My backend and frontend are totally separated: one using Laravel 5.3, the other using VueJS 2.

My frontend doesn't need to authenticate users (public website). However my backend should be able to recognize that the API calls are being sent from my frontend and not some other client/frontend.

I know how to do this manually, but I would like to know if it's possible to do this out of the box with the Dingo package, and also whether the hostname (or whatever means is used to approve the API calls) can't be spoofed by others.

Hossein J
  • maybe via middleware checking request path? – Bartu Oct 11 '16 at 23:20
  • Well you can't trust a `referer` header so sounds like adding some type of key to the request is needed. – lagbox Oct 11 '16 at 23:39
  • @lagbox The key in the request will be easily seen by the user, since everything is done through APIs. – Hossein J Oct 12 '16 at 08:44
  • Is the request path totally spoof-proof? @Bartu – Hossein J Oct 12 '16 at 08:44
  • You said you know how to do this manually, can you explain how you would do it? – Psi Oct 12 '16 at 09:14
  • I was thinking about verifying both the referrer header and the origin hostname. I could also implement an encrypted token that my frontend could generate and my backend would recognize. This token would change on every request, with a sort of timestamp encrypted within it to set a time limit. But I would rather go for a method that is already implemented in Dingo or Laravel or even VueJS. @Psi – Hossein J Oct 12 '16 at 09:28

1 Answer

You can add a custom element, like the csrf_field(), to all of your forms. If you have that element... then it's coming from you.

edit: Or json web tokens, but that's a bit more work.

diabetesjones
  • You have to know that my frontend is totally separated from the backend and depends only on APIs. So if I were to acquire a token of any sort, the request could be seen by the client simply in the console. – Hossein J Oct 12 '16 at 08:43