Level 1
Create a middleware that verifies an API key
Jan 13, 2024
5
Level 1
API Authentication with no user
I am looking at building an API that will be accessed by multiple front ends. I have found this post here: https://laracasts.com/discuss/channels/laravel/api-authentication-with-no-user however it is a few years old so I wanted to check what would be the best approach.
I see that Laravel Sanctum is available however the examples given seem to require a user to be authenticated. My API will not have users but it needs to be locked down so that posts and requests can only be made from a sub-domain. Is this possible with Sanctum or is there a better solution?
The API is for a competition, so my front end will post a score to the API, it will then return data to say if the user has won or not. Its simple but I need to make sure it cant be hijacked.
Am i right in thinking that i can use Sanctum SPA Authentication without a user and get a authentication cookie for my later requests?
Any advice is greatly appreciated. Thanks in advance.
Level 80
The API is for a competition, so my front end will post a score to the API, it will then return data to say if THE USER has won or not.
@c-andrews You do have a user. So why are you trying to authenticate without a user when you do in fact have one?
Authenticate the user when making the API request to check if they’ve won or not.
Level 1
@martinbean the “user” doesn’t sign up and is not registered though so would it sill work?
Level 80
@c-andrews Then how do you “identify” a user to know whether they’ve won or not if you they don’t log in nor register?
Level 7
Looks like you just want to authenticate machine-to-machine conversation. Client credential is the way to go here. Easy implementation. https://laravel.com/docs/10.x/passport#client-credentials-grant-tokens
Please or to participate in this conversation.