
I have a Laravel-based API which handles both client and admin endpoints (there are two sites, like domain.com and admin.domain.com). My auth is cookie-based, and the cookie's domain is .domain.com. As you can see, this cookie is accepted by both domains.
I use Eloquent API Resources as the data transformation layer. Is my when() route check here safe and right?

namespace App\Http\Resources;

use Illuminate\Http\Resources\Json\JsonResource;

class UserResource extends JsonResource
{
    public function toArray($request)
    {
        return [
            'name' => $this->name,
            'created_at' => (string) $this->created_at,
            // 'status' is only included when the current route is the admin users index;
            // when() returns a MissingValue otherwise, and the key is dropped from the response.
            'status' => $this->when($request->route()->getName() === 'api.admin.users.index', $this->status),
        ];
    }
}

Before, I used $this->when(Auth::check(), ...), but because my auth cookie is accepted by the client site too, unneeded data might be fetched. My route:

// All routes in this group are named 'api.admin.*' and require an authenticated API user.
Route::group(['prefix' => 'admin', 'as' => 'api.admin.', 'middleware' => 'auth:api'], function () {
    Route::resource('users', ...);
});

If the user is not authorized, he wouldn't get the data because of the middleware. At the same time, an authorized user (who has a non-expired cookie) wouldn't get unneeded data while on the client site.
Thank you!

  • I guess you have an additional login criterion available to identify admins - why not use this one here as well? Commented Jul 24, 2018 at 19:01
  • @Namoshek at the moment authorized user = admin. I don't even have role-based access control. So I can't check for user role or user auth status. Commented Jul 24, 2018 at 19:04
  • Why distinguish within the output at all then? Maybe come back later to this feature when you have implemented role-based authentication and there is a proper way for you to differentiate between users and roles. -- But to stay on topic, I added a short answer. Maybe it helps you out. Commented Jul 24, 2018 at 19:29

1 Answer

I think your approach is fine. The route name is something internal and the user cannot tinker with it. You could improve it by using \Route::is('api.admin.*') though. It would then work for all of your admin API routes.
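As an added example (not code from the question or the answer), here is the resource rewritten with the wildcard route-name check the answer suggests, together with a PHPUnit test that feeds it two fake named routes without booting the router or a database. The class names UserResource and UserResourceStatusTest and the client route name 'api.users.index' are assumptions.

```php
<?php
// Added example: route-name gated attribute in an Eloquent API Resource, plus a
// unit test. UserResource and the client route name 'api.users.index' are assumed.
namespace App\Http\Resources;
use Illuminate\Http\Resources\Json\JsonResource;
class UserResource extends JsonResource
{
    public function toArray($request)
    {
        // routeIs() matches the current route name against wildcard patterns, so every
        // route registered under 'as' => 'api.admin.' qualifies, not only users.index.
        // It is equivalent to \Route::is('api.admin.*') but reads from the request.
        $onAdminRoute = $request->routeIs('api.admin.*');
        return [
            'name'       => $this->name,
            'created_at' => (string) $this->created_at,
            // when() yields a MissingValue for a false condition and resolve() strips
            // the key, so responses served on client routes never carry 'status'.
            'status'     => $this->when($onAdminRoute, $this->status),
        ];
    }
}

namespace Tests\Unit;
use App\Http\Resources\UserResource;
use Illuminate\Http\Request;
use Illuminate\Routing\Route;
use PHPUnit\Framework\TestCase;
class UserResourceStatusTest extends TestCase
{
    private function requestOnRoute(string $name): Request
    {
        $request = Request::create('/api/users', 'GET');
        // Attach a named route directly, so $request->route() behaves as in a real request.
        $request->setRouteResolver(fn () => (new Route('GET', '/api/users', []))->name($name));
        return $request;
    }

    public function test_status_appears_only_on_admin_routes(): void
    {
        // Constructed sample record; a plain object is enough for JsonResource.
        $user = (object) ['name' => 'alice', 'created_at' => '2018-07-24', 'status' => 'active'];
        $admin  = (new UserResource($user))->resolve($this->requestOnRoute('api.admin.users.index'));
        $client = (new UserResource($user))->resolve($this->requestOnRoute('api.users.index'));
        $this->assertSame('active', $admin['status']);
        $this->assertArrayNotHasKey('status', $client);
    }
}
```

Note that the route-name check only controls what each endpoint serializes; because the cookie is valid for both hosts, the auth:api middleware on the admin group is still what decides who may call those endpoints at all.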
