
I have seen some video tutorials, for example for Laravel. There is talk of an API token that is stored in the database for a user and is used for each request in the URL.

For example: www.domain.nl/api/user/1/edit?token=)#(UJRFe0wur0fMjewFJ

  1. Is this a safe way even when you want to update, delete or add?
  2. Can anyone intercept token?
  3. What's the best way?

I hope someone can help me, thanks!

Finwe
Bas

3 Answers


Is this a safe way even when you want to update, delete or add?

No, generally it is not. The token in the URL can be read during the request all along the way. It would be kind of safe if the token were unique and for one-time use only.

Can anyone intercept token?

Yes, almost everyone along the route of the request, unless you use a secured HTTPS connection. Yet even then the token can be discovered, e.g. in access logs etc.

Furthermore, using the token in the URL for GET requests means that the URL with the token will stay in your browser history, which is another potential security risk.

What's the best way?

The best way would be to send the token data in a header or in a POST request field.

Useful links

See the SO Q&A "Is an HTTPS query string secure?"

Finwe
  • The best way ... header or in a POST request field. Header with a curl? And POST field in the business logic? – Bas Jul 12 '16 at 08:08
  • @Bas It surely depends on the particular situation. It being an API, as the URL suggests, I'd go with a token in an HTTP header, as the API will probably be called via cURL or some other low-level HTTP library. – Finwe Jul 12 '16 at 08:17
  • I found this tutorial and it works fine https://www.youtube.com/watch?v=j2B5EfMvExU Is this a good way? – Bas Jul 12 '16 at 11:31

Doing authorization only by token in GET doesn't seem to be a good idea to me.

I would recommend using Laravel's Authentication middleware. https://laravel.com/docs/5.2/authentication

In Laravel there is a csrf token, which is not used to authenticate 'user' within a site though. Maybe they're talking about this one.

porkbrain

1. Is this a safe way even when you want to update, delete or add?

A token is as sensitive as other credential information like a password. It can be used to access restricted privileges. Preferably, don't pass it by query string in the URL.

2. Can anyone intercept token?

If you are using HTTPS, it will be secured. But your logs and browser caches will store the entire URL including the token, which is not nice.

3. What's the best way?

Put it in the Authorization field of the header:

    Authorization: Bearer <YOUR TOKEN>

It will be encrypted when you are using HTTPS as well. It does not get cached and recorded in logs.

Laravel already supports this kind of request. It will know how to access this automatically using this Request method:

```php
use Illuminate\Support\Str;

// Illuminate\Http\Request::bearerToken(): returns the token that follows
// "Bearer " in the Authorization header, or null when the header is absent
// or uses a different scheme.
public function bearerToken()
{
    $header = $this->header('Authorization', '');

    if (Str::startsWith($header, 'Bearer ')) {
        return Str::substr($header, 7);
    }

    return null;
}
```
geckob
  • I found this tutorial and it works fine https://www.youtube.com/watch?v=j2B5EfMvExU Is this a good way? – Bas Jul 12 '16 at 11:31
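The header-based approach recommended in Finwe's and geckob's answers, as an added framework-free example (not code from the question, the answers or Laravel itself). The function names, the in-memory `$db` array standing in for the users table, and the sample token are all constructed for the illustration.

```php
<?php
declare(strict_types=1);

/**
 * Read the token from "Authorization: Bearer <token>" and from nowhere else.
 * A ?token=... query parameter is deliberately ignored, so a valid token
 * never has to appear in access logs, proxy logs or browser history.
 */
function extractBearerToken(array $headers): ?string
{
    foreach ($headers as $name => $value) {
        // Header names are case-insensitive, so normalise before comparing.
        if (strtolower($name) === 'authorization'
            && preg_match('/^Bearer\s+(\S+)$/', trim((string) $value), $m)) {
            return $m[1];
        }
    }
    return null;
}

/**
 * Resolve the request to a user id, or null when unauthenticated.
 *
 * Only a SHA-256 digest of each token is kept (like a password hash, a leaked
 * table does not hand out usable tokens). SHA-256 without a slow KDF is fine
 * here because API tokens are long random strings, not user-chosen passwords.
 * $tokenDigests maps digest => user id and stands in for the database.
 */
function authenticateRequest(array $headers, array $tokenDigests): ?int
{
    $token = extractBearerToken($headers);
    if ($token === null) {
        return null;
    }
    return $tokenDigests[hash('sha256', $token)] ?? null;
}

// Constructed sample data: user 1 owns the token "abc123xyz".
$db = [hash('sha256', 'abc123xyz') => 1];

var_dump(authenticateRequest(['Authorization' => 'Bearer abc123xyz'], $db));
var_dump(authenticateRequest(['authorization' => 'Bearer wrong-token'], $db));
// Token supplied only in the query string: no header, so it is rejected.
var_dump(authenticateRequest([], $db));
```

In a real deployment the lookup in authenticateRequest would hit the users table; the token itself is only ever transmitted inside the TLS-protected request body/headers, never in the URL.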