2

I am developing a website frontend in Angular 2 and an API in Laravel with Dingo. Now I want to get the data from this API in Angular 2. But of course I want to protect the API so that for now only my Angular frontend is allowed to get a response from the API.

I searched a lot but cannot figure out the best way. Most search results use JWT or auth, but with an Angular 2 application where users have to log in. In my case no login is required to go to pages with data from the API.

I would appreciate any suggestions or links to interesting tutorials or other questions on this topic.

Florian F
maesk

1 Answer

2

If I've understood what you want to achieve, you should just implement a Cross-Origin Resource Sharing middleware in Laravel. You can even use Barryvdh's Laravel CORS package for a quicker approach. JWT is useless in your case as it's just a token auth system that provides your REST API the capability to authorise users to perform an action that requires authentication.

Useful links: Implementing secure CORS APIs

Andrea Alhena
  • Seems like I was searching for the wrong thing. But what if I would like to have a public part for all my visitors which uses a part of my API and a private admin part which uses another part of my API? I am not sure if this can be handled with CORS. I would need some login functionality for the admin part, right? – maesk Jan 24 '17 at 08:56
  • In your case you should use both the CORS and the JWT middlewares. While the CORS middleware will be in charge of the entire set of the API's endpoints, the JWT middleware will be used only on the endpoints that require authentication. In simpler words, the authentication-required endpoints will send data only if a valid token is provided (you can obtain a token by providing a valid username-password pair to the login method). All the other endpoints will send data even if the user is not logged in (if the CORS middleware authorises the request, obviously). – Andrea Alhena Jan 25 '17 at 10:29
  • Another question: if at some point I would like to make my API (only read methods) available to other client applications, would that be possible or should I start from scratch again with a different approach? – maesk Jan 27 '17 at 13:05
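
The layering described in the answer and its follow-up comment (CORS on every endpoint, a token check only on the admin endpoints), as an added framework-free PHP sketch; it is not from the original posts and is not Laravel, Dingo or package code, and the origin, paths, secret and function names are constructed. `Origin` is a header supplied by the browser, so the allowlist decides which web pages may read responses, while the token check is what gates the admin routes.

```php
<?php
// Added example: framework-free model of the two layers, not Laravel or package code.
// The origin, paths and secret below are constructed placeholders.
const ALLOWED_ORIGINS = ['https://app.example.test'];
const JWT_SECRET = 'constructed-demo-secret';

function b64url_encode(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}
function b64url_decode(string $s): string {
    return (string) base64_decode(strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4), true);
}
// HS256 is fixed server-side; the token's own "alg" header is never trusted.
function bearer_valid(string $auth, int $now): bool {
    if (!preg_match('/^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/', $auth, $m)) return false;
    $expected = b64url_encode(hash_hmac('sha256', "$m[1].$m[2]", JWT_SECRET, true));
    if (!hash_equals($expected, $m[3])) return false;          // constant-time compare
    $claims = json_decode(b64url_decode($m[2]), true);
    return is_array($claims) && is_int($claims['exp'] ?? null) && $claims['exp'] > $now;
}
// The CORS layer runs for every endpoint; the token layer only for /api/admin/*.
function handle(string $method, string $path, array $headers, int $now): array {
    $origin = $headers['Origin'] ?? '';
    $cors = in_array($origin, ALLOWED_ORIGINS, true)           // exact match, no wildcard
        ? ['Access-Control-Allow-Origin' => $origin, 'Vary' => 'Origin'] : [];
    if ($method === 'OPTIONS') {                               // a preflight carries no token
        if ($cors) $cors['Access-Control-Allow-Headers'] = 'Authorization, Content-Type';
        return [204, $cors];
    }
    if (strpos($path, '/api/admin/') === 0 && !bearer_valid($headers['Authorization'] ?? '', $now)) {
        return [401, $cors];
    }
    return [200, $cors];
}

$now = 1700000000;                                             // constructed clock value
$body = b64url_encode('{"alg":"HS256","typ":"JWT"}') . '.'
      . b64url_encode(json_encode(['sub' => 'admin', 'exp' => $now + 3600]));
$token = $body . '.' . b64url_encode(hash_hmac('sha256', $body, JWT_SECRET, true));
$app = ['Origin' => 'https://app.example.test'];
foreach ([
    ['GET', '/api/posts', $app],                               // public read from the frontend
    ['GET', '/api/posts', []],                                 // request without an Origin header
    ['OPTIONS', '/api/admin/users', $app],                     // preflight before an admin call
    ['GET', '/api/admin/users', $app],                         // admin path, no token
    ['GET', '/api/admin/users', $app + ['Authorization' => "Bearer $token"]],
] as [$m, $p, $h]) {
    [$status, $out] = handle($m, $p, $h, $now);
    echo "$m $p -> $status " . json_encode($out) . "\n";
}
```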