
I recently started working on a personal project with Laravel as an API and AngularJS for the frontend. It is the first time I have designed an API myself, and everything I do is through tutorials and videos.

I ended up with a question in my head about security and URL manipulation, but I understand that it could be a generic question, so I will use specific examples and create other questions for different cases.

Let's say that I have a point system in my web app where after a specific action, I have to give points to the user.

First, we have the AngularJS code as a service:

PointsServices.$inject = ['$http', '$cookies', 'API_Base'];
function PointsServices($http, $cookies, API_Base) {
    var service = this;

    // Sends the number of points to add as a query-string parameter and
    // attaches the JWT from the cookie as a bearer token.
    service.addPoints = function(points, onSuccess, onError) {
        $http.get(API_Base + 'user/addpoints?points=' + points, {
            headers: { 'Authorization': 'Bearer ' + $cookies.get('token') }
        }).then(function(response) {
            onSuccess(response);
        }, function(response) {
            onError(response);
        });
    };
}

It is just a service that takes the number of points to add to the user. Then it takes the JWT token from the cookies and adds it to the headers for backend authentication. Let's move on to the backend with Laravel:

use Illuminate\Http\Request;

class PointsController extends Controller
{
    public function addPoints(Request $request)
    {
        $user = \Helpers::getUserFromToken();

        // The helper returns a JSON response instead of a user when the token
        // is missing, invalid or expired; hand that response straight back.
        if ($user instanceof \Illuminate\Http\JsonResponse) {
            return $user;
        }

        // The number of points is read directly from the query string.
        $points = $request->input('points');
        $user->points += $points;

        $user->save();

        return response()->json(['message' => "User's points added", 'status' => '200']);
    }
}

And \Helpers::getUserFromToken() is a helper function with JWT where I authenticate the user like this:

public static function getUserFromToken()
{
    try {
        // JWTAuth is the tymon/jwt-auth facade. parseToken() reads the bearer
        // token from the Authorization header and throws a JWTException when
        // none is present, so it belongs inside the try block.
        $token = JWTAuth::parseToken();

        // Verify signature and expiry, then load the user the token identifies.
        if (!$user = $token->authenticate()) {
            return response()->json(['user_not_found'], 404);
        }
    } catch (\Tymon\JWTAuth\Exceptions\TokenExpiredException $e) {
        return response()->json(['token_expired'], $e->getStatusCode());
    } catch (\Tymon\JWTAuth\Exceptions\TokenInvalidException $e) {
        return response()->json(['token_invalid'], $e->getStatusCode());
    } catch (\Tymon\JWTAuth\Exceptions\JWTException $e) {
        return response()->json(['token_absent'], $e->getStatusCode());
    }

    return $user;
}

And now, let's wear the hat of the evil user. I open the developer console and go to the network tab, or just look at the source code. I check the exact URL that the app uses and take the token from the cookies, local storage, or directly from the headers after a successful call. Then I use Postman or any other software to call the API with the token of my user account as follows:

First case:

  1. Add any number of points to my account directly from the URL by changing the value of the points variable.
  2. Instead of changing the points variable, I write a script that, once every 5-10 minutes or at random intervals, calls the API URL to give me just one point.

How should I avoid those cases of URL manipulation, and what can I do, specifically for Laravel 5 and AngularJS 1.5?

Tasos
  • It's difficult to answer this question without understanding the actions by which points are accrued. Check this out: http://stackoverflow.com/a/5250687/7377984 – Paras Jan 16 '17 at 19:21

1 Answer


You have to let your server/back-end (Laravel in your case) calculate the points based on your business logic.

So, for example, if you are giving points to the user based on a check-in activity, you have to send a request to the server to do the logic and determine whether this user deserves points, so you can send something like:

activity_type=checkin&location_id=123

Droid
  • This could solve the first part, but how do you prevent a user from creating API calls manually? Let's say with the above URL he could either call the same URL again or change the location ID – Tasos Jan 15 '17 at 20:17
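A server-side version of what the answer describes, and of the follow-up in the comment about replayed or hand-crafted calls, added here as an example; it is not code from the question, the answer, or the tymon/jwt-auth project. It assumes Laravel 5.x with tymon/jwt-auth installed, a `locations` table with a `points` column, and a `check_ins` table with a UNIQUE index over (user_id, location_id, checked_in_on); the table names, the `ActivityController` class and the route are all assumptions.

```php
<?php
// Added example (not from the question or the answer). The client sends only
// activity_type and location_id; the number of points is never an input.
// Assumed schema: `locations` has an integer `points` column; `check_ins` has
// user_id, location_id and checked_in_on (a DATE) with a UNIQUE index over the
// three columns, so a replayed or scripted request cannot be credited twice.
//
// Assumed route, registered in routes/api.php (Laravel 5.3+):
//   Route::post('activity', 'ActivityController@store')
//       ->middleware(['jwt.auth', 'throttle:60,1']);
// `jwt.auth` rejects requests without a valid token before the controller runs;
// `throttle:60,1` is Laravel's built-in rate limiter (60 requests per minute).

namespace App\Http\Controllers;

use Illuminate\Database\QueryException;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Tymon\JWTAuth\Facades\JWTAuth;

class ActivityController extends Controller
{
    // The activities the server knows how to score. Anything else is rejected
    // by validation below.
    const ACTIVITIES = ['checkin'];

    public function store(Request $request)
    {
        // 1. Identity comes from the verified JWT, never from the URL or body.
        $user = JWTAuth::parseToken()->authenticate();

        // 2. Validate the shape of the request. A `points` parameter is not in
        //    the rule set, so adding one to the request changes nothing.
        $this->validate($request, [
            'activity_type' => 'required|in:' . implode(',', self::ACTIVITIES),
            'location_id'   => 'required|integer|exists:locations,id',
        ]);

        $location = DB::table('locations')
            ->where('id', $request->input('location_id'))
            ->first();

        try {
            DB::transaction(function () use ($user, $location) {
                // 3. Business rule: one credited check-in per user, location
                //    and day. The UNIQUE index enforces it even when two
                //    identical requests arrive at the same time.
                DB::table('check_ins')->insert([
                    'user_id'       => $user->id,
                    'location_id'   => $location->id,
                    'checked_in_on' => date('Y-m-d'),
                    'created_at'    => date('Y-m-d H:i:s'),
                ]);

                // 4. The award is whatever the server stores for this location,
                //    applied atomically in the database.
                DB::table('users')
                    ->where('id', $user->id)
                    ->increment('points', (int) $location->points);
            });
        } catch (QueryException $e) {
            // SQLSTATE 23000 = integrity constraint violation: the unique index
            // fired, so this check-in was already credited today. Award nothing.
            if ($e->getCode() === '23000') {
                return response()->json(['message' => 'already checked in today'], 409);
            }
            throw $e;
        }

        return response()->json([
            'message' => 'check-in recorded',
            'points'  => $user->fresh()->points,
        ]);
    }
}
```

This does not stop a user from calling the endpoint by hand with their own token, and nothing can: the token is theirs and the request is well-formed. What it does is make such calls harmless. The client cannot choose the amount (it is not an input), cannot invent a location (the `exists` rule rejects unknown IDs), cannot be credited twice for the same location on the same day (the unique index and the 409 path), and cannot hammer the endpoint indefinitely (the throttle middleware). A scripted call every few minutes therefore earns exactly what one legitimate check-in would. The AngularJS service would change to a `$http.post` sending only `{ activity_type: 'checkin', location_id: id }` with the same bearer header.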