how can this be prevented?

Due to only authenticating via nuxt/auth using JWT, there is no authentication validation on the server side for other requests besides logging in. Should I implement Laravel Auth also for login and Auth::check() for every single request?

2
"should I implement laravel Auth also for login and Auth::check() for every single request?" Yes, this can be done through the auth middleware for each request. – Aidan
All data sent back from the user should be untrusted; you should use sessions and auth()->user() to determine the user and variables you may have set. The view can also hold information you can access. – Aidan

2 Answers

1
votes

You are on the right track using JWT. As for how secure it is, ask yourself: how do you send the data from the frontend, did you validate each of the given inputs or not, how and where is the token stored, and is the token static or does it have an expiration date that needs a refresh at each given interval?

To avoid a user updating another user's profile, you need to add more security layers like a model policy or gate, and check the sender ID against the requested data's owner ID (or user ID). Laravel has you covered with that in mind. Please refer to the docs.

You can also make a refresh token method (I believe it was already implemented in the JWT package) and add an expiration date for each given token, then refresh from the client side when it expires. It might seem like a bit of extra work, but it is recommended and considered good practice for security.

And you don't need to do Auth::check() all the time; just use the middleware provided by the plugin you are using and use auth()->user() or Auth::user() to get the current authenticated user's data.
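Putting that advice together, here is an added example (not code from the question or the answers; the controller name, the `User` model and the route are assumed): a Laravel controller behind `auth:api` that takes the caller's identity from the verified JWT, rejects a tampered user ID with 403, and checks the old password before writing the new one.

```php
<?php
// app/Http/Controllers/PasswordController.php (added example, not from the thread)
// Registered in routes/api.php behind the auth:api middleware, e.g.:
//   Route::middleware('auth:api')
//        ->put('/users/{user}/password', [PasswordController::class, 'update']);
namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\ValidationException;

class PasswordController extends Controller
{
    // {user} is resolved by route-model binding from the ID in the URL; the
    // JWT-authenticated caller is $request->user(). The two must match.
    // (Simplest design: drop the ID from the route and only ever use $request->user().)
    public function update(Request $request, User $user)
    {
        // Ownership check: a changed ID yields 403 instead of another user's row.
        // A policy (e.g. UserPolicy::update) or a gate would express the same rule.
        abort_unless($request->user()->is($user), 403);

        // Validate the body; 'confirmed' requires a matching password_confirmation.
        $data = $request->validate([
            'old_password' => ['required', 'string'],
            'password'     => ['required', 'string', 'min:8', 'confirmed'],
        ]);

        // Verify the current password against the stored hash, so a stolen
        // token alone is not enough to rotate the password.
        if (! Hash::check($data['old_password'], $user->password)) {
            throw ValidationException::withMessages([
                'old_password' => ['The current password is incorrect.'],
            ]);
        }

        $user->password = Hash::make($data['password']);
        $user->save();

        return response()->json(['status' => 'ok']);
    }
}
```

Any `user_id` field the client adds to the JSON body is never read, so editing it in an intercepted request changes nothing; the only ID that matters is the one bound to the token.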

0
votes

After hours of digging, I found the best and easiest way: protect routes which need protecting with middleware('auth:api'), and in every axios post or get that requires user validation, attach the "Authorization" header with your token from Auth/Nuxt, which is unique for every user.