Questions about OAuth and Tokens in an API

First, I’d like to give some context about my scenario:

I am a student in the field with a huge passion for mobile development, and recently I have seen the need to create my own APIs to enable communication between the app and my database (i.e. authentication and user creation, feedback, and the removal, insertion and updating of information). I started researching and found some good frameworks, like Laravel, Lumen, Slim and others, as well as a lot of excellent talks on scalability and RESTful concepts.

But one question has always been on my mind, and it is related to the correct way to use tokens in my case. If the community can help me, I’d be very grateful.

  1. Should the user’s token be renewed each time they access the API? If so, what is the concern that makes this mandatory?
  2. When receiving a request from a user on a route (e.g. api.awesome.com/user/12) that will return a list of that user’s information, and I want to ensure that they have access ONLY to their own list, should I look up the database by the user ID, by the token passed in the header, or both? If the answer is "by the token", how would that fit the RESTful approach? Could I pass api.awesome.com/user/TOKEN_DO_USUARIO? Would there be problems because the URL would be too big to send?

Now about the data validation:

  1. It is recommended that I never trust data sent by the user, right? So how should I validate this data in the API before inserting it into the database? Check whether it is in fact an email, a mobile phone number, a zip code, etc.? With regex patterns? Is there any less laborious way in Laravel? And somewhere (don’t ask me where) I read that regex is not a safe way. Is that a fact? Why?

A small question about CORS (I confess that I have not researched it, but while I’m posting...)

  1. What’s wrong with using *? I know it will accept requests from any domain, but given that the ones sending the requests will be my applications, that none of them has a domain name, and that, as we know, I cannot rely on the user’s IP for CORS, what is the right alternative?

I apologize for all the questions, but I would love it if someone could clear them up for me. Thank you very much in advance.
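The second question above (look up by user ID, by token, or both) is where the security-relevant decision lives, so here is an added example that is not part of the original post or of any of the frameworks it names: a self-contained Python handler for GET /user/<id> with constructed sample users and tokens (all names and values hypothetical). Identity is taken from the bearer token in the Authorization header, the id in the path only names the resource, and the handler checks that the two agree; the insecure variant that authenticates the caller but trusts the path id is shown alongside, because that is the common mistake. Tokens are stored hashed and carry an expiry, which also bears on the first question: issuing a token at login with a lifetime, and checking it on every request, is the usual alternative to rotating the token on each call. The token is never placed in the URL, since URLs end up in server logs, proxy logs and browser history.

```python
"""Token-based authorization for GET /user/<id>, as a self-contained toy (added example)."""
import hashlib
import secrets
import time

# Constructed sample data (hypothetical): two users and the items each one owns.
USER_ITEMS = {12: ["alice-item-1", "alice-item-2"], 13: ["bob-item-1"]}

# Token store: sha256(token) -> (user_id, expires_at). Only the hash is kept, so a
# dump of this table does not yield usable tokens. A plain SHA-256 is enough here
# because the tokens are long random strings, not user-chosen passwords.
TOKEN_STORE: dict[str, tuple[int, float]] = {}

TOKEN_TTL_SECONDS = 3600  # one hour; assumed value for the example


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(user_id: int, now: float) -> str:
    """Mint a fresh bearer token for user_id (called once, after a successful login)."""
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    TOKEN_STORE[_digest(token)] = (user_id, now + TOKEN_TTL_SECONDS)
    return token


def user_from_token(headers: dict, now: float):
    """Return the user id the bearer token belongs to, or None if absent, unknown or expired."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    key = _digest(token)
    entry = TOKEN_STORE.get(key)
    if entry is None:
        return None
    user_id, expires_at = entry
    if now >= expires_at:
        TOKEN_STORE.pop(key, None)  # expired: drop it so it cannot be replayed later
        return None
    return user_id


def insecure_get_user_items(headers: dict, path_user_id: int, now: float):
    """The mistake: authenticate the caller, then trust the id in the URL.
    Any logged-in user can read any other user's list (an insecure direct object reference)."""
    if user_from_token(headers, now) is None:
        return 401, {"error": "unauthenticated"}
    items = USER_ITEMS.get(path_user_id)
    if items is None:
        return 404, {"error": "no such user"}
    return 200, {"user": path_user_id, "items": items}


def get_user_items(headers: dict, path_user_id: int, now: float):
    """The fix: identity comes from the token; the URL only names the resource,
    and the handler refuses unless the two agree."""
    caller = user_from_token(headers, now)
    if caller is None:
        return 401, {"error": "unauthenticated"}
    if caller != path_user_id:
        # 403 confirms that the id exists; return 404 instead if you would rather not reveal that.
        return 403, {"error": "forbidden"}
    return 200, {"user": caller, "items": USER_ITEMS.get(caller, [])}


if __name__ == "__main__":
    now = time.time()
    alice = issue_token(12, now)
    bob = issue_token(13, now)
    print(insecure_get_user_items({"Authorization": f"Bearer {bob}"}, 12, now))  # bob reads alice's list
    print(get_user_items({"Authorization": f"Bearer {bob}"}, 12, now))           # 403
    print(get_user_items({"Authorization": f"Bearer {alice}"}, 12, now))         # 200
    print(get_user_items({"Authorization": f"Bearer {alice}"}, 12, now + 7200))  # 401, expired
```

The `now` argument is passed in explicitly so the expiry logic can be exercised deterministically; in a real service it would be the request time and the dict would be a database table. The same shape carries over to Laravel, Lumen or Slim: a middleware resolves the token to a user, and the route handler compares that user with the id in the path before touching the database.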

  • Hello, I suggest you take the tour to learn more about the site. Your question is very broad; it would be better to ask one question at a time rather than putting several in one.

  • I think you have several questions, not one. Splitting these questions up increases the chances of getting a meaningful answer, and also helps those who answer and only have partial mastery of the subjects.

  • I appreciate the comment. However many questions there are, I am sure that any experienced user in the field will be able to answer all of them, since the 4 questions refer to the same subject. Plus: wouldn’t creating a post for each question be an unnecessary flood, since all of the questions can be answered in a few lines? So I thought it would be better to centralize them all.

No answers