
jjdevzinho

Disabling or Restricting the JSON API Route for Creating a Client in Passport

Hello,

I'm looking to disable the routes that create, edit, and delete clients for Passport. If that's not possible, I'd like to restrict the app creation process. I believe the current unrestricted mode might not be suitable for my use case.

I've extended the ClientRepository class and created a dashboard to manage these client CRUD operations. However, the JSON API routes at oauth/clients are accessible to any logged-in user, and there's a chance that someone with a bit of expertise could send a request to this route, potentially bypassing my client creation rules.

I'm using Laravel 9. Thank you for your attention.

0 likes
5 replies
jjdevzinho

@vincent15000

Hello, thank you for the response,

My intention was just to block the routes that perform CRUD operations for clients. I overlooked this part in the documentation because all the routes are ignored.

I copied the routes from the git file and only ignored the CRUD routes. I have the desired outcome, but I'm not sure if it was the best approach. I'm afraid some route might change in the passport :/

1 like
ModestasV

I would look into https://laravel.com/docs/9.x/authorization#gates or https://laravel.com/docs/9.x/authorization#writing-policies to limit what can be done based on your user Role. It's probably the fastest and safest way to do this.

Or in other words: You can't really disable the routes easily. You can do that with middleware to check if the authenticated user is allowed to do an action. But that is also better done with Gates/Policies.

2 likes
jjdevzinho

@ModestasV

Hi, thank you for the response,

I've never used gates or policies before. I have a vague idea of how they work, but I've never actually used them. I even got curious to know if it would work, but I'm wondering how I can use them on things that come from the 'vendor' folder. In other words, I don't have a model or route from Passport to manipulate.

1 like
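The approach the thread converges on (ignore Passport's routes, re-register them yourself) combined with the Gate suggestion, as an added example that is not code from the thread or from Passport itself. The gate name `manage-oauth-clients` and the `is_admin` user attribute are assumptions; the client routes mirror the ones in Passport's own routes file.

```php
<?php
// Added example (not from the thread or from Passport). Two files are shown;
// split them at the "// file:" markers.

// file: app/Providers/AuthServiceProvider.php
namespace App\Providers;

use App\Models\User;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Gate;
use Laravel\Passport\Passport;

class AuthServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Stop Passport from registering its routes, so the ones declared in
        // routes/web.php below become the only /oauth/* endpoints the app exposes.
        Passport::ignoreRoutes();

        // Hypothetical gate: only users carrying the assumed `is_admin` flag may
        // create, edit or delete OAuth clients. Swap in your own role check.
        Gate::define('manage-oauth-clients', fn (User $user) => (bool) $user->is_admin);
    }
}

// file: routes/web.php (client-management subset of Passport's routes/web.php)
use Illuminate\Support\Facades\Route;
use Laravel\Passport\Http\Controllers\ClientController;

Route::group([
    'as' => 'passport.',
    'prefix' => config('passport.path', 'oauth'),
    // 'can:' middleware runs the gate before any ClientController method,
    // so a logged-in non-admin gets a 403 instead of reaching store()/update()/destroy().
    'middleware' => ['web', 'auth', 'can:manage-oauth-clients'],
], function () {
    Route::get('/clients', [ClientController::class, 'forUser'])->name('clients.index');
    Route::post('/clients', [ClientController::class, 'store'])->name('clients.store');
    Route::put('/clients/{client_id}', [ClientController::class, 'update'])->name('clients.update');
    Route::delete('/clients/{client_id}', [ClientController::class, 'destroy'])->name('clients.destroy');
});

// The remaining Passport routes (authorize, token, token/refresh, tokens, scopes,
// personal-access-tokens) must be copied here unchanged from
// vendor/laravel/passport/routes/web.php, because ignoreRoutes() drops them as well.
```

Omitting the four client routes entirely, instead of wrapping them in the gate, removes the JSON API completely while the custom dashboard keeps using the extended ClientRepository directly.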
