Charrua

Let a public Vue SPA store data on a Laravel API (authenticated in some way)

Hi, I have a Laravel app that manages a school calendar. Multiple manager users can add appointments to the calendar.

When an appointment doesn't show up, we will be firing an automated email to the member to re-schedule a new appointment. The email will contain a button to re-schedule; when clicked, members will be redirected to an SPA made in Vue.

The SPA will have a form, and get the ID of the appointment from the button link. After the user sets a new date, a POST request will be made to the API to store the information.

I will want to secure this in some way. The basic ideas that come to me are:

  • Securing the API: maybe some sort of authentication between the SPA and the API, or maybe the API will only let this SPA's domain call an API route (some sort of domain whitelist for calling the API route). At first I was thinking of using Laravel Passport, but I couldn't find a use case that fits.

  • Securing the SPA: only members that are sent the email will have access to the SPA

What will be your recommendations/ideas?

audunru
Best Answer

I’m thinking you could generate a long, random string when you send the email. Store this in a table that will contain appointment ids and the random strings. The link in the email will include the random string, and when the server receives the request to set up the new appointment, you would only allow it if the string is in that table and matches the original appointment. So basically you’re saying “if you know the secret for appointment X, I will allow you to schedule a new time for it”. Don’t include any personal info in the email or the form, and I think you’d have a good enough “security through obscurity” system.
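The scheme described in the answer above, as an added example in plain PHP that is not part of the original thread or either poster's code. The in-memory array stands in for the table of appointment ids and secrets; storing only a hash of the secret, the expiry, and the single-use flag are assumptions beyond what the answer states, and the function names, appointment id and URL are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the table of appointment ids and secrets;
// in the Laravel app this would be a database table.
$tokens = [];

// Called when the no-show email is sent: returns the secret for the link.
function issueToken(array &$tokens, int $appointmentId, int $now, int $ttl = 604800): string
{
    $secret = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    // Assumption: store only a hash, so a leaked table does not reveal usable links.
    $tokens[hash('sha256', $secret)] = [
        'appointment_id' => $appointmentId,
        'expires_at'     => $now + $ttl, // assumption: links expire
        'used'           => false,       // assumption: one reschedule per link
    ];
    return $secret;
}

// Called by the POST handler before the new date is stored.
function redeemToken(array &$tokens, int $appointmentId, string $secret, int $now): bool
{
    $key = hash('sha256', $secret);
    $row = $tokens[$key] ?? null;
    if ($row === null || $row['appointment_id'] !== $appointmentId) {
        return false; // unknown secret, or secret issued for another appointment
    }
    if ($row['used'] || $now > $row['expires_at']) {
        return false; // replayed or expired link
    }
    $tokens[$key]['used'] = true;
    return true;
}

$now    = time();
$secret = issueToken($tokens, 42, $now); // 42 is a constructed appointment id
// Hypothetical link placed behind the email button.
echo 'https://spa.example/reschedule?appointment=42&token=' . $secret, PHP_EOL;

var_dump(redeemToken($tokens, 42, 'guess', $now)); // wrong secret
var_dump(redeemToken($tokens, 43, $secret, $now)); // right secret, wrong appointment
var_dump(redeemToken($tokens, 42, $secret, $now)); // first use of the emailed link
var_dump(redeemToken($tokens, 42, $secret, $now)); // same link presented again
```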
