# Laravel API (Sanctum/Passport)
29 messages
They only pass a param for the form_id so that the submitted information is saved to that form; however, this would be vulnerable since anyone is able to inspect element, steal their ID and spam/abuse it with gibberish on their own website
check JWT
- login user
- get token
- send this token with every request to API
- API checks this token and allows/denies the request
https://laravel.com/docs/10.x/sanctum
So the user would need to generate a token on my Laravel project, then use this on each request to the API
However, this brings me back to step 1: anyone is able to copy/paste the token when the user uses axios, for example, through the client
Well, that's the point of keeping your API tokens a secret. If you issue an API token for an organization, they're accountable for keeping that secure.
What you can do though is add further "checks", such as validating that the incoming request is from a whitelisted IP address, etc.
Or that the token is linked to the org they're trying to make changes to; that's authorization
Right, that's what I had in mind; however, this would require some techy knowledge on the organization's side
Well, yes... But the second you say "API key" to an org it's already techy
Exactly, that's why I thought there was a possible workaround, since it's hard to guess what type of framework the org uses
However, I stumbled upon fruitcake/laravel-cors
That package is outdated and built into the framework.
It's included in the framework?
Ahh makes life even easier
In that case I'll just either whitelist IPs, or let anyone hit the API
Whitelisting IPs would require contact with the orgs, because you'd need to know what IP addresses they would submit from
And also if their IP changes, it needs to be updated
(Without knowing the actual grand plan of your app)
I take back what I said
We use IP validation in our company, and we have a constant issue with orgs getting new IP addresses
Will probably stick with Formspree's idea
I haven't used Formspree, but I am pretty sure you have a dashboard there where you also whitelist domains/IP addresses...
Otherwise the issue is like you said, anyone can "steal" your token and just use it
But it doesn't matter that the token is public if it requires the owner of that token to whitelist
Haven't managed to find that; possibly a premium feature
Yeah, I believe it's a forever-loop issue; the best way to work with it is to make it an open API, allow requests from anywhere and have the org manually accept or decline records to be made, for example