
How to protect “register” API route in Laravel?

I'm building a back end in Laravel for an Android/iPhone APP. I am currently using JWT-AUTH package for authentication but I have noticed that /register route is pretty much open and if someone wanted, they could create a rogue app and spam my back end with fake registrations.

Is there a way to prevent it? I do not want to use Passport because I would then have to hardcode client_id and client_secret in the mobile app anyway.

The best way would be to alter the constructor of app/Http/Controllers/Auth/RegisterController.php to use the auth middleware instead of guest.

/**
 * Create a new controller instance.
 *
 * @return void
 */
public function __construct()
{
    $this->middleware('auth');
}

This will make it so a user has to be logged in in order to view the register route.

An alternative method would be to manually copy the routes (without the registration routes) from the auth() method in Illuminate\Routing\Router.php and replace Auth::routes() in your web routes file with the following:

// Authentication Routes...
Route::get('login', 'Auth\LoginController@showLoginForm')->name('login');
Route::post('login', 'Auth\LoginController@login');
Route::post('logout', 'Auth\LoginController@logout')->name('logout');

// Password Reset Routes...
Route::get('password/reset', 'Auth\ForgotPasswordController@showLinkRequestForm')->name('password.request');
Route::post('password/email', 'Auth\ForgotPasswordController@sendResetLinkEmail')->name('password.email');
Route::get('password/reset/{token}', 'Auth\ResetPasswordController@showResetForm')->name('password.reset');
Route::post('password/reset', 'Auth\ResetPasswordController@reset');

Doing this will completely remove the registration routes.
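A check for either change described in the answer above, added here as an example and not part of the original post: a Laravel feature test confirming that an unauthenticated client can neither reach /register nor create a user row. It assumes Laravel 5.5 or later, the default users table and default registration fields; the class name and the sample payload are hypothetical.

```php
<?php

namespace Tests\Feature;

use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

// Hypothetical test class; not part of the original answer.
class RegisterRouteLockdownTest extends TestCase
{
    use RefreshDatabase;

    // Constructed sample payload using Laravel's default registration fields.
    private function payload(): array
    {
        return [
            'name' => 'Constructed User',
            'email' => 'constructed@example.test',
            'password' => 'constructed-password-1',
            'password_confirmation' => 'constructed-password-1',
        ];
    }

    public function test_guest_json_post_is_rejected_and_creates_no_user()
    {
        // Same kind of request a mobile client would send: JSON, no session.
        $response = $this->json('POST', '/register', $this->payload());

        // 401: route exists but sits behind the auth middleware (first approach).
        // 404: registration routes were removed entirely (second approach).
        $this->assertContains($response->getStatusCode(), [401, 404]);
        $this->assertDatabaseMissing('users', ['email' => 'constructed@example.test']);
    }

    public function test_guest_browser_request_never_sees_the_form()
    {
        $response = $this->get('/register');

        // 302: auth middleware redirects the guest; 404: route removed.
        $this->assertContains($response->getStatusCode(), [302, 404]);
    }
}
```

Run it with the project's PHPUnit binary after applying one of the two changes; a 200 or a new users row means the registration endpoint is still open to guests.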
