Is the API accessed directly by the user? I.e. I can go: http://api/users/1/albums?
If so, then you need some sort of login mechanism on the API, so I send username/password on each request, which your API checks (or it could be basic Auth, or a hash-type string that the API gives you after you first log in to it).
@shez1983 I use JWT. The authentication is not the problem.
I mean, if a user can go to users/1/albums (because he is authenticated), he can go to users/2/albums, but I have to protect that.
One thing is to set the endpoint to api/users/authenticated/albums, but that's not the main question.
If the user is authenticated, then why don't you check, when he goes to users/2/albums, that the id 2 is his id?
Surely when someone authenticates into your site/API, you store their ID, which is used to get the albums, i.e. users/2/albums.
Personally I would just do users/albums, as you should already know their ID!
@shez1983 That's what I'm doing (users/authenticated/albums instead of users/albums), but the question is:
What would you do, a middleware or a FormRequest, to protect those API endpoints?
I would use a middleware; that is the better place to do this kind of thing. A FormRequest is for form validation instead.
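As an added example (not code from the thread or from any of its participants), this is the middleware approach described above in Laravel: a route middleware that refuses the request when the `{user}` route parameter is not the authenticated user, so `/api/users/2/albums` answers 403 unless user 2 is the caller. The class name `EnsureOwnsUserResource`, the alias `owns.user`, the `AlbumController` and the registration shown are all assumptions for illustration; the middleware must run after the auth middleware (`auth:api` here) so that `$request->user()` is already populated by the JWT guard.

```php
<?php
// Added example, not from the thread. Names below are assumptions.
// File: app/Http/Middleware/EnsureOwnsUserResource.php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class EnsureOwnsUserResource
{
    public function handle(Request $request, Closure $next): Response
    {
        // Populated by the auth guard (auth:api / JWT) that runs before us.
        $authUser = $request->user();
        if ($authUser === null) {
            abort(401);
        }

        // {user} is a User model if route model binding already ran,
        // otherwise the raw id from the URL. Handle both.
        $routeUser = $request->route('user');
        $routeUserId = $routeUser instanceof Model ? $routeUser->getKey() : $routeUser;

        // Compare as strings so "2" from the URL matches int 2 from the DB
        // without a loose == comparison.
        if ($routeUserId === null || (string) $routeUserId !== (string) $authUser->getKey()) {
            abort(403, 'You may only access your own resources.');
        }

        return $next($request);
    }
}

// Registration (assumed Laravel 11 style, file: bootstrap/app.php):
//
//   ->withMiddleware(function (Middleware $middleware) {
//       $middleware->alias([
//           'owns.user' => \App\Http\Middleware\EnsureOwnsUserResource::class,
//       ]);
//   })
//
// On Laravel 10 and earlier the same alias goes into
// $middlewareAliases (or $routeMiddleware) in app/Http/Kernel.php.

// Routes (file: routes/api.php). Order matters: auth:api first, then the
// ownership check, otherwise $request->user() is still null.
//
//   use App\Http\Controllers\AlbumController;
//   use Illuminate\Support\Facades\Route;
//
//   Route::middleware(['auth:api', 'owns.user'])->group(function () {
//       Route::get('users/{user}/albums', [AlbumController::class, 'index']);
//   });
//
//   // The users/albums form from the thread needs no id check at all,
//   // as long as the controller scopes by the authenticated user:
//   Route::middleware('auth:api')
//       ->get('users/albums', [AlbumController::class, 'mine']);

// Assumed controller (file: app/Http/Controllers/AlbumController.php):
//
//   public function mine(Request $request)
//   {
//       // Never read the user id from the request here; the relation is
//       // scoped to the caller, so a forged id in the query is ignored.
//       return $request->user()->albums()->get();
//   }
```

The middleware only covers the `{user}` ownership check; if albums themselves are addressed by id elsewhere (for example `albums/{album}`), the same rule has to be applied to the album's owner, which is usually cleaner as a Laravel policy (`$this->authorize('view', $album)`) than as another middleware.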