
I'm building the backend with Laravel and then using Vue as the front-end. Data is accessed over API calls using axios. Now I have this relatively simple task, but I can't seem to find the proper solution. I want one of the routes to be easily consumable by Vue components without the need to log in; however, I don't want that route to be publicly available for anyone to use. I'm talking about the GET request and not the POST request with a CSRF token.

Let me add an example; here is my route:

Route::get('MyFAQS',[\App\Http\Controllers\FaqController::class,'getQuestions']);

And the Vue JS:

        axios.get('api/MyFAQS')
        .then(response => {
            this.FAQ = response.data;
            console.log(this.FAQ);
        })
        .catch(error => {
            console.log("can not get FAQ: " + error)
        })

In this situation anyone can also make a GET request to https://mywebsite.com/api/MyFAQS and use my data on their website. How can I protect it?

Buildermine
  • Does this answer your question? [How does Google Maps secure their API Key? How to make something similar?](https://stackoverflow.com/q/2256305/283366) – Phil Dec 03 '21 at 00:08
  • @Phil not sure, I saw HTTP_REFERER, and I tried it and it works perfectly, but I think the referrer can be manipulated and sent back to my server – Buildermine Dec 03 '21 at 00:29
  • Without any other form of authentication / authorisation, you're in the realms of _"best effort"_ – Phil Dec 03 '21 at 00:32
  • JavaScript is client code. In the absence of authentication, there is no way to "protect" a resource while still allowing client access to it. – miken32 Dec 03 '21 at 00:40
  • The only way to get close to protecting a route without some sort of authentication is using request blocking by origin. You can set up your back-end code to deny all requests from origins outside your desired origins, such as your front-end. This can easily be done in Laravel with middleware. – jgetner Dec 03 '21 at 00:47
  • @jgetner please go ahead and post an example – Buildermine Dec 03 '21 at 01:14

1 Answer


API tokens are one of the ways to go. Try https://laravel.com/docs/8.x/sanctum or https://laravel.com/docs/8.x/passport
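As an added example (not code from the question, the answer, or Laravel itself), here are both approaches side by side: the best-effort origin check from jgetner's comment as a Laravel middleware, and the real protection from this answer, a route behind `auth:sanctum`. The class name `RestrictOrigin`, the allowed origin `https://mywebsite.com`, and the file paths are assumptions.

```php
<?php
// app/Http/Middleware/RestrictOrigin.php (assumed path; example, not from the page)
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class RestrictOrigin
{
    /** @var string[] Origins allowed to call the route (assumed value). */
    private array $allowed = ['https://mywebsite.com'];

    public function handle(Request $request, Closure $next): Response
    {
        // Browsers send Origin on cross-site fetch/XHR; same-site GETs may carry only Referer.
        $origin = $request->headers->get('Origin')
            ?? $this->originOf($request->headers->get('Referer'));

        if ($origin === null || !in_array($origin, $this->allowed, true)) {
            // Both headers can be set freely by a non-browser client, so this only
            // deters hot-linking from other sites; it is not authentication.
            return response()->json(['message' => 'Forbidden'], 403);
        }

        return $next($request);
    }

    // Reduce a Referer URL to its scheme://host[:port] origin, or null if unparsable.
    private function originOf(?string $referer): ?string
    {
        if ($referer === null) {
            return null;
        }
        $p = parse_url($referer);
        if (!isset($p['scheme'], $p['host'])) {
            return null;
        }
        return $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
    }
}

// routes/api.php
// Best effort: deny requests whose Origin/Referer is not the front-end.
Route::middleware(\App\Http\Middleware\RestrictOrigin::class)
    ->get('MyFAQS', [\App\Http\Controllers\FaqController::class, 'getQuestions']);

// Actual protection: require a Sanctum token (Bearer header or SPA cookie session).
Route::middleware('auth:sanctum')
    ->get('MyProtectedFAQS', [\App\Http\Controllers\FaqController::class, 'getQuestions']);
```

With Sanctum's SPA mode, the Vue app on the same top-level domain authenticates once via the session cookie and axios sends it automatically, so the component code in the question does not need to change.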