How can I ensure that my API will only use the features I want it to use?

1

Hello, I have the following question.

I have an application that will be used by several companies. Each company will have a number of employees (the company's own users), and I also have regular users (business customers). The system's relationships are a single structure of N:N and N:1. The main idea is for each company to manipulate its own resources individually, without being able to change third-party companies' resources. Users, in turn, can use all the resources of the company (the companies they are related to). My question is about the exposure of this API: how can I ensure that a malicious user with this exposed URI does not access or manipulate resources from other companies? I just want that, when he accesses company X, he can only use the endpoints of company X, and in the same way that users (company customers) who access company Y only manipulate resources that are within company Y.

I've seen the OAuth2 authentication protocol, which protects our API. Should I create an OAuth2 client for each company to check that it is only using that company?

I'm kind of confused by that. If you can understand what I said above, can you help me? hahaha

I'm using Laravel and Laravel Passport.

asked by anonymous 17.06.2018 / 18:28

2 answers

0

I think the best way to do this is that every post, for example Clients / People / Business / Products / Orders, carries the business id that this user belongs to. Then you create a check using middleware so that, if the id does not match, it returns access denied.

18.06.2018 / 13:57
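One way to implement the check this answer describes in Laravel, as an added example that is not part of the original answer: a route middleware that refuses any request whose `{company}` URL segment is not the authenticated user's company, next to the vulnerable and the hardened version of a resource lookup. It assumes a `company_id` column on `users` and on every tenant-owned table (here `orders`), a `Company::orders()` relation, and the Passport `auth:api` guard; the class, route and relation names are illustrative.

```php
<?php
// Added example, not code from the original answer. Assumes `users.company_id`,
// `orders.company_id`, a `Company::orders()` hasMany relation and the Passport
// `auth:api` guard. Class and route names are illustrative.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class EnsureCompanyMatches
{
    // Rejects any request whose {company} route segment is not the company of
    // the authenticated user. The comparison uses the user record loaded by the
    // auth guard, never a value the client sends in a header or body.
    public function handle(Request $request, Closure $next)
    {
        $user = $request->user();
        $requested = (int) $request->route('company');

        if ($user === null || (int) $user->company_id !== $requested) {
            // Same 403 for every mismatch: do not leak whether company Y exists.
            abort(403, 'Access denied');
        }

        return $next($request);
    }
}

// routes/api.php (fragment): auth first, then the company check, for every
// tenant-scoped endpoint. Passing the class name avoids a Kernel alias.
namespace App\Http\Controllers;

use Illuminate\Support\Facades\Route;
use App\Http\Middleware\EnsureCompanyMatches;

Route::middleware(['auth:api', EnsureCompanyMatches::class])
    ->prefix('companies/{company}')
    ->group(function () {
        Route::get('orders/{order}', 'OrderController@show');
    });

// app/Http/Controllers/OrderController.php (fragment)
use Illuminate\Http\Request;
use App\Order;

class OrderController extends Controller
{
    // Vulnerable pattern (IDOR): the order id alone selects the row, so a user
    // of company X who guesses an order id of company Y is handed that order.
    // The middleware above does not help here, because the URL said company X.
    public function showUnsafe(Request $request, $company, $order)
    {
        return Order::findOrFail($order);
    }

    // Hardened pattern: the query starts from the caller's own company, so an
    // id that belongs to another company is a 404, never a returned row.
    public function show(Request $request, $company, $order)
    {
        return $request->user()->company->orders()->findOrFail($order);
    }
}
```

The middleware enforces the URL-level rule from the answer, but the second half matters just as much: every query for a tenant-owned resource must be anchored on the caller's company (`$user->company->orders()`), because the middleware only validates the `{company}` segment, not the ids that follow it. The same pattern applies to create, update and delete, where the `company_id` is taken from the authenticated user rather than from the request body.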
0

One possibility is to use a multi-tenant (multi-tenancy) strategy. In this approach, one of the methods is to separate each company's data into different databases while using a single application.

But there are other approaches; here is an article that explores the use of multi-tenancy with Laravel.

link

20.06.2018 / 14:01
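As an added example of the database-per-company approach this answer mentions (not code from the answer or from the linked article): a middleware that, after Passport has authenticated the caller, looks up the caller's company in a central database and repoints a `tenant` connection at that company's database for the rest of the request. It assumes a `central` connection holding a `tenants` table (`id`, `db_name`) that `users.company_id` refers to, and a `tenant` connection entry in `config/database.php` whose `database` key is filled in per request; the names are illustrative.

```php
<?php
// Added example, not from the original answer or the linked article. Assumes a
// `central` connection with a `tenants` table (id, db_name) that
// `users.company_id` points to, and a `tenant` connection in config/database.php
// whose `database` is set per request. Names are illustrative.
//
// config/database.php (fragment, assumed):
//   'default' => 'central',
//   'connections' => [
//       'central' => ['driver' => 'mysql', 'host' => env('DB_HOST'),
//                     'database' => env('DB_DATABASE'),
//                     'username' => env('DB_USERNAME'), 'password' => env('DB_PASSWORD')],
//       'tenant'  => ['driver' => 'mysql', 'host' => env('DB_HOST'),
//                     'database' => null,   // filled in by the middleware
//                     'username' => env('DB_USERNAME'), 'password' => env('DB_PASSWORD')],
//   ],

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

class UseTenantDatabase
{
    // Must run after `auth:api`, so that $request->user() is the Passport user.
    public function handle(Request $request, Closure $next)
    {
        $user = $request->user();
        if ($user === null) {
            abort(401);
        }

        // Resolve the tenant from the authenticated user's record in the central
        // database. Never derive it from a host name, header or query parameter:
        // a client that can choose the tenant can choose another company's data.
        $tenant = DB::connection('central')
            ->table('tenants')
            ->where('id', $user->company_id)
            ->first();

        if ($tenant === null) {
            abort(403, 'Access denied');
        }

        // Point the `tenant` connection at this company's database and make it
        // the default for the remainder of the request. purge() discards a
        // connection cached from an earlier request, which matters with
        // long-lived workers that would otherwise keep the previous tenant's DB.
        config(['database.connections.tenant.database' => $tenant->db_name]);
        DB::purge('tenant');
        DB::setDefaultConnection('tenant');

        return $next($request);
    }
}
```

With the default connection switched, Eloquent models that declare no `$connection` hit the company's own database, so a query for another company's order id finds nothing rather than another company's row. Models that live in the central database (`User`, `Tenant`) should set `protected $connection = 'central';` explicitly so they keep working after the switch, and the `db_name` value comes from the central `tenants` table, never from the user or the request.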