Can I make this API more secure?

Posted 2 months ago by moukbel

Hi,

1 - The user fills the form to buy something.
2 - Encode the form data and send it to the API.
3 - The API checks and releases the product.

form:

<form method="POST" action="https://..API" @submit="encodeForm">
  <input type="hidden" name="QUANTITY" :value="q">
  <input type="hidden" name="CURRENCY" :value="currency">
  <input type="hidden" name="EMAIL" :value="match">

  <input type="hidden" name="m_sign" :value="m_sign">
  ...
  ..
  <button type="submit">buy</button>
</form>

Vue method

encodeForm(e) {
    e.preventDefault();
    axios.get('/encode', {
        params: {
            currency: 'usd',
            quantity: 2,
            id: 1
            // ...
        }
    })
    .then((response) => {            // arrow function keeps `this` bound to the component
        this.m_sign = response.data;
        // Vue updates the DOM asynchronously: submit only after the hidden input is re-rendered
        this.$nextTick(() => e.target.submit());
    });
}

encode.php

public function encode(Request $request)
{
    $secret = '123';

    // fields taken from the query string sent by the Vue method
    $arHash = [
        $request->input('id'),
        $request->input('currency'),
        $request->input('quantity'),
        $request->input('m_curr'),
        $request->input('m_desc'),
    ];

    $m_key = md5($secret);
    $arHash[] = $m_key;

    $sign = strtoupper(hash('sha256', implode(':', $arHash)));

    return $sign;
}

API.php:

class API extends Controller
{
    public function API(Request $request)
    {
        $secret = '123';

        // Rejecting queries from IP addresses not belonging to the original website
        if (!in_array($request->ip(), ['123.123.12.1'])) {
            abort(403);
        }

        // HMAC signature check at this point using $secret key.
        // Same fields, same order and same appended key as encode(), or the hashes never match.
        $arHash = [
            $request->input('id'),
            $request->input('currency'),
            // ...
        ];
        $arHash[] = md5($secret);
        $sign_hash = strtoupper(hash('sha256', implode(':', $arHash)));

        // hash_equals() rather than ==: constant-time and no PHP type juggling
        if (!hash_equals($sign_hash, (string) $request->input('m_sign'))) {
            abort(403);
        }

        // Check the original price/currency to make sure the buyer didn't change it.

        // release the product
    }
}


Should I use Laravel Passport for this?
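As an added example (not moukbel's code, and not part of Laravel), here is how the signing step can move entirely server-side so that no public /encode endpoint is needed. In the posted flow the browser asks /encode to sign whatever id, currency and quantity it sends, so anyone can obtain a valid m_sign for a tampered order; the secret is also mixed into the signed data (md5($secret) appended to the string) instead of being used as an HMAC key, and the signature is compared with ==. Note too that the form is posted from the buyer's browser, so a check of the remote address against the website's own IP will reject every real buyer; it is the signature, not the source IP, that proves the form came from your page. The example signs the order when the checkout page is rendered, with price and currency read from the server's own product table plus a nonce and an expiry; the API recomputes the HMAC with hash_hmac(), compares it with hash_equals(), rejects expired or replayed forms, and re-checks the price against the catalogue before releasing the product. The SECRET constant, the CATALOGUE array and the $usedNonces array are stand-ins for configuration, the products table and a database table of consumed nonces; all three are assumptions for the demo, as is the field list.

```php
<?php
declare(strict_types=1);

// Added example, not the poster's code. Stand-ins (assumptions for the demo):
//   SECRET      -> load from config/.env in a real app, never a literal like '123'
//   CATALOGUE   -> the products table
//   $usedNonces -> a database table of consumed nonces
const SECRET      = 'replace-with-32-random-bytes-loaded-from-env';
const CATALOGUE   = [
    1 => ['price' => '19.99', 'currency' => 'USD'],
    2 => ['price' => '5.00',  'currency' => 'EUR'],
];
const TTL_SECONDS = 900;
$usedNonces = [];

// Canonical string: fixed field order, fixed separator, each value URL-encoded so a
// value containing ':' cannot shift the field boundaries. The secret is the HMAC key
// and never appears inside the signed data.
function canonical(array $f): string
{
    $fields = ['id', 'quantity', 'currency', 'price', 'email', 'nonce', 'expires'];
    return implode(':', array_map(fn($k) => rawurlencode((string) $f[$k]), $fields));
}

// Runs when the checkout page is rendered. Price and currency come from the
// catalogue, so the client never gets to choose the values that are signed.
function signOrder(int $id, int $quantity, string $email): array
{
    $product = CATALOGUE[$id] ?? null;
    if ($product === null || $quantity < 1) {
        throw new InvalidArgumentException('unknown product or bad quantity');
    }
    $order = [
        'id'       => $id,
        'quantity' => $quantity,
        'currency' => $product['currency'],
        'price'    => $product['price'],
        'email'    => $email,
        'nonce'    => bin2hex(random_bytes(16)),
        'expires'  => time() + TTL_SECONDS,
    ];
    $order['m_sign'] = hash_hmac('sha256', canonical($order), SECRET);
    return $order; // render every field, m_sign included, as hidden inputs
}

// Runs in the API on POST. Returns null when the order may be released,
// otherwise the reason for rejecting it.
function verifyOrder(array $post, array &$usedNonces): ?string
{
    foreach (['id', 'quantity', 'currency', 'price', 'email', 'nonce', 'expires', 'm_sign'] as $k) {
        if (!isset($post[$k])) {
            return "missing field $k";
        }
    }
    $expected = hash_hmac('sha256', canonical($post), SECRET);
    // hash_equals(): constant-time comparison, and no PHP type juggling as with ==
    if (!hash_equals($expected, (string) $post['m_sign'])) {
        return 'bad signature';
    }
    if ((int) $post['expires'] < time()) {
        return 'expired';
    }
    if (isset($usedNonces[$post['nonce']])) {
        return 'replay';
    }
    // A valid signature proves the server issued these values; still re-check them
    // against the catalogue in case the price changed after the page was rendered.
    $product = CATALOGUE[(int) $post['id']] ?? null;
    if ($product === null
        || $product['price'] !== (string) $post['price']
        || $product['currency'] !== (string) $post['currency']) {
        return 'price or currency no longer matches the catalogue';
    }
    $usedNonces[$post['nonce']] = true; // consume the nonce before releasing the product
    return null;
}

// Demo flow with constructed data
$form = signOrder(1, 2, 'buyer@example.com');      // checkout page rendered
var_dump(verifyOrder($form, $usedNonces));        // legitimate submission
var_dump(verifyOrder($form, $usedNonces));        // same form posted a second time
$tampered = $form;
$tampered['price'] = '0.01';                       // buyer edited the hidden price input
var_dump(verifyOrder($tampered, $usedNonces));    // tampered submission
```

Run it with `php demo.php`. In a real deployment the nonce store has to be shared by every API worker (a table with a unique index on the nonce column does this), the HMAC key should be at least 32 random bytes kept outside the repository, and the same canonical() function must be used on both the rendering and the verifying side, which is easy when both live in the same Laravel app.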
