I'm building the backend with Laravel and then using Vue as the front-end. Data is accessed over API calls using axios. Now I have this relatively simple task but I can't seem to find the proper solution. I want one of the routes to be easily consumable by Vue components without the need to log in; however, I don't want that route to be publicly available for anyone to use.

Things I have tried:

  • Using Passport to protect my routes and then using Passport's CreateFreshApiToken middleware. Protection works fine: unauthorized users are not able to access the routes. However, I don't get laravel_token in my cookies and therefore I can't get access to that route if I'm not logged in.
  • Using Passport's client credentials grant. Works fine and the way I want it to work, but doesn't really make sense, because if I hardcode the client_secret, anyone can access it and then use it to access protected routes. If I make a proxy-like solution that calls a controller method which would issue a valid token, thus not exposing client_secret to the front-end, then anyone could just call that route which issues the token and it would be pointless once again.
Matrix
  • I don't understand the business logic behind this: "I want one of the routes to be easily consumable by Vue components without the need to log in, however I don't want that route to be publicly available for anyone to use." – Sachin Kumar Mar 03 '21 at 17:45
  • @SachinKumar Let's say an API is fetching weather data, I want to use this in my app but I don't want this API to be publicly accessible for anyone to just get the weather information. It should be accessible from my application but inaccessible from, let's say, Postman or something – Matrix Mar 03 '21 at 18:44
  • So then just whitelist your application domain into the allow headers in cors configuration. – Sachin Kumar Mar 04 '21 at 01:42
  • Is there no elegant way of doing this? – Matrix Mar 04 '21 at 09:54
  • This is not related to Laravel or anything framework-specific. It is a server-side configuration that is possible with CORS. – Sachin Kumar Mar 04 '21 at 09:58
  • Found a more elegant solution, check my answer – Matrix Mar 04 '21 at 10:39

1 Answer

Apparently the answer is pretty simple and I was overcomplicating things. I don't know if this is the right/elegant way to do this, but basically, if you don't need your API to be accessible from other applications (which I didn't), we can just put the routes in web.php instead of api.php. This will ensure that the web middleware is used, and so it will use the basic CSRF token validation, which is totally sufficient for protection against outside requests. You can also leave the route in api.php and just use the web middleware on that route. The outcome is exactly what I needed: the application is getting data over a route without any need to log in AND that route is not available over Postman or anything else.

Matrix
  • It would be better if you showed the kernel.php, web.php and api.php, because if you use the web middleware on the APIs then you have to send the CSRF token like we do in an AJAX request from the web interface. – Sachin Kumar Mar 04 '21 at 14:05
  • Yes, I faced the issue of the CSRF token. I keep getting "csrf token mismatch" (and in theory it should be easily solvable, https://stackoverflow.com/questions/32738763/laravel-csrf-token-mismatch-for-ajax-post-request, but I couldn't manage to get it working), but that is only if I put the route in api and use the web middleware; if I put that route in web, it works fine. – Matrix Mar 04 '21 at 14:35
  • If the solution solves the issue then you should go with it. – Sachin Kumar Mar 04 '21 at 14:53
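The following is an added example of the approach the answer describes (it is not code from the question, the answer, or the Laravel project): a routes/web.php entry that lets the Vue front-end fetch data without a login while relying on the `web` middleware group's CSRF check. The endpoint path `/internal/weather` and the response payload are made-up placeholders. One detail worth knowing before choosing this approach: Laravel's `VerifyCsrfToken` middleware skips validation entirely for the read methods GET, HEAD and OPTIONS, so the route has to be declared as POST (or another state-changing method) for the CSRF check to apply at all; a GET route in web.php still answers a plain request from any client.

```php
<?php
// Added example, not from the question or answer.
// routes/web.php: everything declared here is wrapped in the 'web'
// middleware group (EncryptCookies, StartSession, VerifyCsrfToken, ...).
// The path and the payload below are constructed placeholders.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Declared as POST on purpose: VerifyCsrfToken only validates the token
// on methods other than GET/HEAD/OPTIONS, so a GET route here would
// still be reachable from Postman without any token.
Route::post('/internal/weather', function (Request $request) {
    // Validate the caller-supplied input before using it.
    $data = $request->validate([
        'city' => 'required|string|max:100',
    ]);

    // Constructed sample payload standing in for a real upstream lookup.
    return response()->json([
        'city'  => $data['city'],
        'tempC' => 21,
    ]);
});

// Equivalent if the route must stay in routes/api.php: the 'api' group
// has no CSRF middleware, so attach the 'web' group explicitly there:
// Route::post('/internal/weather', WeatherController::class)->middleware('web');
```

On the Vue side nothing special is needed beyond what axios already does: when a request is made from a page that passed through the `web` group, Laravel has set the `XSRF-TOKEN` cookie, axios reads that cookie and sends it back as the `X-XSRF-TOKEN` header, and `VerifyCsrfToken` accepts it. The "csrf token mismatch" error in the comments above is typically the cookie never having been issued (for example, when the front-end is served from a different origin or the first request goes only through the `api` group). Keep in mind what this control actually guarantees: it ties each request to a session cookie issued by your own origin, which stops arbitrary cross-site and tool-driven POSTs, but it is not authentication and does not hide the data from anyone who can load the page.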