API
Greg Popov, 2019-11-08 12:08:13

How to close access to the API and allow it only from the application?

So: there is an application, everything is behind normal authorization (web:authmiddleware); the user is logged in and doing their own thing.
There is a list data view that needs to be built in Vue, for convenient sorting, filtering, etc.
How do I authorize a Vue request to the API without issuing additional JWT tokens on top of the regular session, without reinventing the wheel, and keeping the process transparent?
The API and the application are one app on Laravel. web:authmiddleware doesn't work for the api section.


4 answer(s)
Alexander Aksentiev, 2019-11-08
@Gregpopov

Just make a route in web.php and call it with AJAX as usual. The current CSRF token still has to be passed along, though.
The session will be picked up as usual, as when other "server" routes are running.
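
Added example, not part of the original answer: a sketch of the AJAX side of this approach, a same-origin request that rides on the session cookie and sends Laravel's X-CSRF-TOKEN header on state-changing calls. The origin, paths and token values used with it are constructed, and the helper names are hypothetical; the csrf-token meta tag follows the convention in Laravel's documentation.

```javascript
// Added example: helper names, paths and sample values are assumptions.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Build fetch() arguments for a same-origin call authenticated by the session cookie.
function buildSessionRequest(appOrigin, path, { method = "GET", body, csrfToken } = {}) {
  const url = new URL(path, appOrigin);
  // Refuse absolute or protocol-relative URLs that point elsewhere,
  // so the CSRF token is never sent outside the application.
  if (url.origin !== new URL(appOrigin).origin) {
    throw new Error(`refusing cross-origin request to ${url.origin}`);
  }
  const verb = method.toUpperCase();
  // Accept: application/json makes Laravel answer 401 instead of redirecting to the login page.
  const headers = { Accept: "application/json", "X-Requested-With": "XMLHttpRequest" };
  const init = { method: verb, credentials: "same-origin", headers };
  if (!SAFE_METHODS.has(verb)) {
    // Laravel's CSRF middleware only verifies state-changing requests.
    if (!csrfToken) throw new Error(`CSRF token required for ${verb}`);
    headers["X-CSRF-TOKEN"] = csrfToken;
    headers["Content-Type"] = "application/json";
    init.body = JSON.stringify(body ?? {});
  }
  return { url: url.toString(), init };
}

// Map the response status to what the Vue component should do next.
function classifyStatus(status) {
  if (status === 401) return "login";      // session missing or expired
  if (status === 419) return "reload";     // Laravel: CSRF token mismatch
  if (status === 403) return "forbidden";  // logged in, but not allowed
  return status >= 200 && status < 300 ? "ok" : "error";
}

// Browser entry point; the token comes from
// <meta name="csrf-token" content="{{ csrf_token() }}"> in the Blade layout.
async function callApp(path, options = {}) {
  const meta = document.querySelector('meta[name="csrf-token"]');
  const { url, init } = buildSessionRequest(window.location.origin, path,
    { ...options, csrfToken: meta && meta.content });
  const res = await fetch(url, init);
  const outcome = classifyStatus(res.status);
  if (outcome !== "ok") throw new Error(outcome);
  return res.json();
}
```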

Nikita Trofimov, 2019-11-08
@trofProg

If I understand correctly, then perhaps CORS? That is, if you only need to allow access to the API from one place, for example, by host or port.

Anton Anton, 2019-11-08
@Fragster

It may help to add the middleware needed for sessions to the api route group in kernel.php. And in auth.php, of course, change the guard to session.

Igor, 2019-11-08
@IgorPI

What prevents you from using a single authorization server?
For example, I implemented it in the following way.
Here is my stack:
Nuxt
Symfony
I want to get categories.
The route /categories.get is protected.

var request = require("request");

// GET the protected /categories.get route, sending the JWT as a Bearer token
var options = {
  method: 'GET',
  url: 'http://127.0.0.160:8091/categories.get',
  qs: { lvl: '0', offset: '0', count: '100' },
  headers: {
    'Authorization': 'Bearer eyJhbGciOiJIUzUxMiJ9.eyJpYXQiOjE1NzMyMTE3NzAsIm5iZiI6MTU3MzIxMTc3MCwiZXhwIjoxNTczMjE1MzcwLCJ1c2VyX2VtYWlsIjoiYWRtaW5AbWFpbC5jb20ifQ.0-VX8Pbv9l-ELXOoPV_6DTP1166X5DUvHZobXHh5xed2FRbNbbGMFrrai7khnApfywQeZjzasrqVwmcgrDq4kg',
    'cache-control': 'no-cache'
  }
};

request(options, function (error, response, body) {
  if (error) throw new Error(error);

  console.log(body);
});

Outcome.
API and Nuxt are protected by the same token.
How is routing secured in Nuxt?
import {ACCESS_TOKEN} from "../store/mutation-types"

// Nuxt route middleware: the navigation proceeds only with a token the API accepts
export default async function ({store, redirect, $axios}) {
  // The token itself is not written to the console
  const token = store.getters[ACCESS_TOKEN]
  if (!token) {
    return redirect("/login")
  }

  try {
    // Ask the API to check the token; code === 0 means it was accepted
    const {code} = await $axios.$post(`${process.env.api}/security.checkAccessToken`, {token})
    if (code === 0) {
      console.info("Token verified!")
      return // continue to the requested route
    }
    console.info("Token not verified!")
    return redirect("/login")
  } catch (e) {
    console.info(e)
    return redirect("/login")
  }
}

My answer:
Unified authorization server.
