Prevent undue access in the RESTful API

2

I'm developing a RESTful API with Laravel PHP that will be consumed by an Android application. The API is consumed only by the application; there is no web system.

I am learning RESTful, and during the learning I was left with a doubt. I manage to consume the API, okay, but I thought ... if I access the link myself, I can see the JSON data:

So how would I prevent someone from accessing the API data through the browser, or building a separate system to consume the API?

(As you can see, the API will have data that should be viewed only by their owner)

And how would you restrict access to some parts of the application only for certain types of users (permissions system)?

asked by anonymous 21.05.2015 / 10:03

1 answer

1

An API, in terms of access, is public, and this comes from its very concept. With this in mind, restricting access can take a few paths, depending once again on what we are approaching, and for this the following pairings of concepts are important:

  • Applications - Authorization

  • Users - Authentication

Firstly, authorization: for this there is OAuth, which is clearly aimed at authorizing applications. It also presents a concept of SCOPES that makes it possible to define what the application specifically accesses. It is a protocol that I use today and that has proven itself. It's already a standard.

Secondly, authentication: this is a broader concept because we would also have to speak of identity, and of course that strays a little from the question.

That said, a system based on the OAuth protocol to authorize applications' access, in conjunction with a user identity management system and its authentication, will depend on the application staying within the SCOPES that the application inherits from the service.

Better still, it is a system that does not make user authentication dependent on applications. Thus the API itself may contain a way to authenticate users beyond the services it offers.

See this link to add a little more light to your question: How to avoid improper use of a REST API?

21.05.2015 / 11:36
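As an added example (not code from the question or the answer), the two layers the answer separates, written for Laravel with the Passport OAuth 2 package: the `Order` model, its `user_id` column, the `orders()` relation and the `role` column on the user are assumptions of this example, not part of Laravel or Passport.

```php
<?php
// Added example: routes/api.php excerpt for a Laravel API protected with
// Laravel Passport (OAuth 2). Assumptions: Passport is installed, the 'scopes'
// middleware alias is registered in app/Http/Kernel.php, and App\Models\Order
// has a user_id column with a hasMany orders() relation on the User model.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Laravel\Passport\Passport;
use App\Models\Order;

// Declare the scopes an application may be granted (normally placed in
// AuthServiceProvider::boot). The Android client receives only the scopes it
// asked for and the resource owner approved.
Passport::tokensCan([
    'read-orders'  => 'Read the user\'s own orders',
    'place-orders' => 'Create orders on the user\'s behalf',
]);

// Layer 1 (application authorization + user authentication): every route in
// this group needs a valid bearer token that carries the read-orders scope.
// A bare browser visit without a token gets a 401, not the data.
Route::middleware(['auth:api', 'scopes:read-orders'])->group(function () {

    // Layer 2 (ownership): never trust the id in the URL alone. Scoping the
    // query to the authenticated user turns another owner's order id into a
    // 404, so records of other users cannot be read or enumerated.
    Route::get('/orders/{id}', function (Request $request, int $id) {
        return Order::where('user_id', $request->user()->id)->findOrFail($id);
    });

    // Permission system: a role check on top of the scope check. The 'role'
    // column is an assumption of this example.
    Route::get('/admin/orders', function (Request $request) {
        abort_unless($request->user()->role === 'admin', 403);
        return Order::latest()->paginate(50);
    });
});

// Writes need a different scope: a token issued with read-orders only cannot
// reach this route even though it belongs to the same user.
Route::middleware(['auth:api', 'scopes:place-orders'])
    ->post('/orders', function (Request $request) {
        $data = $request->validate(['item' => 'required|string|max:100']);
        // The new order is attached to the token's user, never to a user id
        // supplied by the client.
        return $request->user()->orders()->create($data);
    });
```

The scope check answers the question's first concern (a token is only issued to a registered application, via the OAuth flows), while the `user_id` filter answers the second: even a valid token lets its holder see only that user's own rows.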