2

I am creating a SPA using Angular 2 & Lumen 5.4. Let's just say there are two routes: one GET route that returns JSON data to display, and one POST route for uploading files to the database. It's an in-house app that will have no login (this is out of my hands).

How can I properly secure the endpoints? For the POST upload form I could include a hidden token, but that isn't secure at all. All of the authentication tutorials for Lumen involve user login, which is not an option for me.

Any examples or tutorials would really help, since I have always used user authentication in the past.

ghan
    Security without any sort of credentials? I mean there is token based authentication but that token still needs to be based on something. – Alex Harris May 23 '17 at 16:18
  • Yes, without credentials. I can't do anything about it since I'm building the app for somebody else. This is how they want it. – ghan May 23 '17 at 16:59
  • 1
    Without any kind of credentials this will be hard to implement. Maybe you could limit the app to internal IP addresses (middleware), but it is not bulletproof, nor is it a nice solution. – Tim May 23 '17 at 18:10

2 Answers

7

You can use simple middleware and MySQL, e.g.:

<?php
namespace App\Http\Middleware;

use App\ApiKey;
use Closure;

class ApiMiddleware
{
    /**
     * Handle an incoming request.
     *
     * Rejects the request unless the value of the Authorization header
     * matches an api_key stored in the database.
     *
     * @param  \Illuminate\Http\Request $request
     * @param  \Closure $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        // Look up the presented header value in the api_keys table.
        $tokenValid = ApiKey::where('api_key', $request->header('Authorization'))->exists();

        if (!$tokenValid) {
            // Unknown or missing key: stop here and do not reach the route.
            return response()->json('Unauthorized', 401);
        }

        // Known key: hand the request on to the next middleware / controller.
        return $next($request);
    }
}

API_KEY could be some random string; just use str_random(64) and save it to the database. Then with every request you should attach this token as an Authorization header. Simple and secure.

Last but not least, don't forget to register it afterwards.

wujt
  • This is definitely more secure than what I was going to do. I'm off work now and won't be able to implement it until tomorrow, but quick question... Would it be more secure to encrypt/hash the `API_KEY`? And would it be more secure if I did something like have a hidden field on the front end (which is public, I know) and an `API_KEY` on the back end, and you have to unhash/decrypt both and combine them? – ghan May 23 '17 at 22:14
  • Of course you can use the `encrypt()` and `decrypt()` helpers provided by Laravel. It depends on how sensitive the data on the server is. – wujt May 23 '17 at 22:22
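As an added example (not wujt's code and not part of the original answer), here is the same middleware idea with the key stored only as a SHA-256 hash and compared in constant time, which answers the hashing question raised in the comments. It assumes a hypothetical `api_keys` table with a `key_hash` column, an `App\ApiKey` Eloquent model, and clients sending `Authorization: Bearer <key>`.

```php
<?php
namespace App\Http\Middleware;

use App\ApiKey;
use Closure;

// Added example: assumes a hypothetical api_keys table with a key_hash column.
class HashedApiKeyMiddleware
{
    /**
     * Generate a new key for a client. Only the hash is persisted, so a
     * leaked database row does not yield a usable key. Returns the plaintext
     * key exactly once, to be handed to the client out of band.
     */
    public static function issueKey(): string
    {
        $plain = bin2hex(random_bytes(32));          // 64 hex chars, CSPRNG
        ApiKey::create(['key_hash' => hash('sha256', $plain)]);
        return $plain;
    }

    public function handle($request, Closure $next)
    {
        // bearerToken() is an Illuminate\Http\Request helper that strips "Bearer ".
        $presented = $request->bearerToken();
        if ($presented === null || strlen($presented) < 32) {
            return response()->json(['error' => 'Unauthorized'], 401);
        }

        // Hash the presented key and look up that hash; the plaintext never
        // touches the database or the query log.
        $hash   = hash('sha256', $presented);
        $stored = ApiKey::where('key_hash', $hash)->value('key_hash');

        // hash_equals() compares in constant time, avoiding a timing side
        // channel on the final string comparison.
        if ($stored === null || !hash_equals($stored, $hash)) {
            return response()->json(['error' => 'Unauthorized'], 401);
        }

        return $next($request);
    }
}
```

Note that a key shipped inside a public SPA is readable by anyone who can load the page, so this narrows who can call the endpoints rather than identifying a user; it also makes key rotation cheap, since revoking a row is enough.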
1

You could use security based on IP address or something like that, but it is the first time that I see something like your question. At any point of your app, if you want security, you need credentials. Of course, you can always make other kinds of auth, like entering the phone number or the email and I send you a token which you'll introduce in a further form; otherwise, I don't know what else to do in a situation like that.

bretanac93