
beycandeveloper

Validation for requests from outside the Laravel application.

Hi guys, I have a control for my API as follows. But I want to enable this only for external requests. So I don't want this to work for requests from the script itself. How can I do it?

$apiKey = $request->header('X-Api-Key');

if (!$apiKey) {
    return response(Response::notAcceptable(__('app.apiKeyNotFound')), 406);
}

if ($apiKey !== config('app.key')) {
    return response(Response::notAcceptable(__('app.apiKeyDidNotMatch')), 406);
}
0 likes
7 replies
rodrigo.pedra

Try this:

use Illuminate\Support\Str;

// Reject requests whose previous URL (taken from the Referer header) is inside this app
if (Str::startsWith(url()->previous(), url('/'))) {
    // return unauthorized response
}
1 like
rodrigo.pedra

One observation: it will only work properly if the requests have a Referer header with the external domain.

aschmelyun

@beycandeveloper You could add something like this to your above code:

$requestDomain = parse_url($request->root())['host']; 

if ($requestDomain === env('APP_URL')) {
    return response(...); // return a response early if the request came from inside the Laravel app
}
1 like
rodrigo.pedra

Hey @aschmelyun , nice to see you around.

The image uploading series is top notch and helped as I was just in need to implement multiple async uploads.

Some remarks:

1. $request->root() will return the current request URL, which will always match the URL in APP_URL.

OP wanted to check if the client consuming the endpoint is an external one, that is why I suggested he check the Referer header, which is not always reliable, but is the best bet one could make with the default setup. The downside is that any external clients that are not a browser might not include the Referer header.

One other option would be to check for the absence of a header that he is always sure to add manually in the scripts from his own applications. But that could also be faked once an external agent knows about it.

2. As @michaloravec pointed out, the env(...) helper should only be used inside configuration files.

As per Laravel docs:

If you execute the config:cache command during your deployment process, you should be sure that you are only calling the env function from within your configuration files. Once the configuration has been cached, the .env file will not be loaded and all calls to the env function for .env variables will return null.

Reference: https://laravel.com/docs/8.x/deployment#optimizing-configuration-loading

And as, in the same link above, it is recommended to cache configuration in production for performance reasons, it is not advised to use the env() helper outside of config files.

Further reading:

Hope this helps =)

martinbean

@beycandeveloper Your API tokens should be associated with some sort of client. You should know who the API token belongs to, and therefore whether the token is first-party (your app) or third-party (someone else).

1 like
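Added example of the per-client token approach suggested above (not code from the thread or from Laravel itself): a middleware that resolves the X-Api-Key header to a client record and rejects first-party callers based on that record rather than on Referer or Host. It assumes a hypothetical `api_clients` table with `name`, `token_hash` (sha256 of a random token issued per client, never APP_KEY) and a boolean `first_party` column.

```php
<?php
// Added example, not from the thread. Assumes a hypothetical `api_clients`
// table: name, token_hash (sha256 of the issued token), first_party (bool).

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

class AuthenticateApiClient
{
    public function handle(Request $request, Closure $next)
    {
        $apiKey = $request->header('X-Api-Key');

        if (!$apiKey) {
            return response()->json(['error' => __('app.apiKeyNotFound')], 401);
        }

        // Only a hash of each issued token is stored, so a leaked table
        // does not hand out usable credentials. Lookup is by that hash.
        $client = DB::table('api_clients')
            ->where('token_hash', hash('sha256', $apiKey))
            ->first();

        if (!$client) {
            return response()->json(['error' => __('app.apiKeyDidNotMatch')], 401);
        }

        // The client record, not a spoofable request header, says who is calling.
        // First-party scripts carry their own token, so they can be refused here.
        if ($client->first_party) {
            return response()->json(['error' => 'External clients only.'], 403);
        }

        // Make the resolved client available to controllers and logging.
        $request->attributes->set('api_client', $client);

        return $next($request);
    }
}
```

Register the class in the `api` middleware group or on the specific routes; the 401/403 codes are a choice made here, the OP's 406 works just as well if that is what the existing clients expect.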
