
I have a Laravel web application for a restaurant with its own user base. I have another web application for a bookstore with its own different user base.

I would like to create a third application (mostly API, probably using Lumen) that can create accounting records from both the restaurant and the bookstore on every transaction that is made (i.e. when I sell any food, make a POST request to this API to insert a record, and do the same if I sell a book).

How can I guarantee that only authorized users from my web apps (any user) can make requests to my API, without asking them for any additional password?

Jk33
  • When I had a similar issue I created a path on each application at e.g. `api/token` that was open to CORS from the 3rd site and granted that site with a token which could be used to access the other site's API. I didn't do anything as sophisticated as JWT or OAuth but those are also options to consider. You just need a mechanism to get a token from either site and then have either site verify who the user is, based on the token. – apokryfos Apr 25 '18 at 19:00

2 Answers


This is a typical use case for the client credentials grant tokens oauth flow.

From the laravel passport documentation:

The client credentials grant is suitable for machine-to-machine authentication. For example, you might use this grant in a scheduled job which is performing maintenance tasks over an API. 

Brian Lee
  • As I understood the question, the poster already has separate databases of users for each application. Wouldn't an oauth solution require these users to be in one database where credentials are checked before issuing tokens? – Mkk Apr 25 '18 at 19:00
  • I don't think user authentication is necessary in this situation since the post will happen automatically. Just needs each system to authenticate to the central accounting system. – Brian Lee Apr 25 '18 at 19:09
  • Right, depends on the exact requirement I guess. The poster writes the following: _only authorized users from my web apps (any user) can make requests to my API_ – Mkk Apr 25 '18 at 19:19
  • Correct, the users databases are separate. And yes the POSTs would be automatic so I don’t really care what specific user did it (I could always record the user ID), as long as it was a logged in user from any of my apps. I’ll take a look at this flow, thanks both. – Jk33 Apr 25 '18 at 19:28
  • Good luck! In that case the simplest solution is to add an api-key which is shared by your applications in the header and create a middleware that checks for these. An added security can be to only allow whitelisted IPs to call your api. – Mkk Apr 25 '18 at 19:40

You can create an api-key for each user that has to be present in the post request's header. There should be a table in the API that has these keys stored with the corresponding user_id.

As such you can identify each user based on the given api-key.

Mkk
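The header api-key check described in this answer and in the comment above (key looked up in a table, optionally restricted to an IP allow-list), written out as a Lumen middleware. This is an added example, not code from either answer; the table name `api_clients`, its columns `name`, `key_hash` and `allowed_ips`, and the `X-Api-Key` header name are assumptions.

```php
<?php
// Added example: a Lumen middleware that checks a per-application (or per-user)
// API key sent in the X-Api-Key header. Assumes a table `api_clients` with
// columns `name`, `key_hash` (SHA-256 of the issued key) and `allowed_ips`
// (comma-separated, nullable). All of these names are assumptions.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class VerifyApiKey
{
    public function handle(Request $request, Closure $next)
    {
        $key = $request->header('X-Api-Key');
        if ($key === null || $key === '') {
            return response()->json(['error' => 'missing api key'], 401);
        }

        // Only the SHA-256 of the key is stored, so a leaked table does not
        // expose usable keys. app('db') avoids needing $app->withFacades().
        $client = app('db')->table('api_clients')
            ->where('key_hash', hash('sha256', $key))
            ->first();

        if ($client === null) {
            return response()->json(['error' => 'invalid api key'], 401);
        }

        // Optional per-client IP allow-list, as suggested in the comments.
        if (!empty($client->allowed_ips)) {
            $allowed = array_map('trim', explode(',', $client->allowed_ips));
            if (!in_array($request->ip(), $allowed, true)) {
                return response()->json(['error' => 'source address not allowed'], 403);
            }
        }

        // Expose which application (or user) made the call to the controller,
        // so the accounting record can store it.
        $request->attributes->set('api_client', $client->name);

        return $next($request);
    }
}
```

Register it in `bootstrap/app.php` with `$app->routeMiddleware(['api.key' => App\Http\Middleware\VerifyApiKey::class]);` and attach it to the accounting routes with `'middleware' => 'api.key'`; the restaurant and bookstore apps then send their key in the `X-Api-Key` header on each POST.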