
alev (Level 4)

authenticate api call from specific domain

Similar to the MaxMind JavaScript Client API, I would like to create a client for my own API service.

What I like about the MaxMind JavaScript Client is the fact that it has a simple domain authentication. I create a MaxMind account and register the domain which is allowed to access the API. In a second step I simply install the JavaScript client on my website and voilà, it works. No API token necessary. Their API service simply checks if a request comes from a registered domain.

While I believe this is simple to implement in Laravel (simply check the domain of a request and cache the IP), I'm not sure if this is 100% safe. What are your thoughts?

bobbybouwmann

I think this is a fair approach. Using a token has the same dangers, right? You can just copy the token from the JavaScript on the page and use that on another website.

alev (Level 4)

Using a token is more dangerous I'd say, because it is super easy to copy it.

Verifying the domain server side is much more secure. In that case I wonder how Laravel gets the host from the Response to check if it is an allowed domain. The only thing I could think about working around this is to spoof the domain somehow on the client side. Basically the question is, is `$request->headers->get('origin')` spoofable?

alev (Level 4)

This thread explains quite well that the Origin header is spoofable: https://stackoverflow.com/q/21058183/4688612

It is not spoofable through a regular browser, since they don't let you set that header field. But any kind of HTTP request implementation like cURL allows you to set headers. So, checking the Origin header is not safe.
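To make the two points of the thread concrete (how a Laravel middleware reads the calling host from the request, and why that value is only a claim), here is an added example middleware. It is not code from the thread, from Laravel, or from MaxMind; the class name, the `ALLOWED_HOSTS` list and the `requestingHost()` helper are constructed for illustration.

```php
<?php
// Added example, not code from the thread or from the Laravel framework.
// A minimal Laravel middleware that performs the "registered domain" check
// discussed above: compare the Origin header (falling back to Referer)
// against an allowlist. As the thread concludes, both headers are supplied
// by the client, so this only restricts well-behaved browsers; it is a
// CORS-style guard, not authentication of the caller.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class VerifyAllowedOrigin
{
    /** Constructed allowlist; a real app would load this from config or a table. */
    private const ALLOWED_HOSTS = [
        'example.com',
        'www.example.com',
    ];

    public function handle(Request $request, Closure $next): Response
    {
        $host = self::requestingHost($request);

        if ($host === null || !in_array($host, self::ALLOWED_HOSTS, true)) {
            // Treat a missing or unknown host as "not a registered domain".
            abort(403, 'Origin not allowed');
        }

        return $next($request);
    }

    /**
     * Extract the host name the client claims to be calling from.
     * Browsers send Origin on cross-site XHR/fetch requests; Referer is a
     * weaker fallback. Both are client-controlled headers: a non-browser
     * client can set them to any value, so the result is a claim, not proof.
     */
    public static function requestingHost(Request $request): ?string
    {
        $raw = $request->headers->get('Origin') ?? $request->headers->get('Referer');
        if ($raw === null) {
            return null;
        }

        // Origin may also be the literal string "null" (sandboxed or privacy
        // contexts); parse_url() yields no host for it, so it is rejected below.
        $host = parse_url($raw, PHP_URL_HOST);
        if (!is_string($host) || $host === '') {
            return null;
        }

        // Normalise case so "Example.COM" matches the allowlist entry.
        return strtolower($host);
    }
}
```

Attach the middleware to the API route group the way your Laravel version registers route middleware. Because the check rests on headers any non-browser client can set, it should be treated as a browser-side convenience layer; requests from scripts or servers still need a secret the client cannot trivially copy from a public page, as the token discussion earlier in the thread touches on.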
