REST API auth with different roles and permissions
I just started learning how to build REST APIs in Laravel 9, but there is one thing I can't wrap my head around, and that is how to create different roles and permissions for different users. I have found a ton of different tutorials, but all of them include some kind of UI; my intention is to use the API externally from a Vue website. The plan is to have 3 different roles, which are member, writer and admin.
I have one solution, but it's not that pretty: just create a column in the users table with an integer, which I then give different roles to using Sanctum token abilities.
@harleyberglund Your roles should be held server-side, rather than trusting what a user submits in a token. Otherwise this could be susceptible to privilege escalation (i.e. a lowly user generates a token with an ability they shouldn't have, like admin. Your app shouldn't go, "You say you're an admin? OK, I'll let you do admin-related things, no problem.")
Once you have your roles server-side, you can then use policies and other authorisation methods to determine what a user can and cannot do. If a user tries to make a request that a policy check says they shouldn’t be able to, then Laravel will return a 403 Forbidden response.
@martinbean I found this video, is that a secure way of doing the check? Or do you have a better instruction on how to do it?
I forgot to mention in the first post: only admins will be able to create members and writers, since this API is for a sports club and the memberships will be stored in the DB.
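One way to keep the roles server-side and enforce them with policies, as martinbean's reply describes, including the admin-only creation of members and writers mentioned in the last post. This is an added example, not code from the thread or from Laravel itself; it assumes Laravel 9 with Sanctum, a `role` string column on the `users` table, and hypothetical `Post` and `User` models with `PostController` and `UserController`.

```php
<?php
// Added example, not code from the thread. Assumes Laravel 9 with Sanctum, a `role`
// column on `users`, and hypothetical Post/User models and controllers. Each section
// would normally live in its own file; they are listed together here for reading.
namespace App\Enums;
enum Role: string
{
    case Member = 'member';
    case Writer = 'writer';
    case Admin  = 'admin';
}

// The role is read from the user's own database row on every request. The Sanctum
// token only identifies the user; it carries no role or ability claim to trust.
namespace App\Models;
use App\Enums\Role;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Laravel\Sanctum\HasApiTokens;
class User extends Authenticatable
{
    use HasApiTokens;
    protected $casts = ['role' => Role::class]; // 'writer' <-> Role::Writer
}

// Policies decide per action. Laravel auto-discovers App\Policies\PostPolicy for
// App\Models\Post and App\Policies\UserPolicy for App\Models\User.
namespace App\Policies;
use App\Enums\Role;
use App\Models\User;
class PostPolicy
{
    public function create(User $user): bool   // writers and admins may publish
    {
        return in_array($user->role, [Role::Writer, Role::Admin], true);
    }
}
class UserPolicy
{
    public function create(User $user): bool   // only admins add members/writers
    {
        return $user->role === Role::Admin;
    }
}

// routes/api.php: the `can` middleware runs the policy; a false result is a 403.
use Illuminate\Support\Facades\Route;
Route::middleware('auth:sanctum')->group(function () {
    Route::post('/posts', [\App\Http\Controllers\PostController::class, 'store'])
        ->middleware('can:create,App\Models\Post');
    Route::post('/users', [\App\Http\Controllers\UserController::class, 'store'])
        ->middleware('can:create,App\Models\User');
});
```

Because the decision is made from the `users` row rather than from token abilities, a client that mints a token with an extra ability gains nothing; changing a member's role is a database update that an admin performs through the `/users` route.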