Prevent improper access to the Restful API

Viewed 520 times

2

I am developing a RESTful API with Laravel (PHP) that will be consumed by an Android application; the API is consumed only by the application, there is no web system.

I am learning REST, and during the learning I was left with a doubt. I can consume the API, okay, but I thought... if I access the link myself through the browser, I can see the JSON data.

So how do I prevent someone from accessing the API data from the browser, or from building a separate system to consume the API?

(as you can see, the API will have data that should be viewed only by its owner)

And how do I restrict access to some parts of the application to only some types of users (a permissions system)?

1 answer

1
An API, as far as its access is concerned, is public, and that comes from the concept itself. With this in mind, restricting access can take a few paths, depending once again on what we address, and for that the following pairings of concepts are important:

  1. applications - authorization

  2. users - authentication

Firstly, authorization: for that there is OAuth, which is clearly geared towards the authorization of applications; it also presents the concept of SCOPES, which makes it possible to define what specifically the application accesses. It is a protocol that I use today and that has proven itself. It is already a standard.

Secondly, authentication is a broader concept, because we would also have to talk about identity, and of course that goes a little beyond the question.

That said, an OAuth-based system to authorize applications to access, together with a user identity management system and their authentications, will depend on the application within such SCOPES as the application inherits from the service.

Even better would be a system that does not make the authentication of the applications' users depend on this. So the API itself may contain a way to authenticate users in addition to the services available to them.

See this link to shed a little more light on your question: How to avoid misuse of a REST API?

  • this OAuth seems very complicated; isn't there a simpler means, without going beyond basic HTTP? And would it allow controlling access by types of users?

  • I didn’t understand how the permissions of each type of user would fit into this

  • hello @Felipe.rce, OAuth is over HTTP and is a protocol. Start by taking a look at http://oauth.net/documentation/getting-started/
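The answer separates two checks: authorization of the application (an OAuth-style bearer token carrying scopes) and authorization of the user behind it (their role, plus ownership of the data). The following is an added, framework-free PHP sketch of those checks written for this page; it is not code from the answer, from Laravel, or from any OAuth library. The token values, users, roles, scopes and resource owners are constructed for the example, and `tokenRegistry`, `authenticate` and `authorize` are hypothetical names. It shows why a plain browser visit without a token gets 401, why a valid token without the right scope or role gets 403, and how an ownership check keeps one user's data from another.

```php
<?php
declare(strict_types=1);

// Constructed token registry, keyed by the SHA-256 of the token so that a
// leaked table does not contain usable bearer tokens. In a real deployment
// these rows are issued by the OAuth server / login endpoint, not hard-coded.
function tokenRegistry(): array
{
    return [
        hash('sha256', 'tok-alice-android') => ['user' => 'alice', 'role' => 'user',  'scopes' => ['orders:read']],
        hash('sha256', 'tok-bob-android')   => ['user' => 'bob',   'role' => 'admin', 'scopes' => ['orders:read', 'orders:write']],
        hash('sha256', 'tok-carol-legacy')  => ['user' => 'carol', 'role' => 'user',  'scopes' => []],
    ];
}

// Extract the token from "Authorization: Bearer <token>"; null if absent.
function bearerToken(array $headers): ?string
{
    $auth = $headers['Authorization'] ?? '';
    return preg_match('/^Bearer\s+(\S+)$/i', $auth, $m) === 1 ? $m[1] : null;
}

// Application-level check: who presented the token, and with which scopes.
function authenticate(array $headers): ?array
{
    $token = bearerToken($headers);
    if ($token === null) {
        return null;
    }
    return tokenRegistry()[hash('sha256', $token)] ?? null;
}

// Combined check for one endpoint: scope (application), role (user type) and,
// when the resource has an owner, ownership (admins may read anyone's data).
function authorize(array $headers, string $requiredScope, array $allowedRoles, ?string $resourceOwner = null): array
{
    $principal = authenticate($headers);
    if ($principal === null) {
        return ['status' => 401, 'reason' => 'missing or unknown bearer token'];
    }
    if (!in_array($requiredScope, $principal['scopes'], true)) {
        return ['status' => 403, 'reason' => "token lacks scope {$requiredScope}"];
    }
    if (!in_array($principal['role'], $allowedRoles, true)) {
        return ['status' => 403, 'reason' => "role {$principal['role']} not permitted here"];
    }
    if ($resourceOwner !== null && $resourceOwner !== $principal['user'] && $principal['role'] !== 'admin') {
        return ['status' => 403, 'reason' => 'resource belongs to another user'];
    }
    return ['status' => 200, 'user' => $principal['user']];
}

// Constructed requests: [headers, required scope, allowed roles, resource owner]
$cases = [
    'browser, no Authorization'  => [[], 'orders:read', ['user', 'admin'], 'alice'],
    'alice reads her own order'  => [['Authorization' => 'Bearer tok-alice-android'], 'orders:read', ['user', 'admin'], 'alice'],
    "alice reads bob's order"    => [['Authorization' => 'Bearer tok-alice-android'], 'orders:read', ['user', 'admin'], 'bob'],
    "admin bob reads alice's"    => [['Authorization' => 'Bearer tok-bob-android'],   'orders:read', ['user', 'admin'], 'alice'],
    'carol, token without scope' => [['Authorization' => 'Bearer tok-carol-legacy'],  'orders:read', ['user', 'admin'], 'carol'],
    'alice writes (admin only)'  => [['Authorization' => 'Bearer tok-alice-android'], 'orders:write', ['admin'], null],
    'unknown token'              => [['Authorization' => 'Bearer tok-forged'],        'orders:read', ['user', 'admin'], 'alice'],
];

foreach ($cases as $name => [$headers, $scope, $roles, $owner]) {
    $r = authorize($headers, $scope, $roles, $owner);
    printf("%-28s -> %d %s\n", $name, $r['status'], $r['reason'] ?? 'ok');
}
```

Run it with `php example.php`. The first case is the situation in the question: a browser sends no `Authorization` header, so it never reaches the data. In Laravel the same three checks would normally live in middleware (token lookup, scope check) and in a policy (role and ownership), but the decision order is the same: authenticate the caller, check the application's scope, then check the user's role and ownership.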
