
I have

a Laravel app with the route

Route::put('/api/{deviceMac}/access/update','DeviceController@update');

Rule

If user A has deviceMac 000000000000, user A should only be making a PUT to

http://www.app.com/api/000000000000/access/update
{deviceMac:000000000000, access: true}

If user B has deviceMac 111111111111, user B should only be making a PUT to

http://www.app.com/api/111111111111/access/update
{deviceMac:111111111111, access: true}

User A should not be able to hijack the update route of other users.

Hijacking

User A should have access to 000000000000 only.

Right now, User A can tweak the HTTP request and make a PUT as User B:

http://www.app.com/api/111111111111/access/update
{deviceMac:111111111111, access: false}

Questions

How do I prevent other users from hijacking the request payload as other users?

Should I adjust my middleware to take care of this issue?

code-8

1 Answer

Have a token-based system.

Have some sort of sign-in, or even something as simple as: when a user opens your app, you send a request to your server with the MAC address of the current user and generate a token (`bin2hex(random_bytes(30))`; note this will generate a 60-character token, which may or may not seem excessive) which is assigned to this MAC address.

Then, you can create a custom middleware that checks if the MAC address being sent has a token AND that the token matches the MAC address it was assigned to at startup.

On sign-out, don't forget to invalidate the token, and if you don't have a sign-out, keep tokens alive on a time basis (actually, this step is advisable even if you have an explicit sign-out button).

Finally, I would highly recommend that you update to the latest version of Laravel as you seem to be falling quite behind. The current version is 5.7 compared to your 5.1.

Script47
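As an added illustration (not code from the question or the answer), here is one way to implement the middleware the answer describes in a current Laravel version: the bearer token presented must have been issued for the MAC address in the route, and the `deviceMac` in the request body must match as well. The `device_tokens` table, its columns (`mac`, `token_hash`, `expires_at`), the class name and the twelve-hour lifetime are assumptions chosen for this example.

```php
<?php
// Added example, not part of the original question or answer.
// Assumed schema: device_tokens(mac, token_hash, expires_at).

namespace App\Http\Middleware;

use Carbon\Carbon;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

class EnsureDeviceTokenMatchesRoute
{
    // Called at sign-in / app startup. The plaintext token is returned to the
    // client once and only its hash is stored, so a leaked table is not
    // directly usable as credentials.
    public static function issue(string $mac): string
    {
        $token = bin2hex(random_bytes(30)); // 60 hex characters, as in the answer

        DB::table('device_tokens')->updateOrInsert(
            ['mac' => $mac],
            [
                'token_hash' => hash('sha256', $token),
                'expires_at' => Carbon::now()->addHours(12), // assumed lifetime
            ]
        );

        return $token;
    }

    // Called at sign-out: invalidating means deleting the stored hash.
    public static function revoke(string $mac): void
    {
        DB::table('device_tokens')->where('mac', $mac)->delete();
    }

    public function handle(Request $request, Closure $next)
    {
        $token    = $request->bearerToken();         // Authorization: Bearer <token>
        $routeMac = $request->route('deviceMac');    // {deviceMac} segment of the URL
        $bodyMac  = $request->input('deviceMac');    // deviceMac field of the JSON body

        if ($token === null || $routeMac === null) {
            return response()->json(['error' => 'unauthenticated'], 401);
        }

        $record = DB::table('device_tokens')
            ->where('token_hash', hash('sha256', $token))
            ->first();

        if ($record === null || Carbon::now()->greaterThan(Carbon::parse($record->expires_at))) {
            return response()->json(['error' => 'invalid or expired token'], 401);
        }

        // The decisive check: the MAC this token was issued for must equal the
        // MAC in the route AND, if present, the MAC in the payload. A valid
        // token for 000000000000 therefore cannot update 111111111111.
        $routeOk = hash_equals($record->mac, (string) $routeMac);
        $bodyOk  = $bodyMac === null || hash_equals($record->mac, (string) $bodyMac);

        if (!$routeOk || !$bodyOk) {
            return response()->json(['error' => 'forbidden'], 403);
        }

        return $next($request);
    }
}

// In routes/api.php (or app/Http/Kernel.php as a named middleware):
// Route::put('/api/{deviceMac}/access/update', 'DeviceController@update')
//     ->middleware(\App\Http\Middleware\EnsureDeviceTokenMatchesRoute::class);
```

The point of comparing the stored MAC against both the route segment and the body field is that the controller should never have to trust either value on its own; after this middleware runs, `{deviceMac}` is guaranteed to be the device the caller actually holds a token for. Returning 403 rather than 404 on a mismatch is a design choice; use 404 if you prefer not to confirm that the other device exists.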