I am experimenting with Laravel 5.6 to build an ecom store API. The front-end will be a separate Angular application. I have most of it working, but I want to understand how to guard my order-recording endpoint so no one except my Angular application can create the orders. I have looked at the Passport package but cannot see a solution which might help.
- [CORS](https://spring.io/understanding/CORS) (I felt lucky!). Also read this: https://stackoverflow.com/questions/39909419/jwt-vs-oauth-authentication – Kyslik May 07 '18 at 15:39
- Salvation is in authenticating the user creating the order... the browser SPA app will be pretty much impossible to secure... Token auth requires that the token remain a secret and not be sniffed (thus TLS...). In a commerce app, I would authenticate myself and then order/manage my orders... unless properly authenticated, one cannot enter an order... Auth forms should have CSRF tokens... Once a session is established, you can then trust the requests... – Serge May 07 '18 at 15:51
1 Answer
I'd recommend https://github.com/neomerx/cors-psr7 to handle the cross-domain requests. However, as headers can be easily faked, don't mistake this for solid security on its own. For that, I'd recommend guarding your endpoints with JWT tokens. I highly recommend https://github.com/tymondesigns/jwt-auth for simple authentication. You can think of it as a tool for managing stateless session tokens: a way to securely have a SPA communicate with your API. If you need more granular control of permissions, that's when you look to Laravel/Passport, or something else like https://github.com/spatie/laravel-permission.

kmuenkel
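To make the distinction in the answer concrete (CORS headers are not authentication; a verified token is), here is an added example in plain PHP that is not code from the answer, from Laravel, or from tymondesigns/jwt-auth. It mints an HS256 JWT the way a login endpoint would after checking the password, verifies it the way an `auth` middleware would, and runs a guard for the order endpoint over a few constructed requests. The secret, the `sub`/`exp` claim names, the function names and the sample values are assumptions chosen for illustration; jwt-auth's guard performs an equivalent signature-and-expiry check for you, and the secret in a real deployment belongs in config, not in source.

```php
<?php
declare(strict_types=1);
// Added example: plain-PHP HS256 JWT issue/verify plus the guard an order
// endpoint's middleware performs with it. Not code from the answer or from
// tymondesigns/jwt-auth; secret, claim names and function names are
// assumptions chosen for illustration.

function b64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

// Strict decode: null for anything that is not valid base64url.
function b64url_decode(string $data): ?string
{
    $pad = strlen($data) % 4;
    if ($pad !== 0) {
        $data .= str_repeat('=', 4 - $pad);
    }
    $out = base64_decode(strtr($data, '-_', '+/'), true);
    return $out === false ? null : $out;
}

// What the login endpoint does once the password has been checked: mint a
// short-lived token bound to the user id ("sub").
function issue_token(array $claims, string $secret): string
{
    $header  = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url_encode(json_encode($claims));
    $sig     = b64url_encode(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

// Returns the claims, or null for a malformed token, an unexpected "alg"
// (including alg=none), a bad signature or an expired "exp". hash_equals()
// keeps the signature comparison constant-time.
function verify_token(string $token, string $secret, int $now): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(b64url_decode($h) ?? '', true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }
    $given = b64url_decode($s);
    if ($given === null || !hash_equals(hash_hmac('sha256', "$h.$p", $secret, true), $given)) {
        return null;
    }
    $claims = json_decode(b64url_decode($p) ?? '', true);
    if (!is_array($claims) || !is_int($claims['exp'] ?? null) || $claims['exp'] <= $now) {
        return null;
    }
    return $claims;
}

// The check the order endpoint's middleware performs. It never consults
// Origin: any HTTP client can send "Origin: https://shop.example", so CORS
// headers say nothing about who is calling. Returns the authenticated user id.
function authorize_order_request(array $headers, string $secret, int $now): ?int
{
    if (!preg_match('/^Bearer\s+(\S+)$/', $headers['Authorization'] ?? '', $m)) {
        return null;
    }
    $claims = verify_token($m[1], $secret, $now);
    if ($claims === null || !is_int($claims['sub'] ?? null)) {
        return null;
    }
    return $claims['sub'];   // the user the order is recorded against
}

// --- constructed demo values (assumptions, not real configuration) ---
$secret = 'constructed-demo-secret-use-32-random-bytes-in-real-config';
$now    = 1525700000;
$token  = issue_token(['sub' => 42, 'iat' => $now, 'exp' => $now + 3600], $secret);

// A forged token: same header and signature, payload rewritten to sub=1.
[$h, , $s] = explode('.', $token);
$forged = $h . '.' . b64url_encode(json_encode(['sub' => 1, 'iat' => $now, 'exp' => $now + 3600])) . '.' . $s;

$cases = [
    'Origin header only, no token'      => [['Origin' => 'https://shop.example'], $now],
    'valid token'                       => [['Authorization' => "Bearer $token"], $now],
    'valid token, two hours later'      => [['Authorization' => "Bearer $token"], $now + 7200],
    'payload rewritten, old signature'  => [['Authorization' => "Bearer $forged"], $now],
];
foreach ($cases as $label => [$headers, $at]) {
    $user = authorize_order_request($headers, $secret, $at);
    printf("%-34s -> %s\n", $label, $user === null ? 'rejected' : "accepted as user $user");
}
```

Run it with `php` on the command line. The request that carries only an `Origin` header is the case the answer warns about: the CORS layer might happily answer it, but the guard rejects it because there is no verifiable token, and the forged-payload case shows why the signature check, not the presence of a token, is what ties the order to a user. Because the token is the only credential, it must travel over TLS and be kept out of places an attacker's script can read, as the comments above point out.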