Protecting API endpoint when developing two separate apps, Angular app & Laravel app

Question

I've picked up Angular and am now developing two separate applications, the frontend, Angular app, and the backend, the Laravel app.

As of now my backend app is just an API endpoint that handles requests, database interaction, logic, validation, etc.

However, what stops someone from requesting /api/users/1 and getting that data?

Right now there is nothing in place that prevents this from occurring.

What's the best way to prevent this from occurring and verify the request is sent through the application and not through something like http://hurl.it from some random user?

Answer 1

You should first evaluate what routes need to be protected, and who should have access. Sometimes it might be fine to leave them open to the public.

Once you've figured that out you have a few options. I personally lean towards the oAuth 2.0 protocol. Some people find it to be over kill. Then there is also WSSE, I personally feel like today there is far better resources explaining the use of oAuth and would probably be easier to follow.

You can google around for oAuth server libraries for laravel. One such is: https://github.com/lucadegasperi/oauth2-server-laravel

You will also probably want to enable CORS if your angular app is on a different domain from your api. IE: api.example.com (holds api). And example.com is where your app lives.

For CORS laravel also has some packages, one such being: https://github.com/barryvdh/laravel-cors