I have an API in Laravel which will be accessed by an Android app, but the thing is a hacker accidentally came to know the API URL and parameters, called it and used it from the web. So I need to secure it. I already added a bearer token in the Authorization header of the request when called from the Android app, and in the API I match the token. But what if the hacker knows the token too? Then he can make requests from anywhere. I read many things by googling; I also know Laravel Passport, but all of them ultimately come down to the same thing: the encrypted token to be passed when making the API call. Literally, what more can I do so that the hacker can't use the API and I know the API request came exactly from the Android app?
@Tray2 Passport is huge and not needed for my API, because no authorization is required for consuming server resources. As I said, these ultimately come down to adding an encrypted token to the request. What if the token is known by the hacker? Furthermore, how do I know the request came from our Android apps only?
Laravel Sanctum provides a featherweight authentication system for SPAs (single page applications), mobile applications, and simple, token based APIs. Sanctum allows each user of your application to generate multiple API tokens for their account. These tokens may be granted abilities / scopes which specify which actions the tokens are allowed to perform.
That is not really possible. You cannot detect if the request comes from your Android app. The app is client side, so every token, HTTP header, whatever, can be read. You can make it harder to fake, but not impossible.
If you don't have any authentication (user login etc.), this is like a public API and everyone can access it. Then you should throttle it, so that no one can send too many fake requests.
Or you can implement a user system. Then a user can only use the API for himself, and then it shouldn't matter whether it comes from an Android app or something else; the server must always validate whether the user is allowed to do that.
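The two measures in the answer above (throttling, and a per-user system where the server checks what the token's owner may do) together with the Sanctum token model quoted earlier, as an added Laravel example. This is not code from the thread or from the Laravel project; it gathers excerpts from several files, marked by path in comments, and the Order model, OrderController, OrderPolicy and the `orders()` relationship on the User model are assumed names. The point it demonstrates is the one the answer makes: once a leaked token only identifies one user, and every query is scoped to that user on the server, it no longer matters where the request originated.

```php
<?php
// Added example, not the thread's own code. Excerpts from several Laravel files;
// the file each part belongs to is named in the comment above it.
// Assumed/hypothetical: App\Models\Order, OrderController, OrderPolicy,
// and a User::orders() hasMany relationship.

// ---- app/Providers/AppServiceProvider.php (inside boot()) ----
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

// Throttle: 60 requests per minute, keyed by user id when authenticated and
// by client IP otherwise, so a flood of fake requests is cut off server-side.
RateLimiter::for('api', function (Request $request) {
    return Limit::perMinute(60)->by($request->user()?->id ?: $request->ip());
});

// ---- routes/api.php ----
use App\Http\Controllers\OrderController;
use App\Models\User;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Route;

// Login issues a Sanctum personal access token for one user. A leaked token
// therefore only ever grants that user's own access, never "the whole API".
Route::middleware('throttle:api')->post('/login', function (Request $request) {
    $data = $request->validate([
        'email'    => 'required|email',
        'password' => 'required',
    ]);
    $user = User::where('email', $data['email'])->first();
    if (! $user || ! Hash::check($data['password'], $user->password)) {
        return response()->json(['message' => 'Invalid credentials.'], 401);
    }
    return ['token' => $user->createToken('android')->plainTextToken];
});

// Protected routes: auth:sanctum validates the bearer token and resolves the
// user; throttle:api applies the limiter defined above.
Route::middleware(['auth:sanctum', 'throttle:api'])->group(function () {
    Route::get('/orders', [OrderController::class, 'index']);
    Route::get('/orders/{order}', [OrderController::class, 'show']);
});

// ---- app/Http/Controllers/OrderController.php ----
namespace App\Http\Controllers;

use App\Models\Order;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Http\Request;

class OrderController extends Controller
{
    use AuthorizesRequests;

    public function index(Request $request)
    {
        // Scope the query to the token's owner. Never accept a user id from
        // the client: the server decides whose data is returned.
        return $request->user()->orders()->latest()->get();
    }

    public function show(Request $request, Order $order)
    {
        // Policy check: 403 unless OrderPolicy::view says this user owns the order.
        $this->authorize('view', $order);
        return $order;
    }
}

// ---- app/Policies/OrderPolicy.php ----
namespace App\Policies;

use App\Models\Order;
use App\Models\User;

class OrderPolicy
{
    // The only question the server asks: does this record belong to this user?
    public function view(User $user, Order $order): bool
    {
        return $order->user_id === $user->id;
    }
}
```

Two design notes. The limiter is keyed by user id for authenticated calls so one abusive token cannot hide behind rotating IPs, and by IP for the unauthenticated login route so password guessing is slowed. The `index` and `show` methods never read a user id from the request body or query string; ownership comes from `$request->user()`, which Sanctum populated from the token, so a client that replays a captured token can only see what that one account already could.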