Vue - Larave SPA Frontend api security & Restriction

Question

I'm facing an issue where a former frontend developer who worked on my project has access to my frontend APIs even after quitting. I've implemented Laravel Sanctum for authentication and authorization, along with a username and password system and bearer tokens. Additionally, I've set up Laravel Telescope to monitor the requests made to my API.

Despite these measures, I'm still concerned about the former developer having access to the API. I'm also providing the same APIs to my customers, which makes it even more critical to prevent unauthorized access.

What additional measures can I take to secure my APIs and prevent the former developer from accessing them? Any suggestions or best practices would be greatly appreciated. Thank you.

1. Using sanctum,
2. Using Bearer Token,
3. Username & password,
4. I am monitoring using laravel/telescope and saving logs etc. I am thinking adding one more "api token" too but not sure he can use postman etc and can take too.

Answer 1

If the user has signed an NDA, you shouldn't worry this one. But if not you should create a middleware for this developer, so you can restrict what write-actions this developer can do.

You can create a middleware in a way that is similar to this one:

php artisan make:middleware ReadAccessOnlyMiddleware

then inside the middleware

protected $usernames = ['username@mail.com'];

public function handle($request, Closure $next)
{
    $method = $request->method();


    if (($method !== 'POST' || $method !== 'PUT') && in_array($request->user()->email, $this->usernames)) {
        abort(403);
    }

    return $next($request);
}

Atleast you can control any actions that this developer can perform, or better yet create a request-only API key to this developer and restrict for " X days" in that way you can limit the developer interactions with the API.

it boils down to your company policy on why the developer has access to this API.