How to secure a register endpoint API for a first-party mobile app?

Published 2 months ago by bunnypro

As far as I know, OAuth 2 requires user credentials for authentication. But here we don't have any user credentials yet.

Does anyone know how to secure it?

cobonto

If you don't have user credentials, do you work with sample data?

I think you should explain more about your API.

But when I had this problem of preventing anyone except our applications from using the API,

in Android or iOS I created something like

a secure-api key and a SecureApi middleware.

So other people can't access the API anymore.

Hope this answer solves your problem.

bunnypro

I mean, when registering a user, the user is not registered yet, so it can't generate an OAuth access_token, and then it can't use OAuth for securing the API.

What do you mean by secure-api? Is that like an access token?

cobonto

If I guess what you mean, I'll explain it for you.

  1. An API, like a website, is public and everyone can access it. But if you want only your Android or iOS app to use it, with public access restricted, put SECURE_KEY=yourkey in .env, add it to your config/app.php or config/api.php (whatever you like), send the SECURE_KEY value from your iOS or Android app with every request, and create a middleware like SecureApi.php with this handle method:

    <?php

    namespace App\Http\Middleware;

    use Closure;
    use Illuminate\Http\Request;
    use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;

    class SecureApi
    {
        public function handle(Request $request, Closure $next)
        {
            // Reject the request unless the secure-key header matches the configured key.
            // (The check must run before passing the request on, not after a return.)
            if ($request->header('secure-key') !== config('api.secure_key')) {
                throw new BadRequestHttpException('bad_http_exceptions');
            }

            return $next($request);
        }
    }

With this code in your middleware, if someone doesn't have the secure key they cannot access the API. For logged-in users you have this plus the auth access token. Hope it helps.

bunnypro

I have done it before, but it's marked as a not-secure method by our security tester. They claim they can get the KEY and make requests with it, since it's just sent through a GET request or HEADER.

I'm thinking about public and private keys like SSH, but I don't know how to implement it.
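An added example, written here by the editor and not posted by cobonto or bunnypro: the same Laravel middleware pattern, but the app signs each request with an HMAC (a symmetric stand-in for the key pair mentioned above) over the method, path, timestamp and body, so a captured request cannot simply be replayed later. The header names X-Timestamp and X-Signature, the class name SignedRequest and the 300-second window are assumptions; config('api.secure_key') is the key from cobonto's post.

```php
<?php
// Added example (not from the thread): HMAC-signed requests instead of a bare key header.
// Assumed contract: the app sends X-Timestamp (unix seconds) and X-Signature, the hex
// HMAC-SHA256 of "METHOD\nPATH\nTIMESTAMP\nBODY" keyed with config('api.secure_key').

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;

class SignedRequest
{
    // A request older than this is rejected, so replaying a captured one stops working.
    private const MAX_SKEW_SECONDS = 300;

    public static function canonical(string $method, string $path, string $ts, string $body): string
    {
        return strtoupper($method) . "\n" . $path . "\n" . $ts . "\n" . $body;
    }

    // Same function the app runs client-side before sending the request.
    public static function sign(string $secret, string $method, string $path, string $ts, string $body): string
    {
        return hash_hmac('sha256', self::canonical($method, $path, $ts, $body), $secret);
    }

    public function handle(Request $request, Closure $next)
    {
        $secret = (string) config('api.secure_key');
        $ts     = (string) $request->header('X-Timestamp', '');
        $sig    = (string) $request->header('X-Signature', '');

        // Timestamp must be present, numeric and inside the allowed window.
        if (preg_match('/^\d{1,12}$/', $ts) !== 1 || abs(time() - (int) $ts) > self::MAX_SKEW_SECONDS) {
            throw new UnauthorizedHttpException('Signature', 'stale or missing timestamp');
        }

        $path     = '/' . ltrim($request->path(), '/');
        $expected = self::sign($secret, $request->method(), $path, $ts, $request->getContent());

        // hash_equals() compares in constant time, so the check is not a timing oracle.
        if ($sig === '' || !hash_equals($expected, $sig)) {
            throw new UnauthorizedHttpException('Signature', 'bad signature');
        }

        return $next($request);
    }
}
```

Because the secret still ships inside the app binary, this raises the cost of replaying a captured request rather than proving that the caller is your app; the asymmetric variant with a private key embedded in the app has the same limitation.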
