Security Concerns for REST Login

Posted 1 year ago by roemer

Hi,

I implemented a REST login system based on the default auth system (overwrote some of the functions in AuthenticatesUsers). This way, the consumer of my API can send usernames and passwords to /login and receive the user and an API token that can be used for new requests (this is why I'm not using Passport). I'm wondering if there are any security concerns that I have to look out for when doing this. I'm still throttling users since basically everything in AuthenticatesUsers still applies except for the authenticated function. I will be disabling CSRF validation for this endpoint as well, otherwise, it'll be hard to send requests to.

Thanks in advance.

P.S. I wrote this trait that I'm assigning to my User model instead of AuthenticatesUsers:

<?php

namespace App\Http\Controllers\Auth;

use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use App\Repositories\UserRepository;

trait AuthenticatesUsersREST
{
    use AuthenticatesUsers {
        // Keep the framework's original hook reachable under another name.
        AuthenticatesUsers::authenticated as parentAuthenticated;
    }

    /**
     * Overwrites the authenticated method from AuthenticatesUsers and
     * returns the logged in user with its API tokens.
     *
     * @param Request $request
     * @param $user
     * @return JsonResponse
     * @throws \Exception
     */
    public function authenticated(Request $request, $user)
    {
        $users = new UserRepository();
        return new JsonResponse($users->findWithRelations($user->id));
    }
}
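The concerns raised above (an API-token login endpoint built on AuthenticatesUsers, with throttling kept and CSRF not applied) can be illustrated with a small controller. The code below is an added example, not part of the original post: it assumes a Laravel 5.7+ application whose users table has an api_token column, whose api guard in config/auth.php is set to the token driver with hash enabled, and whose login and logout routes live in routes/api.php (the api middleware group carries no VerifyCsrfToken and adds rate limiting). The class name ApiLoginController is hypothetical.

```php
<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Str;

// Hypothetical controller; the trait's login() still runs ThrottlesLogins before
// the credential check, so failed attempts are rate-limited per user and IP.
class ApiLoginController extends Controller
{
    use AuthenticatesUsers;

    /**
     * Called by AuthenticatesUsers::login() once the credentials are valid.
     * A fresh random token is issued on every login; only its SHA-256 hash is
     * persisted, so a dumped users table does not yield usable tokens. The
     * plaintext is returned exactly once, in this response.
     *
     * Assumes config/auth.php: 'api' => ['driver' => 'token', 'hash' => true]
     * (Laravel 5.7+), which makes the TokenGuard compare sha256 hashes.
     */
    protected function authenticated(Request $request, $user)
    {
        $plainToken = Str::random(60);

        $user->forceFill([
            'api_token' => hash('sha256', $plainToken),
        ])->save();

        // Return only non-sensitive attributes; never echo password hashes or
        // previously stored tokens back to the client.
        return new JsonResponse([
            'user'  => $user->only(['id', 'name', 'email']),
            'token' => $plainToken,
        ]);
    }

    /**
     * Replace the default redirect/validation-error failure response with a
     * generic JSON 401 that does not reveal whether the username exists.
     */
    protected function sendFailedLoginResponse(Request $request)
    {
        return new JsonResponse(['message' => 'Invalid credentials.'], 401);
    }

    /**
     * Logout for a stateless API: clear the stored hash so a leaked token is
     * revoked. Assumes the logout route is protected by the auth:api middleware.
     */
    public function logout(Request $request)
    {
        $request->user('api')->forceFill(['api_token' => null])->save();

        return new JsonResponse(null, 204);
    }
}
```

Two design points follow from the question: the endpoint is exempt from CSRF because it is registered in routes/api.php rather than by adding it to the $except list of VerifyCsrfToken, which keeps the web group intact, and the token is rotated on every login and cleared on logout, so the hashed api_token column never holds a long-lived secret that a database read could turn into an authenticated session.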
