Questions about OAuth and Tokens in an API [closed]

1

Before anything else, I would like to contextualize my scenario: I'm a student in the area who has a huge passion for mobile development, and recently I've seen the need to create my own APIs to enable the conversation between the application and my database (i.e. authentication and creation of users, and the return, removal, insertion and update of information). I started to search and found some good frameworks, like Laravel, Lumen, Slim and others, and a lot of excellent lectures on scalability and RESTful concepts.

But a question has always been in my head, and it is related to the correct way to use tokens in my case. If the community can help me, I would be grateful.

  • Does the user's token need to be updated each time it accesses the API? If yes, what is the issue that implies the obligation of this function?
  • On receiving a user's request on a route (e.g. api.awesome.com/user/12) that will return a list of this information, and I want to make sure it gets ONLY its own list, should I search the database through the user ID, or through the token in the header? Or both? And if the answer is "through the token", how would the RESTful question be? How could I pass api.awesome.com/user/TOKEN_DO_USUARY? Wouldn't it be a problem to have such a large URL being transmitted?
  • Now about data validation:
      • It is recommended that I never rely on user-submitted data, right? So how do I validate this data in the API before inserting it into the database? Check if it is indeed an email, a cell phone, a zip code, etc.? Regex patterns? Is there some less laborious way in Laravel? And somewhere (don't ask me where) I read that Regex is not a safe way. Is this a fact? Why?
  • A little doubt about CORS (I confess that I did not research it, but taking advantage of this publication...):
      • What is the problem with using *? I know that it will accept requests from any domain, but knowing that those who will send the requests will be my applications, and that none of them has a domain, and, as we know, I cannot rely on the user's IP to work with CORS, what is the right alternative?

I apologize for the doubts, but I would love it if anyone could clarify these issues. Thank you in advance.

    asked by anonymous 26.10.2017 / 06:45

    0 answers
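The question received no answers. Below is an added, framework-agnostic illustration (not an answer posted on this page, and not Laravel code) of the two security-relevant checks the question asks about: deriving the caller's identity from the bearer token rather than from the URL, so that `/user/12` can only ever return user 12's list to user 12, and whitelist-validating client-submitted fields with anchored, backtracking-free patterns before anything reaches the database. A small CORS helper shows the alternative to `*`: echoing one origin from an allowlist. All users, tokens, origins and patterns are constructed sample data; in Laravel the same structure maps onto the `auth:api` middleware, `$request->user()` and `$request->validate()`.

```python
"""Added example, not part of the original post. Plain Python, no framework.

Every user, token, origin and regex below is constructed for the example.
"""
import hmac
import re

# Constructed sample store. Tokens are opaque random strings mapped to a user
# id; they are never built from the id, so the URL never needs to carry them.
USERS = {
    12: {"email": "ana@example.com", "items": ["a", "b"]},
    13: {"email": "bo@example.com", "items": ["c"]},
}
TOKENS = {"tok-ana-constructed": 12, "tok-bo-constructed": 13}

# Anchored patterns with no nested quantifiers: they cannot be driven into
# catastrophic backtracking (ReDoS), which is the usual "regex is unsafe" point.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?[0-9]{8,15}$")
ZIP_RE = re.compile(r"^[0-9]{5}(-[0-9]{3})?$")  # constructed CEP-style format

# Constructed allowlist for the CORS helper.
ALLOWED_ORIGINS = {"https://app.awesome.example"}


def user_from_token(authorization_header):
    """Resolve the caller from 'Authorization: Bearer <token>'.

    Returns the user id, or None when the header is missing or unknown.
    Constant-time comparison avoids leaking token bytes through timing.
    """
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return None
    presented = authorization_header[len("Bearer "):]
    for token, uid in TOKENS.items():
        if hmac.compare_digest(token, presented):
            return uid
    return None


def get_user_items(path_user_id, authorization_header):
    """Handler for GET /user/{id}. Returns (status, body).

    Identity comes from the token; the path id only names the resource.
    The equality check is what stops user 12 from fetching /user/13.
    """
    caller = user_from_token(authorization_header)
    if caller is None:
        return 401, {"error": "unauthenticated"}
    if caller != path_user_id:
        return 403, {"error": "forbidden"}
    return 200, {"items": USERS[caller]["items"]}


def validate_profile(data):
    """Whitelist validation of client-submitted fields before a DB insert.

    Unknown keys are dropped, the required key is checked, optional keys must
    match their pattern. Returns (clean_dict, errors); clean_dict is None on error.
    """
    errors = {}
    email = data.get("email", "")
    if not isinstance(email, str) or len(email) > 255 or not EMAIL_RE.match(email):
        errors["email"] = "invalid email"
    phone = data.get("phone")
    if phone is not None and not (isinstance(phone, str) and PHONE_RE.match(phone)):
        errors["phone"] = "invalid phone"
    zip_code = data.get("zip")
    if zip_code is not None and not (isinstance(zip_code, str) and ZIP_RE.match(zip_code)):
        errors["zip"] = "invalid zip"
    if errors:
        return None, errors
    return {"email": email, "phone": phone, "zip": zip_code}, {}


def cors_headers(origin):
    """Echo one allowlisted origin instead of '*'.

    CORS is enforced by browsers only; a native mobile client sends no Origin
    header and is unaffected, so a tight allowlist costs the app nothing.
    """
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    print(get_user_items(12, "Bearer tok-ana-constructed"))
    print(get_user_items(13, "Bearer tok-ana-constructed"))
    print(validate_profile({"email": "x@y.com", "phone": "+5511999999999", "role": "admin"}))
    print(cors_headers("https://evil.example"))
```

Because the handler never trusts the path id for identity, the token does not have to appear in the URL at all, and refreshing it on every request is a separate policy choice rather than something this check depends on.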