How can I ensure that my API will only be used for the features I want it to use?


1

Hello, I have the following question.

I have an application that will be used by several companies. Each company will have a number of employees (company-only users), and I also have common users (the companies' customers). The relationships in the system are N:N and N:1 within a single structure. The main idea is that each company manipulates its own resources individually, without being able to change other companies' resources. Users can use all the resources of the company (the companies they are related to). My question concerns the exposure of this API: how can I ensure that a malicious user with this exposed URI does not access or manipulate other companies' resources? I want that when he accesses company X, he can only use company X's endpoints, and in the same way the users (the companies' customers) access company Y and only manipulate resources that are within company Y.

I saw that there is the OAuth2 authentication protocol, which protects our API. Should I create an OAuth2 client for each company and check that it is only being used by that company?

I'm a bit confused at the moment. If you understood what I said above, can you help me? hahaha

I'm using Laravel and Laravel Passport.

2 answers

0

I believe the best way to do this is that every request for, for example, Customers / People / Companies / Products / Orders carries the id of the company the user belongs to. Then you create a check in middleware that denies access if the id does not match.

  • Thanks man, maybe this will really help.
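As an added illustration of the middleware check described in this answer (example code written for this thread, not the asker's code or a Laravel Passport feature), the sketch below takes the company from the `{company}` URL segment and compares it against the memberships of the user that Passport resolved from the bearer token, then scopes the resource query by that company. The caveat a practitioner will want: the company id to trust is the one derived from the authenticated user's own relations, not a `company_id` the client puts in the request body, and every query for a resource must also be filtered by that company, otherwise a valid member of company X can still fetch company Y's order by guessing its id. The `companies()` relation, the `company_user` pivot, the `Order` model and the `company.member` middleware alias are assumptions about the asker's schema.

```php
<?php
// Added example for this thread; assumes:
//   - users <-> companies is a BelongsToMany relation (pivot table company_user),
//   - resources such as orders carry a company_id column,
//   - routes are protected by Passport's auth:api guard so $request->user() is set,
//   - this class is registered in app/Http/Kernel.php $routeMiddleware as 'company.member'.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class EnsureUserBelongsToCompany
{
    public function handle(Request $request, Closure $next)
    {
        // Identity comes from the Passport token, never from the request body.
        $user = $request->user();

        // The tenant comes from the URL segment /companies/{company}/...
        $companyId = (int) $request->route('company');

        // Membership is looked up on the authenticated user's own relation, so a
        // caller cannot gain access simply by naming another company's id.
        if ($user === null || ! $user->companies()->whereKey($companyId)->exists()) {
            return response()->json(['message' => 'Forbidden'], 403);
        }

        // Hand the verified tenant to controllers so they never re-read it from input.
        $request->attributes->set('company_id', $companyId);

        return $next($request);
    }
}

// routes/api.php (assumed layout): every tenant endpoint sits under the
// company prefix and behind both the token guard and the membership check.
//
// Route::middleware(['auth:api', 'company.member'])
//     ->prefix('companies/{company}')
//     ->group(function () {
//         Route::get('orders/{order}', [App\Http\Controllers\OrderController::class, 'show']);
//     });

// app/Http/Controllers/OrderController.php (assumed): the membership check alone
// is not enough; each query must also be scoped to the verified company, so an
// order belonging to another company answers 404 instead of being returned.
//
// public function show(Request $request, int $order)
// {
//     $companyId = $request->attributes->get('company_id');
//
//     return Order::where('company_id', $companyId)->findOrFail($order);
// }
```

With this layout, Passport answers "who is calling" (authentication), while the middleware and the scoped queries answer "what may this caller touch" (authorization). A separate OAuth2 client per company does not by itself restrict which company's data a token can reach; the per-request membership and scoping checks are what do that.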

0

  • One more article on the subject: https://laravel-news.com/tenancy
