
Securing my private API

I'm finishing an API for my own consumption; it's for communicating between my own JavaScript client made with Backbone and my API made with Laravel.

I have a root route that serves all the js necessary to load my app in the browser, and several routes under a group named "api/v1" that serves the JSON that feeds my client app.

I need my user to be able to erase data with that app, like soft deleting old users and modifying other data, but some of that data contains sensitive information that I don't want anybody else to see.

I've been reading some information about OAuth2, and I've seen that "Implicit Grant" is well suited for clients that can't maintain the confidentiality of the Secret key, but it requires that I send the user to a login platform and then redirect him back to the app. But I want to make that with my Client App without affecting my user workflow.

I've seen the "Resource Owner Password Credentials Grant" but it requires that my client stores the Secret Key of my app, and that's not secure.

I think that I'm missing something; can anybody point me in the right direction? Thanks in advance.

You can use Laravel's route filters to protect your routes from unauthorized users. However, since your Laravel application has now become an endpoint only, the frontend framework (in your case it's Backbone) will be doing the heavy lifting as far as authentication and authorization go.

Once you have route filters set, that doesn't prevent authorized users from attempting to do actions that they are not authorized to do.

What I mean by the above is for example:

You have an API endpoint: /api/v1/users/159/edit

The endpoint is one of the RESTful 7, and can be used to edit a user. Any software engineer or developer knows that this is a RESTful endpoint, and if authorized by your application, could send a request with data to that endpoint.

You only want the user 159 to be able to do this action, or administrators.

A solution to this is roles/groups/permissions, whatever you want to call them. Set the users' permissions for your application in your Backbone application.

Read this great article (in AngularJS) on how to authenticate/authorize properly using frontend JavaScript frameworks. Like I said, it's in Angular, but it's the same idea.

Article: https://medium.com/opinionated-angularjs/techniques-for-authentication-in-angularjs-applications-7bbf0346acec
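The two checks the answer describes, written out as an added example (not code from the question, the answer or the linked article): an authentication filter on the whole "api/v1" group, and an ownership-or-admin filter on the routes that modify a user, so the "only user 159 or an administrator" rule is enforced on the server regardless of what the Backbone client shows or hides. It assumes Laravel 4 filter syntax (`Route::filter`, `'before'`), session-based `Auth`, and an assumed boolean `is_admin` column on the users table; the controller names are placeholders.

```php
<?php
// Added example, not from the original page. Assumes Laravel 4-style route
// filters, a session-authenticated Auth facade, and a hypothetical `is_admin`
// boolean attribute on the User model. Controller names are placeholders.

// 1. Authentication: every api/v1 route requires a logged-in user.
//    Returning a response from a filter short-circuits the route, so the
//    Backbone client gets a JSON 401 instead of an HTML login page.
Route::filter('api.auth', function ($route, $request) {
    if (!Auth::check()) {
        return Response::json(array('error' => 'Unauthenticated'), 401);
    }
});

// 2. Authorization: /users/{id} may only be modified by that same user or by
//    an administrator. This runs server-side on every request, because a
//    client-side permission check only decides what UI to render and can be
//    bypassed by anyone who crafts the request by hand.
Route::filter('api.owner-or-admin', function ($route, $request) {
    $targetId = (int) $route->parameter('id');
    $user     = Auth::user();

    $isOwner = ((int) $user->id) === $targetId;
    $isAdmin = (bool) $user->is_admin;   // assumed column, not part of stock Laravel

    if (!$isOwner && !$isAdmin) {
        return Response::json(array('error' => 'Forbidden'), 403);
    }
});

Route::group(array('prefix' => 'api/v1', 'before' => 'api.auth'), function () {
    // Read-only listing: being authenticated is enough.
    Route::get('users', 'UserController@index');

    // Mutating routes: authentication (from the group) plus the ownership
    // check. Route-level 'before' filters are merged with the group's.
    Route::put('users/{id}', array(
        'before' => 'api.owner-or-admin',
        'uses'   => 'UserController@update',
    ));
    Route::delete('users/{id}', array(
        'before' => 'api.owner-or-admin',
        'uses'   => 'UserController@destroy',   // soft delete lives in the controller
    ));
});
```

Because the session cookie is what authenticates these requests, the mutating routes should also carry Laravel's stock `csrf` filter (`'before' => 'csrf|api.owner-or-admin'`) and the Backbone client should send the token with each PUT/DELETE; otherwise a page on another origin could trigger a delete in the logged-in user's name.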
