David

Reputation: 4895

Build a REST API available to authorized apps only (like Facebook) with Laravel

I'm building a REST API with Laravel and now I have a URL like

api.example.com/posts/3/comments

Now I'm wondering how to secure this API because as it's done now, anyone trying to make a GET, POST, ... request on this URL will get positive results.

I want this API to be available to authorized apps only (like Facebook API). For now, those apps are just my website and my iOS app.

I'm thinking about creating a table `applications` to store applications' keys. But I don't know how to authenticate an app without publishing its key (which is obviously insecure).

Any suggestion? Thank you.

Upvotes: 1

Views: 83

Answers (1)

Moris

Reputation: 3083

I would recommend that you use something like JWT. Using it, you create and store a token locally on the device, then every time someone makes a call to the server, you check the token and make sure that they are who they claim to be. You can store tokens for expiration if you like. They're typically used in stateless apps, so you will need to move away from the concept of a server session. You can use middleware to filter HTTP requests entering your application.

Upvotes: 1
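As an added illustration of the answer above (example code written for this page, not code from the question, the answer, or the Laravel project), here is a Laravel middleware that checks the bearer token on every request the way the answer describes. It verifies an HS256 JWT by hand with `hash_hmac`/`hash_equals` so that no extra package is assumed; the config key `services.api.jwt_secret` and the middleware alias `app.token` are hypothetical names chosen for the example. The idea is that each authorized app (the website, the iOS app) is issued a short-lived token by the server after it authenticates, so the app never has to ship a long-lived static key, and a leaked token expires on its own.

```php
<?php
// Added example (not from the question or answer): Laravel middleware that
// verifies an HS256 JSON Web Token sent as "Authorization: Bearer <token>".
// Assumption: the signing secret is stored server-side under the hypothetical
// config key services.api.jwt_secret (sourced from .env, never shipped to clients).

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class VerifyAppToken
{
    public function handle(Request $request, Closure $next)
    {
        $token = $request->bearerToken();
        if ($token === null) {
            return response()->json(['error' => 'missing token'], 401);
        }

        $claims = self::verify($token, (string) config('services.api.jwt_secret'));
        if ($claims === null) {
            return response()->json(['error' => 'invalid or expired token'], 401);
        }

        // Expose the verified claims (e.g. which app this is) to controllers.
        $request->attributes->set('app_claims', $claims);

        return $next($request);
    }

    /**
     * Verify an HS256 JWT and return its claims, or null on any failure.
     * Checks: three dot-separated parts, pinned "alg", HMAC signature, exp/nbf.
     */
    public static function verify(string $jwt, string $secret): ?array
    {
        $parts = explode('.', $jwt);
        if (count($parts) !== 3 || $secret === '') {
            return null;
        }
        [$h, $p, $s] = $parts;

        $header  = json_decode(self::b64uDecode($h), true);
        $payload = json_decode(self::b64uDecode($p), true);
        if (!is_array($header) || !is_array($payload)) {
            return null;
        }

        // Pin the algorithm: never let the token's own "alg" choose the verifier
        // (that is how "alg: none" style bypasses happen).
        if (($header['alg'] ?? null) !== 'HS256') {
            return null;
        }

        // Signature is HMAC-SHA256 over the raw "header.payload" text;
        // hash_equals gives a constant-time comparison.
        $expected = hash_hmac('sha256', "$h.$p", $secret, true);
        if (!hash_equals($expected, self::b64uDecode($s))) {
            return null;
        }

        // Reject expired or not-yet-valid tokens.
        $now = time();
        if (isset($payload['exp']) && $now >= (int) $payload['exp']) {
            return null;
        }
        if (isset($payload['nbf']) && $now < (int) $payload['nbf']) {
            return null;
        }

        return $payload;
    }

    // base64url decoding with padding restored; returns '' on malformed input.
    private static function b64uDecode(string $s): string
    {
        $pad = strlen($s) % 4;
        if ($pad !== 0) {
            $s .= str_repeat('=', 4 - $pad);
        }
        $decoded = base64_decode(strtr($s, '-_', '+/'), true);
        return $decoded === false ? '' : $decoded;
    }
}
```

To apply it, register the class under an alias in `app/Http/Kernel.php` (`$routeMiddleware['app.token'] = \App\Http\Middleware\VerifyAppToken::class;` in Laravel versions that use that file) and attach it to the API routes, e.g. `Route::middleware('app.token')->get('posts/{post}/comments', ...)`. Tokens are minted server-side after the app proves who it is, with a short `exp`, so the secret itself stays on the server and the `applications` table from the question can hold the per-app identity that goes into the token's claims rather than a key the client has to embed.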
