Process to secure my REST API with Laravel
I am in the process of designing an application for a customer where the User Interface will be in Angular 6 and the back-end will be in the API. Now, as I am using Angular (SPA), I communicate with the server through JSON and a REST API. Now I need your suggestions on the process to secure my API.

My Analysis -

1) Personal Access Token is not a good idea as the tokens are always long lived. I have already done a demo on the same.

2) Consuming Your API With JavaScript may be a good option, but it uses cookies, and I am not sure whether it will be a good approach or not.

I am open to any good suggestions, including other approaches like JWT, if it proves logical.

Thanks in advance.
php laravel laravel-5
asked Nov 14 '18 at 12:20
Souvik
  • This open-ended, opinion-based type of question is not really appropriate on SO, and it is likely to be closed. See what's on-topic, what's off-topic, and this linked question about suggestion/recommendation questions.
    – Don't Panic
    Nov 14 '18 at 15:12
1 Answer
I suggest you use Laravel Passport. It is a built-in system in the Laravel framework, so you can get a user's personal token and save it in your local storage.
There are a lot of ways to secure your RESTful API, but before that you need to understand exactly which systems will interact with your API.
answered Nov 14 '18 at 12:39
Yur Gasparyan
  • With my API, only my own developed mobile application and web project will interact. Now in Passport there are multiple approaches. So, which approach will be better? Two approaches are mentioned in the question already.
    – Souvik
    Nov 14 '18 at 15:02
  • I don't suggest you use cookies because the cookie is editable by users; also, it is not recommended to save user state in the browser. The personal access tokens are not always long lived; you can set the duration and update the expiration if you need.
    – Yur Gasparyan
    Nov 14 '18 at 15:38
  • I think 'Password Grant Tokens' is the best option for my solution. But I don't want to share the client id and secret with my local applications. So, is it possible for the user name and password to be sent by the web app, and then, after receiving them in the Laravel controller, I fire a POST request from the controller only, with the client id and secret? Lastly, will it use the user model to fetch the records, because I have updated the user model as per my requirement?
    – Souvik
    Nov 14 '18 at 15:39
  • Also, personal access tokens are long lived and the time cannot be changed, as per the Laravel documentation.
    – Souvik
    Nov 14 '18 at 15:41
  • Hey, I have implemented the OAuth with the grant option and it's working as expected. Just one more question, out of the context of OAuth. In a normal project we have middleware to validate all requests (as per configuration), a Controller to handle all the requests and a Model to connect with the database. But how can I manage the service layer where I will write my business logic, like what processing is needed before sending the data? Does Laravel have any option to support the same?
    – Souvik
    Nov 15 '18 at 5:44
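The setup the comments converge on (password grant with the OAuth client id and secret kept on the server, plus the token lifetimes Yur mentions), as an added example that is not from the original post or from the Laravel project: it assumes Passport 7.x on Laravel 5.7, a password-grant client created with `php artisan passport:client --password` whose id and secret are placed in `config/services.php` under a hypothetical `passport` key, and a hypothetical `Api\LoginController`.

```php
<?php
// app/Providers/AuthServiceProvider.php (excerpt). Token lifetimes are set
// here; the 1 hour / 30 day values are assumed, not from the original post.
namespace App\Providers;

use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Laravel\Passport\Passport;

class AuthServiceProvider extends ServiceProvider
{
    public function boot()
    {
        $this->registerPolicies();
        Passport::routes();                                  // registers /oauth/token (Passport 7.x)
        Passport::tokensExpireIn(now()->addHour());          // short-lived access token
        Passport::refreshTokensExpireIn(now()->addDays(30)); // longer-lived refresh token
    }
}

// app/Http/Controllers/Api/LoginController.php (hypothetical). The SPA posts
// only the user's credentials; client_id/client_secret are added server-side
// from config('services.passport.*') (assumed to be filled from .env), so
// the OAuth client secret never reaches the browser or the mobile app.
namespace App\Http\Controllers\Api;

use App\Http\Controllers\Controller;
use Illuminate\Http\Request;

class LoginController extends Controller
{
    public function login(Request $request)
    {
        $creds = $request->validate([
            'email'    => 'required|email',
            'password' => 'required|string',
        ]);

        // Passport resolves 'username' through the user provider of the 'api'
        // guard in config/auth.php, i.e. the application's own User model.
        return $this->issueToken([
            'grant_type' => 'password',
            'username'   => $creds['email'],
            'password'   => $creds['password'],
        ]);
    }

    // Exchange a refresh token for a new short-lived access token.
    public function refresh(Request $request)
    {
        $data = $request->validate(['refresh_token' => 'required|string']);
        return $this->issueToken([
            'grant_type'    => 'refresh_token',
            'refresh_token' => $data['refresh_token'],
        ]);
    }

    // Dispatch an internal request to Passport's /oauth/token endpoint and
    // relay its JSON body (access_token, refresh_token, expires_in) and status.
    private function issueToken(array $params)
    {
        $tokenRequest = Request::create('/oauth/token', 'POST', $params + [
            'client_id'     => config('services.passport.client_id'),
            'client_secret' => config('services.passport.client_secret'),
            'scope'         => '',
        ]);
        $response = app()->handle($tokenRequest);
        return response($response->getContent(), $response->getStatusCode())
            ->header('Content-Type', 'application/json');
    }
}
```

Protected routes then use the `auth:api` middleware with the `api` guard's driver set to `passport` in `config/auth.php`; a failed or expired token yields a 401 from the guard, and the client calls `refresh` rather than re-sending the password.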