
Ziroy
Level 1

How to safely update Users from api

I've been wondering what might be the best-practice way to update users from the frontend. I have currently set up a React frontend and wanted to allow a user to update their profile on that page, but asynchronously. This includes their password. Since I don't want any other 3rd-party API consumer to update a user's password, I need a way to check whether the request is coming from my app or my website. Is there any way I can do this? I am also not sure how secure it is to check whether the request comes from my client ID, since that one could potentially be stolen from the source code, right?

0 likes
4 replies
bobbybouwmann

Most of the time you use an access token which can only be used for 1 hour, for example; after that, your frontend should fetch a new token. So the basic term here is a short-lived token for authentication.

Ziroy
Level 1

How does that solve the issue with other 3rd-party applications? They essentially use the same API. So how does generating a new access token every hour help in that case? I still have the same client ID, which means that anybody who gets their hands on that could potentially change a user's password. Nor do I see how to distinguish between a first-party application and a third-party application. This might just be my stupidity, but you are not yet making sense to me. Sry :(

bobbybouwmann
Level 88

I think I misread your question. To make sure that you only accept requests from your own frontend app you should set up your CORS headers. They can help you prevent getting requests from sources other than your own site.

Laravel 7 has this by default: https://laravel.com/docs/7.x/routing#cors

You can configure your domain in config/cors.php. If you're not on Laravel 7 you can install this package: https://github.com/fruitcake/laravel-cors
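A config/cors.php locked down to a single frontend origin, as an added example rather than code from this thread; https://app.example.com stands in for the site's real origin.

```php
<?php

// config/cors.php for Laravel 7 / fruitcake/laravel-cors.
// Example configuration (not from the thread). "https://app.example.com"
// is a placeholder for the real origin of the React frontend.

return [

    // Only apply CORS handling to the routes the frontend actually calls.
    'paths' => ['api/*'],

    // Restrict to the methods the profile endpoints need instead of '*'.
    'allowed_methods' => ['GET', 'POST', 'PUT', 'PATCH'],

    // The shipped default is ['*'], which lets a page on any origin read
    // API responses. List the exact scheme + host of your frontend instead.
    'allowed_origins' => ['https://app.example.com'],

    // Leave empty unless you really need wildcard subdomains.
    'allowed_origins_patterns' => [],

    // Headers the frontend is allowed to send, e.g. the bearer token.
    'allowed_headers' => ['Content-Type', 'Authorization', 'X-Requested-With'],

    'exposed_headers' => [],

    // Seconds a browser may cache the preflight (OPTIONS) response.
    'max_age' => 600,

    // Needed if the frontend sends cookies or uses withCredentials;
    // browsers reject a wildcard origin when this is true.
    'supports_credentials' => true,

];
```

Note that CORS is enforced by the browser, so the password-update route still needs its own server-side check that the request carries a valid token for the user being changed.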

Ziroy
Level 1

That is exactly what I needed. Thanks a lot!
