Process to secure my REST API with Laravel
I am in the process of designing an application for a customer where the user interface will be in Angular 6 and the back-end will be in the API. Now, as I am using Angular (SPA), I communicate with the server through JSON and a REST API. Now I need your suggestions on the process to secure my API.
My analysis:
1) Personal Access Token is not a good idea as the tokens are always long lived. I have already done a demo on the same.
2) Consuming Your API With JavaScript may be a good option, but it uses cookies, and whether it is a good approach or not I am not sure.
I am open to any good suggestions, including other approaches like JWT, if it proves logical.
Thanks in advance.
php laravel laravel-5
This open-ended, opinion-based type of question is not really appropriate on SO, and it is likely to be closed. See what's on-topic, what's off-topic, and this linked question about suggestion/recommendation questions.
– Don't Panic
Nov 14 '18 at 15:12
asked Nov 14 '18 at 12:20
Souvik
1 Answer
I suggest you use Laravel Passport. It is a built-in system in the Laravel framework, so you can get a user personal token and save it in your local storage.
There are a lot of ways to secure your RESTful API, but before that you need to understand exactly which systems will interact with your API.
With my API, only my own developed mobile application and web project will interact. Now in Passport multiple approaches are there. So, which approach will be better, like the 2 approaches mentioned in the question already?
– Souvik
Nov 14 '18 at 15:02
I don't suggest you use cookies because the cookie is editable by users; also, it is not recommended to save user state in the browser. The personal access tokens are not always long lived. You can set the duration and update the expiration if you need.
– Yur Gasparyan
Nov 14 '18 at 15:38
I think 'Password Grant Tokens' is the best option for my solution. But I don't want to share the client id and secret with my local applications. So, is it possible that the user name and password are sent by the web app, then after receiving the same in the Laravel controller I fire a POST request from the controller only with the client id and secret? Lastly, will it use the user model to fetch the records, because I have updated the user model as per my requirement.
– Souvik
Nov 14 '18 at 15:39
Also, personal access tokens are long lived and the time cannot be changed, as per the Laravel documentation.
– Souvik
Nov 14 '18 at 15:41
Hey, I have implemented OAuth with the grant option and it's working as expected. Just one more question out of the context of OAuth. In a normal project we have middleware to validate all requests (as per configuration), a Controller to handle all the requests and a Model to connect with the database. But how can I manage the service layer where I will write my business logic, like what processing is needed before sending the data? Does Laravel have any option to support the same?
– Souvik
Nov 15 '18 at 5:44
answered Nov 14 '18 at 12:39
Yur Gasparyan
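The server-side proxy discussed in the comments (SPA sends only username and password; the Passport client id and secret stay on the server), written here as an added example that is not code from the question, the answer or the Passport project. It assumes a Passport password-grant client whose credentials live in the assumed config keys services.passport.client_id / client_secret, a route such as POST /api/login mapped to this hypothetical controller, and the documented Passport behaviour that the user is resolved through User::findForPassport($username) when that method exists (otherwise by email), which is what lets a customised User model drive the lookup.

```php
<?php
// In AuthServiceProvider::boot(), after Passport::routes(), the lifetimes of
// password-grant tokens are set with these real Passport methods; the
// expires_in value in the token response reflects them:
//   Passport::tokensExpireIn(now()->addMinutes(30));
//   Passport::refreshTokensExpireIn(now()->addDays(7));

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use GuzzleHttp\Client;
use GuzzleHttp\Exception\ClientException;
use Illuminate\Http\Request;

/**
 * Hypothetical proxy in front of Passport's /oauth/token endpoint.
 * The SPA or mobile app posts only username + password; client_id and
 * client_secret are read from server-side config (assumed keys
 * services.passport.client_id / client_secret, filled from .env), so the
 * secret never ships to the browser or the app bundle.
 */
class TokenProxyController extends Controller
{
    public function login(Request $request)
    {
        $credentials = $request->validate([
            'username' => 'required|string|max:255',
            'password' => 'required|string',
        ]);

        $http = new Client(['timeout' => 5]);

        try {
            // Passport resolves the user via User::findForPassport($username)
            // when that method is defined, otherwise by the email column.
            $response = $http->post(config('app.url') . '/oauth/token', [
                'form_params' => [
                    'grant_type'    => 'password',
                    'client_id'     => config('services.passport.client_id'),
                    'client_secret' => config('services.passport.client_secret'),
                    'username'      => $credentials['username'],
                    'password'      => $credentials['password'],
                    'scope'         => '',
                ],
            ]);
        } catch (ClientException $e) {
            // Passport answers 4xx on bad credentials; collapse every case
            // into one generic error so the client cannot tell a wrong
            // username from a wrong password.
            return response()->json(['error' => 'invalid_credentials'], 401);
        }

        $token = json_decode((string) $response->getBody(), true);

        // Forward only what the client needs; expires_in lets the SPA schedule
        // a refresh instead of holding a long-lived token.
        return response()->json([
            'access_token'  => $token['access_token'],
            'refresh_token' => $token['refresh_token'],
            'expires_in'    => $token['expires_in'],
        ]);
    }
}
```

A matching refresh endpoint would post grant_type=refresh_token with the same server-held client credentials, so the SPA never needs the secret for that flow either.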