I'm developing an API to be consumed by a mobile app, but I have some questions regarding security.
The mobile app is a job portal where candidates can log in and register and then manage their information.
So basically in my api.php routes file I will have all the routes related to the user, that is, add, delete, edit his information, jobs, etc.
But then I will have other routes related to the system, say, like listing the news, blog... These routes cannot be permitted to be requested by the users, since they are system/app routes.
But in general none of the routes can be available to the public; only the application can use these routes.
Most of the routes I have in the API are like:
```php
<?php

use Illuminate\Support\Facades\Route;

// Public routes: no token required
Route::get('latest-news', 'SiteController@news');
Route::post('login', 'PassportController@login');
Route::post('register', 'PassportController@register');

// Routes that require a valid Passport access token
Route::middleware('auth:api')->group(function () {
    // USERS
    Route::get('users', 'UserController@index');
    // Route::get('users/{id}', 'UserController@show');
    Route::post('users', 'UserController@store');
    Route::put('users/{user}', 'UserController@update');
    Route::delete('users/{id}', 'UserController@destroy');
    Route::any('errors', 'UserController@errors');
});
```
The login, register and latest-news routes are available to the public; any person could access them. I could resolve the issue by putting the routes inside the 'auth:api' middleware, but then I would also have the problem that the users can access these routes.
So the problem I'm struggling with is which grant types do I use? Client? Password? Both? How do I handle this type of situation?
from Newest questions tagged laravel-5 - Stack Overflow http://bit.ly/2Ad3wA3
via IFTTT
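The route layout below is an added example, not code from the question or from Laravel Passport itself. It shows one way to split routes/api.php into the three audiences the question describes (public, app-only, logged-in user) using the two Passport grant types the asker mentions: user routes sit behind `auth:api` and accept a password-grant token, while the system/app routes accept a client-credentials token checked by Passport's `CheckClientCredentials` middleware, which must first be registered under a name (here `client`) in app/Http/Kernel.php. The `SiteController@blog` action, the `throttle:10,1` limits and the route names are assumptions for illustration.

```php
<?php
// Added example (not the asker's code): routes/api.php split by audience for a
// Laravel 5.x API protected with Passport. Assumes Passport is installed, user
// tokens are issued with the password grant, and the mobile app holds a client
// id/secret for the client-credentials grant.

use Illuminate\Support\Facades\Route;

// --- app/Http/Kernel.php (excerpt; assumed, shown here for completeness) ---
// Passport's client-credentials check is not enabled by default; it has to be
// added to $routeMiddleware before it can be referenced by name below.
//
//   use Laravel\Passport\Http\Middleware\CheckClientCredentials;
//
//   protected $routeMiddleware = [
//       // ...existing entries...
//       'client' => CheckClientCredentials::class,
//   ];

// --- routes/api.php ---

// 1. Truly public: no token of any kind. Keep this group as small as possible
//    and rate-limit it, since anyone on the internet can reach these endpoints.
Route::middleware('throttle:10,1')->group(function () {
    Route::post('login', 'PassportController@login');
    Route::post('register', 'PassportController@register');
});

// 2. App-only: requires a token obtained with grant_type=client_credentials
//    using the app's client id/secret. No user is attached to such a token,
//    so nothing in this group should read or modify user-specific data.
Route::middleware('client')->group(function () {
    Route::get('latest-news', 'SiteController@news');
    Route::get('blog', 'SiteController@blog'); // hypothetical controller action
});

// 3. User routes: requires a password-grant token that belongs to one user.
//    The middleware only proves that *some* user is logged in; each handler
//    must still verify that $request->user() owns the record it is changing.
Route::middleware('auth:api')->group(function () {
    Route::get('users/{user}', 'UserController@show');
    Route::put('users/{user}', 'UserController@update');
    Route::delete('users/{user}', 'UserController@destroy');
});
```

Two caveats a reviewer would raise on this design. First, a client secret compiled into a mobile app can be recovered from the installed binary, so the `client` group keeps casual callers out but is not a hard access boundary; treat the data it serves as effectively public and rely on throttling and monitoring rather than on secrecy of the client credentials. Second, a route such as `GET users` inside `auth:api` lets any authenticated candidate list every other user; authentication middleware answers "who is calling?", and the authorization question "may this caller see this record?" still has to be answered in the controller or a policy.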