Hi, I have a Laravel app that manages a school calendar; multiple manager users can add appointments to the calendar.
When an appointment doesn't show up, we will be firing an automated email to the member to re-schedule a new appointment. The email will contain a button to re-schedule; when clicked, members will be redirected to an SPA made with Vue.
The SPA will have a form, and will get the ID of the appointment from the button link. After the user sets a new date, a POST request will be made to the API to store the information.
I want to secure this in some way; the basic ideas that come to me are:
Securing the API: maybe some sort of authentication between the SPA and the API, or maybe the API will only let this SPA's domain call an API route (some sort of domain whitelist for calling the API route). At first I was thinking of using Laravel Passport, but I couldn't find a use case that fits.
Securing the SPA: only members that are sent the email will have access to the SPA.
What would be your recommendations/ideas?