
Protect API calls

I'm fairly new to Laravel and I'm hoping someone could push me in the right direction. I have a JavaScript frontend; its views are not served by Laravel, but it makes calls to a Laravel API. All I have for authentication is an external API where user login credentials are sent and, if they are correct, a username is returned.

If a username is returned, then a new user is created through a model in the Laravel backend. At the moment there is nothing stopping someone from saying that the first authentication API returned a different username and submitting that to the Laravel API. I think that the first auth API should return some sort of random token that will be saved to the Laravel user, so you can't just submit the username that other people might know.

Should I use Laravel Passport for this?

0 likes
2 replies

@sentiemce Yes, you should be using some form of token-based authentication instead of just returning a username. As you’ve identified, if someone is able to get the username of a valid user then they’re going to be able to make API requests, which isn’t secure at all.

Passport is an OAuth server implementation so will add OAuth-based authentication to your application. Sanctum is a simpler solution for adding API token-based authentication to your applications.
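The token-based approach the reply recommends, written out as an added example (this is not code from the thread, from Laracasts or from the Laravel/Sanctum documentation): the Laravel backend calls the external credential service itself, so the username comes from that service's response rather than from whatever the frontend claims, and only on success does it mint a Sanctum personal access token for the frontend to send as a Bearer header. The `services.external_auth.url` config key, the `username` column on `User`, the external service's JSON response shape and the route definitions are all assumptions made for the example.

```php
<?php
// Added example, not from the original thread. Assumptions (not on the page):
//  - Laravel Sanctum is installed and App\Models\User uses the HasApiTokens trait
//    and lists 'username' in $fillable;
//  - config('services.external_auth.url') points at the external credential
//    service, which answers POST /login with JSON {"username": "..."} on success
//    and a non-2xx status on failure.

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Http;
use Illuminate\Validation\ValidationException;

class AuthController extends Controller
{
    public function login(Request $request)
    {
        $credentials = $request->validate([
            'email'    => ['required', 'string'],
            'password' => ['required', 'string'],
        ]);

        // The backend talks to the external authentication API directly. A client
        // can no longer say "the auth API told me I am alice": the only username
        // Laravel will accept is the one in the external service's own response.
        $response = Http::timeout(5)
            ->post(config('services.external_auth.url') . '/login', $credentials);

        if (! $response->successful() || empty($response->json('username'))) {
            // Same generic message for "no such user" and "wrong password".
            throw ValidationException::withMessages([
                'email' => ['The provided credentials are incorrect.'],
            ]);
        }

        $user = User::firstOrCreate(['username' => $response->json('username')]);

        // Sanctum generates a random token, stores only its SHA-256 hash in
        // personal_access_tokens, and hands the plaintext back exactly once.
        $token = $user->createToken('spa')->plainTextToken;

        return response()->json(['token' => $token]);
    }

    public function logout(Request $request)
    {
        // Revoke just the token that authenticated this request, so the user's
        // other devices stay logged in.
        $request->user()->currentAccessToken()->delete();

        return response()->noContent();
    }
}

// routes/api.php (assumed wiring for the controller above):
//
// Route::post('/login', [AuthController::class, 'login']);
//
// Route::middleware('auth:sanctum')->group(function () {
//     Route::post('/logout', [AuthController::class, 'logout']);
//     Route::get('/user', fn (Request $request) => $request->user());
// });
```

From the JavaScript frontend, every protected call then carries `Authorization: Bearer <token>`; the `auth:sanctum` middleware hashes the presented token, looks up the hash, and rejects the request if nothing matches. Because the token is random and never derived from the username, knowing someone's username gives a third party nothing to submit.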
