I have PHP application in Symfony 2.8 and its all REST API in ec2
Frontend is hosted in separate EC2. I am using ELB.
Now I want that only my reactjs front should be able to call API endpoint and if other try via curl or postman then it should not work.
Also I want to have some part like /public to open to public so that anyone can access that.
I am not sure if its possible to do at Symfony level or secuirty groups or NACL or ALB level.
Any ideas?
First of all you can just implement authentication and you reactjs app will only that can access this with the right credentials.
Or you can maybe verify the user-agent. You can create a specific user-agent for your react js app and check it in your endpoint.
Related
I'm a noob at REST API and anything concerning proper etiquette of frontend/backend communication so I apologize in advance if this is some very basic stuff.
I have a single-page React application that's hosted with Github Pages.
The backend with the rest API is hosted on Heroku.
As placeholders I'll refer to the main application URL as https://frontend.com
and the backend endpoint as https://backend.com
The REST API is configured at two endpoints https://backend.com/api/get and https://backend.com/api/post
I'm currently trying to make it so these endpoints can be accessed/fired from the frontend url so something like:
https://frontend.com/api/get
https://frontend.com/api/post
I'm struggling to make this work given the constraint of it being a single-page application, and anything attempt at trying to directly access any other endpoint but the index is met with an error 404: page not found.
Is this possible to accomplish with how things are set up currently?
I have a nextjs app that I'm using to process stripe payments that I've deployed to Vercel. The app is simply a form with tons of functionality built in but requires the use of an api (which is why I'm using nextjs). What is the best way to get this into a php site? I need to access the nextjs api in order to communicate with stripe. Otherwise I would have just built the react app in the php site and rendered it on the page in question per usual. I've never done this before, so please any recommendations would be huge.
Here are the options I've come up with:
iframe. I've never been a huge fan of these, but figured this was an option. I can render my app via iframe on the php site.
use the vercel deployed nextjs app strictly for the api and build the react form into the php site. Then I would simply change the api requests to point to the vercel deployed nextjs app instead of a local api.
Are there better more efficient methods?
Try vercel-php, a PHP runtime for Vercel. Using the configuration described in the README, you can use a PHP repository as your backend and fetch data from there for your NextJS app.
Alternatively, you can use this directly in your NextJS repository and instead of having the api folder inside the pages directory, just have it as a top-level directory
I have created a public mobile app that use REST API (created with PHP Slim Framework).
I'd like to restrict public access to those API to only people that are using my app, in order to avoid people to getting the API url and pasting it into their browser to easily access my content, for example.
I have found some methods for authentication, but the problem is that my app is already public so if I set an authentication method on my server, then I have to edit my client app too, but people with old app versions could not access API so the app would be useless.
What is the best options I have in this case, to set restrictions to my API without editing the client app?
Thanks
You need something from your app that can be controllable from your api. Such as modal that shows a message that they need to download the new version to continue use.
The logic will be, when the Client app tries to access your Rest API server, check the version from the client app and reject it, then have a message to download latest app.
If you don't have this, the only way you can do is notify your users about the critical update in your application.
I have an app that uses ember-simple-auth for Google authentication. All requests to my PHP backend are authorized with a Google access token, which the backend checks with Google before doing anything else. I understand ember-simple-auth has a testing package, but how would I go about testing this app?
The backend is a part of the app's repository, under app/api/.
An approach would be to customise the PHP code depending on the environment (importing config/environment.js), but it's on the backend and it's written in PHP.
You don't want your ember cli tests to depend on the backend so you can simply use ember-simple-auth-testing which will give you a readily authenticated session without interacting with the server at all.
I'm trying to implement Google Drive API. They have quick start example here which is using Google OAuth 2.0. Using for a web application where user will use drive api for creating folder and save files, edit files etc.
Now the problem is OAuth 2.0 is redirecting the page and for authCode and then back to callbackUrl again ie. the usual way. Is there any way so that I can get the authCode without redirecting the url, by using cURL or some library that can do that without redirecting.
I'm using PHP for this app.
We currently offer an alternative flow for installed apps that doesn't redirect back to an app but outputs the exchange code. In order to be sure that user is explicitly giving permissions to your application, we need to intercept the flow for a user action.
If there are no end users involved in your use case, you may like to take a look at the service accounts: https://developers.google.com/accounts/docs/OAuth2ServiceAccount Service accounts also provide impersonation for Google Apps domains.