Hello, I have the following question.
I have an application that will be used by several companies. Each company will have a number of employees (users who belong only to that company), and I also have regular users (the companies' customers). The system's relationships are in a single structure of N:N and N:1. The main idea is for each company to manage its own resources individually, without being able to change other companies' resources. Users, in turn, can use all the resources of the company (or companies) they are related to. My question is about the exposure of this API: how can I ensure that a malicious user with this exposed URI does not access or manipulate resources of other companies? I just want that when he accesses company X he can only use the endpoints of company X, and likewise that users (company customers) who access company Y can only manipulate resources that are within company Y.
I've seen the OAuth2 authentication protocol, which protects our API. Should I create an OAuth2 client for each company to check that it is only using that company?
I'm kind of confused by that. If you can understand what I said above, can you help me? hahaha
I'm using Laravel and Laravel Passport.
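The following is an added example sketch of how this kind of isolation is usually enforced in a Laravel/Passport API; it is not code from the question, nor from Laravel or Passport themselves. It assumes models named `Company`, `Resource` and `User`, a `company_user` pivot table for the N:N membership, a `resources.company_id` column for the N:1 ownership, and routes protected by Passport's `auth:api` guard. The idea it demonstrates: the access token only identifies the caller, so the server has to check, on every request, that the caller is a member of the company that owns the record named in the URL. A separate OAuth2 client per company does not give you that, because a client identifies an application, not which company a user may act on.

```php
<?php
// Added example, not from the question or from Laravel/Passport.
// Assumptions: models Company, Resource, User; pivot table company_user (N:N);
// resources.company_id (N:1); API routes behind Passport's `auth:api` guard.

// ---- app/Models/User.php ----------------------------------------------------
namespace App\Models;

use Illuminate\Database\Eloquent\Relations\BelongsToMany;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Laravel\Passport\HasApiTokens;

class User extends Authenticatable
{
    use HasApiTokens;

    /** N:N membership: employees and customers of the companies they belong to. */
    public function companies(): BelongsToMany
    {
        return $this->belongsToMany(Company::class);
    }

    /** The single check every tenant-scoped request must pass. */
    public function isMemberOf(Company $company): bool
    {
        return $this->companies()->whereKey($company->getKey())->exists();
    }
}

// ---- app/Models/Resource.php ------------------------------------------------
namespace App\Models;

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Relations\BelongsTo;

class Resource extends Model
{
    /** N:1 ownership: every resource belongs to exactly one company. */
    public function company(): BelongsTo
    {
        return $this->belongsTo(Company::class);
    }

    /**
     * Defense in depth: while a user is authenticated, every Resource query is
     * limited to that user's companies, so even a route that forgets its policy
     * check cannot return another company's rows (route-model binding 404s).
     */
    protected static function booted(): void
    {
        static::addGlobalScope('tenant', function (Builder $query) {
            if ($user = auth()->user()) {
                $query->whereIn('company_id', $user->companies()->select('companies.id'));
            }
        });
    }
}

// ---- app/Policies/ResourcePolicy.php ----------------------------------------
namespace App\Policies;

use App\Models\Resource;
use App\Models\User;

class ResourcePolicy
{
    // Laravel maps App\Models\Resource to this class automatically.
    public function view(User $user, Resource $resource): bool
    {
        return $user->isMemberOf($resource->company);
    }

    public function update(User $user, Resource $resource): bool
    {
        return $user->isMemberOf($resource->company);
    }
}

// ---- routes/api.php ---------------------------------------------------------
use App\Models\Company;
use App\Models\Resource;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:api')->prefix('companies/{company}')->group(function () {
    Route::get('resources/{resource}', function (Company $company, Resource $resource) {
        // {company} is attacker-controlled: membership first, before any data access.
        abort_unless(auth()->user()->isMemberOf($company), 403);
        // {resource} is attacker-controlled too: it must belong to THIS company
        // (otherwise company X's URL could be used to read company Y's record).
        abort_unless($resource->company()->is($company), 404);
        // Finally the action itself is authorized against the record's owner.
        Gate::authorize('view', $resource);
        return $resource;
    });
});
```

The ordering in the route is deliberate: the company from the URL is checked against the caller's memberships before any resource is touched, then the resource is checked against that company, and only then is the action authorized. Passport scopes (`scope:`/`scopes:` middleware) can additionally restrict what a given token may do, but they do not replace this per-record ownership check, which is what actually prevents one company's users from reaching another company's data.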