You are on the right track using JWT. As for how secure it is, ask yourself: how do you send the data from the frontend, did you validate each of the given inputs or not, how and where is the token stored, and is the token static or does it have an expiration date that requires a refresh at each given interval?
To avoid a user updating another user's profile, you need to add more security layers like a model policy or gate, and check the sender ID against the requested data's owner ID (or user ID). Laravel has you covered with that in mind. Please refer to the docs.
You can also make a refresh token method (I believe it is already implemented in the JWT package) and add an expiration date for each given token, then refresh from the client side when it expires. It might seem like a bit of extra work, but it is recommended and considered good practice for security.
And you don't need to do Auth::check() all the time; just use the middleware provided by the plugin you are using, and use auth()->user() or Auth::user() to get the current authenticated user's data.
He who fights with dragons too long becomes a dragon himself; he who gazes too long into the abyss finds the abyss gazing back at him...
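The ownership check and the middleware-based authentication described in the answer above, as an added example (this is example code, not part of the original answer and not Laravel's own source). It assumes a Profile Eloquent model with a user_id column, an "api" guard backed by the JWT package with its auth:api middleware, Laravel's default policy auto-discovery (App\Models\Profile maps to App\Policies\ProfilePolicy), and, for the refresh route, the tymon/jwt-auth guard whose refresh() method issues a new token.

```php
<?php
// app/Policies/ProfilePolicy.php  (assumed path; example, not project code)
namespace App\Policies;

use App\Models\Profile;
use App\Models\User;

class ProfilePolicy
{
    // Authorisation decision for updating a profile: the authenticated
    // user (taken from the verified JWT, never from the request body)
    // must be the owner recorded on the requested row.
    public function update(User $user, Profile $profile): bool
    {
        return $user->id === $profile->user_id;
    }
}

// app/Http/Controllers/ProfileController.php  (assumed path)
namespace App\Http\Controllers;

use App\Models\Profile;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

class ProfileController extends Controller
{
    // Weak pattern to avoid: trusting an id supplied by the client, e.g.
    //   Profile::find($request->input('profile_id'))->update($request->all());
    // Any authenticated user could then rewrite any profile (an IDOR).
    public function update(Request $request, Profile $profile)
    {
        // Throws an AuthorizationException (HTTP 403) unless
        // ProfilePolicy::update() returns true for the current user.
        Gate::authorize('update', $profile);

        // Validate every field the client is allowed to send; user_id is
        // deliberately not in this list, so the owner cannot be changed.
        $data = $request->validate([
            'display_name' => ['required', 'string', 'max:50'],
            'bio'          => ['nullable', 'string', 'max:500'],
        ]);

        $profile->update($data);

        return response()->json($profile);
    }
}

// routes/api.php  (assumed path)
namespace App\Routes;

use App\Http\Controllers\ProfileController;
use Illuminate\Support\Facades\Route;

// auth:api rejects requests with a missing, invalid or expired token before
// the controller runs, so no Auth::check() is needed in the controller.
Route::middleware('auth:api')->group(function () {
    Route::put('/profiles/{profile}', [ProfileController::class, 'update']);

    // Client-side refresh target: returns a fresh token for the current
    // user (assumes the tymon/jwt-auth guard; refresh() is its method).
    Route::post('/auth/refresh', function () {
        return response()->json(['token' => auth('api')->refresh()]);
    });
});
```

The policy is keyed on the record's user_id, so the check holds no matter which profile id the client puts in the URL; the only thing the client controls is which row is loaded, and the policy decides whether that row may be touched.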