Started a new Conversation Laravel Passport Limit A Users Access To Own Content.
So I searched around and couldn't find any questions/answers that fit my specific use case.
I have a resource controller, we'll call it SettingsController. This controller is designed to allow a client to go into our dashboard and adjust all their settings with the "Store" and "Edit" functions inside the controller.
Then it is output as a JSON API resource collection through the "Show" function.
I installed Laravel Passport, and put the auth api middleware into the SettingsController.
$this->middleware('auth:api', ['only' => ['show']]);
Now the client would generate an access token in our dashboard and put it into our remote app installed on their website. Then that remote app would be able to make calls to the Settings API to get the needed information for that client's setup.
This works all fine and dandy with the exception of one issue, and that is that any client can use his access token to access any other client's settings/details. I.e. Client #1 can view Client #2, #3, #4 (and so on) settings/details using their own access token (and vice versa).
All they have to do is change the URL from /api/{client_id #1} to /api/{client_id #2}, and their access token works for them all. As one could imagine, being able to see other people's details could lead to leaks of said details.
So my question is, is it possible to limit a client's access token to only view content that belongs to the same user_id as the access token creator? Making it so if Client #2 tries to access Client #1's settings with their own access token, they would get an unauthorized response.
I was thinking maybe this could be done using a scope, but not sure.
Thanks for your help.
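One way to enforce the ownership check asked about above, as an added example that is not the original poster's code and not a Passport feature: a policy that compares the token's user to the row's user_id, enforced with authorize() in the controller. It assumes an App\Setting model with a user_id column, an App\Http\Resources\SettingResource API resource, and a route /api/settings/{setting} using implicit route model binding; all of those names are assumptions. Passport scopes describe what a token may do (e.g. read settings), not whose rows it may read, so the "same user_id as the token creator" rule belongs in authorization, where it also covers a client editing the id in the URL.

```php
<?php
// Added example (not the poster's code). Assumed names: App\Setting model with
// a user_id column, App\Http\Resources\SettingResource, and a route
// GET /api/settings/{setting} in routes/api.php pointing at SettingsController@show.

// app/Policies/SettingPolicy.php
namespace App\Policies;

use App\Setting;
use App\User;

class SettingPolicy
{
    // Only the owner of the row may view it. $user is resolved from the
    // Passport bearer token by the auth:api guard, never from the URL.
    public function view(User $user, Setting $setting): bool
    {
        return (int) $user->id === (int) $setting->user_id;
    }
}

// app/Providers/AuthServiceProvider.php (relevant part)
namespace App\Providers;

use App\Policies\SettingPolicy;
use App\Setting;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Laravel\Passport\Passport;

class AuthServiceProvider extends ServiceProvider
{
    // Map the model to its policy so authorize('view', $setting) finds it.
    protected $policies = [
        Setting::class => SettingPolicy::class,
    ];

    public function boot()
    {
        $this->registerPolicies();
        Passport::routes();
    }
}

// app/Http/Controllers/SettingsController.php
namespace App\Http\Controllers;

use App\Http\Resources\SettingResource;
use App\Setting;

class SettingsController extends Controller
{
    public function __construct()
    {
        // Same middleware as in the question: the token must be valid first.
        $this->middleware('auth:api', ['only' => ['show']]);
    }

    // Implicit binding loads the Setting by the id in the URL; the policy then
    // decides whether the token's user is allowed to see that particular row.
    public function show(Setting $setting)
    {
        // Throws AuthorizationException (rendered as HTTP 403) when the token
        // belongs to a different user than the row, whatever id was requested.
        $this->authorize('view', $setting);

        return new SettingResource($setting);
    }
}
```

If you would rather not reveal that another client's id exists, scope the lookup to the token owner instead (for example `$request->user()->settings()->findOrFail($id)` given a settings() relationship on User) so a foreign id produces a 404; the policy version above gives the explicit 403 "unauthorized" response the question asks for.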
Replied to Single Admin Registration With Laravel:auth
After doing more research on the forums, I didn't find exactly what I needed. But I think I came up with a reasonable way to get around this without being too much work, or posing much of a security risk.
So I just created a new middleware.
MaxAdmins.php middleware:
namespace App\Http\Middleware;

use App\User;
use Closure;

class MaxAdmins
{
    public function handle($request, Closure $next)
    {
        // Refuse the registration POST as soon as any user account exists.
        if (User::count() > 0) {
            return redirect('/')->with('alert', 'Maximum quantity of Admins already registered!');
        }

        return $next($request);
    }
}
Assigned it in Kernel.php:
protected $routeMiddleware = [
    'maxadmin' => \App\Http\Middleware\MaxAdmins::class,
];
Then in the routes file, I extracted out the POST request for register and attached that newly created middleware.
web.php file:
Auth::routes();
Route::post('register', 'Auth\RegisterController@register')->middleware('maxadmin');
Now they can still view the registration form, but when they try to submit it, the request passes through the middleware; if the current user count exceeds 0, it fails and redirects the user back to the home page with an error saying the maximum number of admins has already been reached.
Since it instantly redirects away from the register POST before it reaches the controller and enters details into the database, I can't see any reason why this would potentially cause any security risks?
I may also add an environment variable that allows them to increase the number of admins that can register as well.
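A variant of the middleware above that takes the limit from configuration (the environment variable the reply mentions) and guards both the GET and the POST for /register, as an added example that is not the poster's code. It assumes config/auth.php contains `'max_admins' => env('MAX_ADMINS', 1)` and Laravel 5.x-style 'Controller@method' route strings; the config key and the JSON error message are assumptions. Reading the value through config() rather than env() keeps it working after `php artisan config:cache`, and re-declaring both register routes behind the middleware hides the form once the limit is reached instead of relying on a later Route::post() overriding the one Auth::routes() registered.

```php
<?php
// Added example (not the poster's code). Assumes config/auth.php has
//   'max_admins' => env('MAX_ADMINS', 1),
// and that the middleware is registered in app/Http/Kernel.php as
//   'maxadmin' => \App\Http\Middleware\MaxAdmins::class,

// app/Http/Middleware/MaxAdmins.php
namespace App\Http\Middleware;

use App\User;
use Closure;

class MaxAdmins
{
    public function handle($request, Closure $next)
    {
        // Configurable cap; defaults to a single admin when the key is unset.
        $limit = (int) config('auth.max_admins', 1);

        if (User::count() >= $limit) {
            // Same check for showing the form and for the POST, so the form
            // disappears as soon as the cap is reached. API callers get 403.
            if ($request->expectsJson()) {
                return response()->json(['message' => 'Registration is closed.'], 403);
            }

            return redirect('/')->with('alert', 'Maximum quantity of Admins already registered!');
        }

        return $next($request);
    }
}

// routes/web.php (facades written fully qualified here because this
// example file declares a namespace above; in the real routes file plain
// Auth:: and Route:: work through the usual aliases).
\Illuminate\Support\Facades\Auth::routes(['register' => false]);

\Illuminate\Support\Facades\Route::middleware('maxadmin')->group(function () {
    // Re-add the two stock registration routes behind the cap. Keep the
    // 'register' route name so route('register') links in Blade still resolve.
    \Illuminate\Support\Facades\Route::get('register', 'Auth\RegisterController@showRegistrationForm')
        ->name('register');
    \Illuminate\Support\Facades\Route::post('register', 'Auth\RegisterController@register');
});
```

One caveat that applies to the original middleware as well: the count and the insert are two separate queries, so two registration submissions arriving at the same instant could both see a count below the limit. For a single-admin install that is an acceptable risk; if you raise MAX_ADMINS on a busy instance, repeat the count inside the transaction that creates the user.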
Replied to Single Admin Registration With Laravel:auth
I thought about seeding it automatically during deployment. But the issues I foresaw was:
#1: This is an open source project, so I can't predict any aspect of a users desired login/email.
#2: Being open source if they don't change away from the default login details, it's open potentially from any attacker that finds the source and therefore the defaults.
#3: Having the most novice of users find and fill in their desired details into a seeder on a command line isn't very intuitive, and would require more work on educating them how to do it in the long run.
Started a new Conversation Single Admin Registration With Laravel:auth
So I'm working on a small project for a dashboard that connects to a user's personal site via a plugin; it just collects some details and saves them all in the dashboard for that admin to view later.
Now for this I need just a single user registration. (Only the 1 admin, nobody else will ever register/login.)
I found I could easily use the built in Laravel Auth package for this. And then once the admin registers, just use this inside the web.php file:
Auth::routes(['register' => false]);
And that would disable all registration forms for anyone else who tries accessing the site later. But making the admin go into the files and change that value from "true" to "false" after he creates his account can cause unnecessary complication, and if they forget to do it, it could easily allow other users to register and view these collected details (which the admin would not want).
So I was trying to think of a way to make it automatically disable registration after one user makes an account. Something like this:
if ($users >= 1) {
    Auth::routes(['register' => false]);
} else {
    Auth::routes(['register' => true]);
}
But would it be okay to pull the User model into web.php and use it to count the number of users in the database to accomplish this one-admin registration max rule?
Or would this be considered very messy? And there's a better alternative one could suggest?
Thanks for your time.