Do I still need CORS when using the CreateFreshApiToken middleware?

Posted 1 year ago by p0t4t0

I'm really new to the whole JWT authentication thing, and from what I understand so far from researching, in order for me to be able to secure my API from external requests (requests made from other servers/domains), I would have to make use of CORS (this package specifically: https://github.com/barryvdh/laravel-cors) and set 'allowedOrigins' => ['*'] to 'allowedOrigins' => ['mydomain'] in order to tell it to only accept requests coming from my web app. But since reading the Laravel docs on the CreateFreshApiToken middleware over and over again, I have realized that I may not need CORS after all, since this middleware, as stated in the docs, passes the CSRF token I have in a meta tag with each request, which my app uses to validate them. If anyone could shed some light on whether or not I understand these concepts correctly, I would really appreciate it. Thanks in advance.

PS: What I am basically trying to do is just disallow all incoming requests IF they are not made specifically from my app.