how to make POST action from another server - Laravel - php

How can I make a POST request from another server to my Laravel server?
I have a website from another provider (let's say domainA.com); they have a CMS system, so I can make my custom pages. The question is, I want to make a form on domainA.com and post it to domainB.com (my original server). How can I do that in Laravel? As far as I understand I should use the api route file for this. Is it secure to make such a POST request? Because as far as I understand there is no token protection on api requests, right?
Sorry for my English. I am most interested in the security side of such an action; if you show me an example, it would be appreciated.

Laravel 5.4 has 2 route groups: web and api.
The web group is used for all requests that come from the current Laravel application. Laravel uses a CSRF token with every request to make sure every request is coming from its own page, to prevent cross-site scripting.
The api group is for requests that are fired from an external server. For this group the CSRF protection is disabled.
Remember: CSRF protection ONLY checks whether the request is from your site; it does not handle authentication or authorization.
To secure your API you can use JSON Web Tokens (JWT). There is a package that will handle the authentication parts for APIs.
If you want to keep it really simple you can write a middleware for all API calls that checks whether the request carries a special value (your personal token) before giving access to the API.

It's possible to accept a POST request on a Laravel route, and you can define the route in either the web.php or api.php route file, but below are the differences.
web.php
Routes in web.php will block the form without a CSRF token.
To avoid that you can add the route to the except array in the VerifyCsrfToken.php file.
api.php
Routes will work directly, but the API URL will be Example.com/api/<route>.
But for security you can share an access token for the routes, and in the controller you can verify the requests with the access token and allow the post.
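Both answers above describe the same thing: a shared secret checked by a middleware on an api.php route, which is not covered by Laravel's CSRF check. The following is an added example of that middleware, not code from either answer; the class name, the `X-Api-Token` header, the `api_token` form field, the `services.form.token` config key and the `/api/contact` route are all assumed.

```php
<?php
// file: app/Http/Middleware/VerifyApiToken.php (added example, names assumed)
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class VerifyApiToken
{
    public function handle(Request $request, Closure $next)
    {
        // The secret is read from config, which in turn reads it from .env:
        // config/services.php -> 'form' => ['token' => env('FORM_API_TOKEN')]
        $expected = (string) config('services.form.token');

        // Accept the token from a header (AJAX) or from a hidden field (plain HTML form).
        $given = (string) ($request->header('X-Api-Token') ?? $request->input('api_token', ''));

        // hash_equals() compares in constant time, so a wrong token cannot be
        // distinguished byte by byte through response timing.
        if ($expected === '' || !hash_equals($expected, $given)) {
            return response()->json(['error' => 'unauthorized'], 401);
        }

        return $next($request);
    }
}

// file: app/Http/Kernel.php - register the middleware under a short alias
// protected $routeMiddleware = [
//     // ...
//     'api.token' => \App\Http\Middleware\VerifyApiToken::class,
// ];

// file: routes/api.php - no CSRF middleware runs here, so the token check stands in for it.
// The resulting URL is https://domainB.com/api/contact
Route::post('/contact', 'ContactController@store')->middleware('api.token');
```

A token placed in a form served from domainA.com is visible to anyone who views that page's source, so this only stops casual posting; serve both sites over HTTPS and rotate the value when needed.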

You are right, this communication is not secure.
What you can do is a chained token code.
Start with a code, and every time you contact server B it will give you a new code that you will need to use for the next message.
I know it's not as beautiful a solution, but I can't think of anything else.
You could implement your own API framework, but you would spend a lot of time.

Related

Securing REST API in PHP

All my database-related files are in the config folder (fetch, post, update, delete), and I'm using AJAX on the client side to use that data. My question is how I can secure my API files. I've studied JWT and I think it is only for user login and signup. I want that when someone opens my API URL like 'http://localhost/config/getPosts.php' they should be authenticated before they can see the posts. I've also used basic auth, but it is not secure according to my research.
What you want to do is create a way to check if the user is currently logged in with JWT (usually done with a middleware) and if not return a 401 error. Then assign the middleware to those routes so you protect them with the JWT check.

PHP Slim framework generates CSRF Token on each connection

Currently I am trying to build a website with Slim as backend and AngularJS as frontend. Therefore I took a look at several tutorials and demo projects. This was the most interesting one: https://github.com/alexdebril/slim-angular
Out of the box I have a problem with the CSRF implementation. In this project the CSRF protection is implemented in the middleware, in order to apply to every connection. Good or not is irrelevant.
But when I install all the dependencies with composer and npm, the project is not working well, because every server connection gets a new CSRF token that will be stored in the PHP session.
So on the main page of this project there is an Angular form that sends a string secured with the CSRF token to the server. The server then only replies with the same string and the Angular controller prints it out. When I trigger the form submit the first time, everything is fine, but on the second submit the server responds with an error 400 because it has a new CSRF token that Angular does not have yet.
But the creator of this example project could not have made such an error, could he? Why does my Apache create a new CSRF token for each connection with the same user? And how can I solve this problem?
My dependencies:
slim\slim v3.8.1
slim\csrf v0.7.0
angular v1.6.4 (route, aria, material, ui-bootstrap, cookie, http-auth-interceptor)
So how can I have only one CSRF token for each user?
Or how do I have to update the tokenizer service in Angular in order to always use the newest CSRF token? Or do I need a watcher to detect this?
It would appear they're using slim-csrf, which fortunately has a setting to disable regenerating the CSRF token on every request. According to the GitHub readme:
By default, Slim\Csrf\Guard will generate a fresh name/value pair after each request. This is an important security measure for certain situations. However, in many cases this is unnecessary, and a single token throughout the user's session will suffice. By using per-session requests it becomes easier, for example, to process AJAX requests without having to retrieve a new CSRF token (by reloading the page or making a separate request) after each request.
So, in /php/middleware.php, just set the 6th parameter to true, and leave the rest as null. For a list of what the other 5 options do, you can just take a look at the source.
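The setting the answer refers to, as an added example rather than the slim-angular project's own middleware.php. The constructor argument order and defaults (prefix, storage, failure callable, storage limit 200, strength 16, persistentTokenMode) are taken from the slim/csrf 0.7 source as I read it; the `/csrf` route and the `$app` variable are assumed.

```php
<?php
// php/middleware.php (added example, not the project's file)
use Slim\Csrf\Guard;

$storage = null; // null => Guard keeps the token pairs in $_SESSION

// Only the sixth argument changes: one name/value pair now survives for the
// whole session instead of being replaced after every request.
$csrf = new Guard('csrf', $storage, null, 200, 16, true);
// Equivalent setter form, clearer when the other arguments stay at their defaults:
// $csrf->setPersistentTokenMode(true);

$app->add($csrf);

// Hand the single pair to Angular once; in persistent mode the first POST no
// longer invalidates it, so the second submit does not hit a 400.
$app->get('/csrf', function ($request, $response) use ($csrf) {
    return $response->withJson([
        'name'  => $request->getAttribute($csrf->getTokenNameKey()),
        'value' => $request->getAttribute($csrf->getTokenValueKey()),
    ]);
});
```

The trade-off the readme mentions is real: a per-session token that leaks once (for example through a log or a referrer) is usable for the rest of the session, so keep the session cookie HttpOnly and Secure.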
I removed Slim's own CSRF package (slim/csrf) because there are several problems with it in combination with Angular.
Instead I now use XSRF tokens that are transmitted in the header. Angular can handle this just fine and completely out of the box.

Laravel backend, Angular2 on another server

I drew up this flowchart to explain, but it's all over-complicated.
I just can't wrap my head around how this will work.
Front end: Server 1 - Angular2
Back end: Server 2 - Laravel 5.3
At the moment the back end has an auth token enabled with Passport.
I can fetch and send any info where I enable the middleware API.
But how do I set up a middleware API for the front end of the website to access and a different one for user profiles?
Or do I not require this? Do I just render all data requested from the site in JSON and make the Angular2 front end render it? Then with the authentication, when a user logs in, send back a token instead of a session?
I would love it if anyone knows of any tutorials of a Laravel 5.3 back end with an Angular2 front end on another server.
Well, the correct workflow in your case would be:
A user logs in; you send a request to the Laravel server requesting a token.
This token is stored in the session and will be used for future requests.
Angular will render the responses based on the requests made.
So, you say:
But how do I set up a middleware API for the front end of the website to access and a different one for user profiles?
Well, because they are on different servers, the view in this case will be rendered just by Angular; you should find a way to handle permissions so the UI will know what to do. In this case, you cannot put an auth middleware to "block" access to the view, because the view will be rendered by something other than Laravel.

How to manage sessions with Laravel 5.0 as backend

I am developing a web application in Laravel. Now I'm in the process of creating an Android app. I need to create a web service (back end) in Laravel, but I don't know how to manage the sessions (auth) in the requests.
My idea is to create a unique token for every session and store it in a database. So every request needs the token to be included, and my backend will check whether the token is valid or not.
How can I modify the login functionality that comes with Laravel 5.0 to create and return the token?
I read the documentation and some articles on the internet, but it is still not clear to me.
You can create a token during registration of the app which should correspond with the user id. This token will be used together with the user id any time you call any of your APIs to authenticate the user.
You can create a filter named custom_authentication and check the token's validity inside that filter. Now just apply this filter before every route which you want to be authenticated.
Using only a simple authentication token is not very secure; you need to go with HTTPS always.
If you want to make the API secure with HTTP, you might have to implement OAuth with the help of packages like this.

AngularJS + Laravel 5 Authentication

While building my SPA with AngularJS, I came to the point where I want to implement user authentication in my AngularJS website. However, I have no idea where to start and what the best practices are.
Basically I have a user that can have one or more roles. I've looked for examples so I could get a basic understanding of how to handle this properly, but so far I've only come across examples that are very simple or are not so secure (like this).
So my question is, how do I implement an authentication service using REST (or custom API URLs) to authenticate a user, and then display the user information on the page using AngularJS, while also ensuring the best security coverage by using (for example) the CSRF token from Laravel?
Thanks in advance,
Nick van der Meij
I'm making an AngularJS app and a RESTful API made with Laravel 5 for the backend, and my approach for the authentication was:
Installed jwt-auth. It basically extends the Auth model of Laravel, adding authorization with tokens.
Added a simple role package to Laravel. I used permiso. It has multiple roles per user and permissions per role. Very simple.
Added jStorage to the frontend (you can use an AngularJS module instead).
So the steps are:
Frontend sends user credentials (email and password).
Server checks; jwt-auth makes a token for that user and sends it back.
Frontend saves the token in the browser storage (no CSRF needed with this approach).
All subsequent calls to the API are made with an Authorization: Bearer header (or with ?token=...).
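The login step of the flow described above, as an added example and not the answerer's code. It uses the `JWTAuth::attempt()` and `JWTAuth::parseToken()->authenticate()` calls and the `jwt.auth` route middleware of the tymon/jwt-auth package as documented for its Laravel 5 releases; the controller and route names are assumed.

```php
<?php
// file: app/Http/Controllers/AuthController.php (added example, names assumed)
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use JWTAuth;
use Tymon\JWTAuth\Exceptions\JWTException;

class AuthController extends Controller
{
    // Step 1 + 2: frontend posts email/password, server answers with a signed token.
    public function login(Request $request)
    {
        $credentials = $request->only('email', 'password');

        try {
            // attempt() checks the credentials against the users table and
            // returns false, not an exception, when they are wrong.
            if (!$token = JWTAuth::attempt($credentials)) {
                return response()->json(['error' => 'invalid_credentials'], 401);
            }
        } catch (JWTException $e) {
            // Signing failed (e.g. missing JWT_SECRET); never leak the reason to the client.
            return response()->json(['error' => 'could_not_create_token'], 500);
        }

        return response()->json(compact('token'));
    }

    // Step 4: a call that carries "Authorization: Bearer <token>" resolves to a user.
    public function me()
    {
        $user = JWTAuth::parseToken()->authenticate();
        return response()->json($user);
    }
}

// file: routes/api.php
// Route::post('auth/login', 'AuthController@login');
// The jwt.auth middleware rejects missing, invalid or expired tokens with 400/401
// before the controller runs, which is the 401 check the other thread asked about.
// Route::get('auth/me', 'AuthController@me')->middleware('jwt.auth');
```

Keeping the token in browser storage does sidestep CSRF, but it means any script injected into the page can read it, so output encoding and a Content-Security-Policy on the frontend carry the weight the CSRF token used to.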
I like the same approach that #neoroger takes, using JSON Web Tokens with jwt-auth. I used the Satellizer package for storing the token on the front end and sending it along with each request to the API afterwards.
I put together a couple of tutorials that show how to implement the two packages if you are interested:
https://scotch.io/tutorials/token-based-authentication-for-angularjs-and-laravel-apps
http://ryanchenkie.com/token-based-authentication-for-angularjs-and-laravel-apps/
