
Aronaman

integration server

Hello guys, it is my first time here and I need some ideas.

There is a desktop application made using VB, and I made a web app. My client wants to integrate the local DB and connect it with the cloud server.

What I did so far (conceptual):

I created an API (REST API in .NET) for the desktop application and defined endpoints. Then I created a RESTful API for the web app (Laravel). Then I thought every user should have an API key, so I created the column "access_key" inside the user table in Laravel, generated 10 unique random digits and saved them in the access_key column of the user table for every user. After that I created a middleware "apiKey" that checks the access key belongs to the user, and then I defined the API route with the middleware.

My questions are: #1 Is my method recommended? Or should I use Laravel Passport and generate a personal access token? If so, where should I save the personal access token in Laravel?

#2 The integration is planned in both directions, so should I prepare a form in the desktop app to save the access_key inside the desktop configuration? The same access_key for the same user on web and desktop, on both endpoints, e.g. https://server.larave/api/create/access_key=As1sdgddfsdrt (from desktop to web) and https://desktop/api/4/update/access_key=As1sdgddfsdrt (from web to desktop)?

I know I am making it more complex; can anybody help me? Thanks.

automica

@aronaman having a shared access token is fine. I would pass it in the headers rather than as part of the URL, though.

I'm using a static access_token for my API because it only needs to be accessible by a Vue front end. You would want to do something similar to my middleware to check it.

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class VerifyAPIAccess
{
    /**
     * Handle an incoming request.
     *
     * Rejects the request unless it carries the shared token in the
     * `access-token` header. The check is skipped in the local environment.
     *
     * @param \Illuminate\Http\Request $request
     * @param \Closure $next
     * @return mixed
     */
    public function handle(Request $request, Closure $next)
    {
        // Read the expected token through config() rather than env(): env()
        // returns null once `php artisan config:cache` has run, and $_ENV may be
        // empty depending on php.ini's variables_order. Assumes config/app.php
        // contains 'api_token' => env('APP_API_TOKEN').
        $expected = (string) config('app.api_token', '');
        $presented = (string) $request->header('access-token', '');

        // An empty configured token fails closed; hash_equals() compares in
        // constant time so the token cannot be guessed byte by byte via timing.
        if (
            !app()->environment('local')
            && ($expected === '' || !hash_equals($expected, $presented))
        ) {
            return response()->json(['Message' => 'You do not have access to this API.'], 403);
        }

        return $next($request);
    }
}

And then add it to your route group in api.php:

use App\Http\Middleware\VerifyAPIAccess;

Route::group([
    'prefix' => 'v1',
    'as' => 'v1.',
    'middleware' => [
        VerifyAPIAccess::class
    ]
], function () {
    // protected API routes, reachable under api/v1/yourRoute
});

If you are only accessing the Laravel app from your local desktop app, you could additionally limit access based on an IP address range.

Aronaman

@automica Thanks for the response, but I am asking 2 questions. Can you give me some suggestions? I am not focusing on the code right now; I am lost in the concept part.

Is there any documentation for this kind of scenario?

automica

@aronaman For your questions:

  1. I would say just using a unique access_token that you generate for each user is fine. Store it on the user table.

  2. If you want to access both ways, then storing the tokens duplicated at either end is fine. As you are also in control of the IP addresses at both ends, you can always limit access to the remote server from a known IP range as an additional security measure.

TBH it may be fine just to have a single shared token between your local and cloud applications. It's not like the client has access to the token or the request, so whether it's unique per user or one per app is fine.
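The IP-range restriction suggested in point 2 above, as an added example that is not code from this thread. It assumes a hypothetical config key `api.allowed_cidrs` holding a list of CIDR strings, and uses Symfony's `IpUtils` (already installed with Laravel via symfony/http-foundation) so both IPv4 and IPv6 ranges work. It is meant to sit in the same `'middleware'` array as the token middleware, so a request must pass both checks.

```php
<?php
// Added example (not from the thread): allow API traffic only from known
// source ranges, on top of the token check. Assumes config/api.php defines
// 'allowed_cidrs' => ['203.0.113.0/24', '2001:db8::/32'] (hypothetical key
// and documentation-range addresses used as constructed sample values).

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\IpUtils;

class RestrictToKnownIps
{
    /**
     * True when $ip falls inside any of the given CIDR ranges.
     * Pulled out as a static method so it can be unit-tested without a request.
     *
     * @param string   $ip     client address as reported by the framework
     * @param string[] $cidrs  e.g. ['203.0.113.0/24', '2001:db8::/32']
     */
    public static function ipAllowed(string $ip, array $cidrs): bool
    {
        if ($cidrs === []) {
            return false; // no configured ranges means nobody gets in (fail closed)
        }

        return IpUtils::checkIp($ip, $cidrs);
    }

    public function handle(Request $request, Closure $next)
    {
        // $request->ip() only honours X-Forwarded-For when the proxy is listed
        // in the TrustProxies middleware. If the app sits behind a load balancer
        // that is not trusted there, every request will appear to come from the
        // balancer and this check is meaningless, so configure TrustProxies first.
        $clientIp = $request->ip();

        if (!self::ipAllowed($clientIp, config('api.allowed_cidrs', []))) {
            return response()->json(['Message' => 'Source address not allowed.'], 403);
        }

        return $next($request);
    }
}
```

Register it next to `VerifyAPIAccess::class` in the route group's `'middleware'` array. Because the desktop side is also under your control, the reverse direction (cloud calling the desktop API) can be locked down the same way on the .NET side using the cloud server's egress address.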

Aronaman

@automica OK. What about using a Passport "personal access token"? The problem I encounter is that I don't know how to retrieve it and save it to the desktop config file.

Second, the expired token issue.

automica

@aronaman My understanding of the purpose of using a token is to deal with it rather like you'd use an SSH key to authenticate a user. In that case, you would need to worry about expiring it, as if it's part of the request then let them in (like using a door key for your house).

If you are using a key per user, then you could also compare against their email address, so only access_key and email together get a user in.

I don't think you would need to expire this access token, unless you want to prevent the user from accessing your app any longer (like handing your door key in when you move house).

If you are also limiting with firewall rules, then you are even more secure.
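The per-user key scheme from the original post (one access_key per row in the user table, checked by a middleware) combined with the email-plus-key check suggested in the reply above, as an added example that is not code from this thread. Assumptions: a hypothetical `users.access_key_hash` column instead of the plaintext `access_key` column, the header names `X-Api-Email` and `X-Api-Key`, and PHP 8 or later. The key is 32 random bytes rather than 10 digits, and only its SHA-256 hash is stored, so a database dump does not hand out working keys; the plaintext is shown once so it can be pasted into the desktop app's configuration file.

```php
<?php
// Added example (not from the thread): per-user API keys bound to the user's
// e-mail, generated on the Laravel side and verified by a middleware.
// Assumes a users.access_key_hash column (hypothetical name) and PHP >= 8.0.

namespace App\Http\Middleware;

use App\Models\User;
use Closure;
use Illuminate\Http\Request;

class VerifyUserApiKey
{
    // Length of hash('sha256', ...) in hex; used for the dummy hash below.
    private const HASH_HEX_LEN = 64;

    /**
     * Issue a fresh key for $user. Returns the plaintext exactly once so the
     * operator can copy it into the desktop configuration; the database keeps
     * only the hash. Calling this again rotates the key, and setting the
     * column to null revokes it (the "handing the door key in" case).
     */
    public static function issueKey(User $user): string
    {
        $plaintext = bin2hex(random_bytes(32)); // 256 bits of entropy, 64 hex chars
        $user->forceFill(['access_key_hash' => hash('sha256', $plaintext)])->save();

        return $plaintext;
    }

    /**
     * Constant-time check of a presented key against a stored hash. Hashing
     * first means hash_equals() always compares two fixed-length strings.
     */
    public static function keyMatches(string $presented, string $storedHash): bool
    {
        return hash_equals($storedHash, hash('sha256', $presented));
    }

    public function handle(Request $request, Closure $next)
    {
        // Credentials travel in headers, never in the query string, so they do
        // not land in web-server access logs, proxy logs or browser history.
        $email = $request->header('X-Api-Email');
        $key   = $request->header('X-Api-Key');

        if (!is_string($email) || !is_string($key) || $email === '' || $key === '') {
            return response()->json(['Message' => 'Missing API credentials.'], 401);
        }

        $user = User::where('email', $email)->first();

        // Compare against a dummy hash when the user is unknown so the response
        // time does not reveal which e-mail addresses exist. A null column
        // (revoked key) is treated the same way.
        $storedHash = $user?->access_key_hash ?? str_repeat('0', self::HASH_HEX_LEN);
        $matches    = self::keyMatches($key, $storedHash) && $user !== null;

        if (!$matches) {
            return response()->json(['Message' => 'Invalid API credentials.'], 401);
        }

        // Expose the authenticated user to controllers via $request->user().
        $request->setUserResolver(fn () => $user);

        return $next($request);
    }
}
```

With this in place the desktop app stores the plaintext key once in its config and sends both headers on every call; the Laravel side never needs the plaintext again. Because the user is looked up by e-mail and the key is compared in constant time, the scheme does not depend on the key being unique across the table, only on it being unguessable, which is why random bytes are used instead of a short digit string.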
