Authorizations
Laravel Rest Api exposes a lot of information and it is crucial for your applications to secure the access to resources. Thankfully, Laravel Rest Api seamlessly integrates with Laravel, ensuring a straightforward approach to securing your API.
Laravel Passport
, Laravel Sanctum
or make your own.Policies
To restrict access to viewing, creating, updating, or deleting resources, Laravel Rest Api leverages Laravel's authorization policies.
Basically, if your model is associated with a policy in your AppServiceProvider
, Laravel Rest API will automatically use it, requiring no further configuration.
This concerns the following methods:
- viewAny
- view
- create
- update
- replicate
- delete
- restore
- forceDelete
For example, to determine which users are allowed to view a User model, you simply need to define a view
method on the model's corresponding policy class:
<?php
namespace App\Policies;
use App\Models\User;
use Illuminate\Auth\Access\HandlesAuthorization;
class UserPolicy
{
use HandlesAuthorization;
/**
* Determine whether the user can view the user.
*
* @param \App\Models\User $user
* @param \App\Models\User $model
* @return mixed
*/
public function view(User $user, User $model)
{
return $user->is($model);
}
}
Disable Authorizations
By default, authorizations are enabled but you can disable them in certain situations.
Globally
In your config/rest.php
file, you can directly specify to disable this feature:
[
// ...
'authorizations' => [
'enabled' => false, // Switch this to false
]
// ...
]
Resource
If you want to disable this feature for certain resources only, you can use the DisableAuthorizations
trait on your resource file:
class UserResource extends Resource
{
use \Lomkit\Rest\Concerns\Resource\DisableAuthorizations;
// ...
}
Cache
In order to make Laravel Rest Api faster, authorizations are cached automatically.
Cache key
By default, caches is proper to each authenticated user and resource. If you want to change this behavior, please override the getCacheKey
method in your resource:
class UserResource
{
/**
* Get the authorization cache key.
*
* @param RestRequest $request
*
* @return string
*/
public function getAuthorizationCacheKey(RestRequest $request, string $identifier)
{
$class = Str::snake((new \ReflectionClass($this))->getShortName());
return sprintf(
'rest.authorization.%s.%s.%s',
$class,
$identifier,
$request->user()?->getKey()
);
}
}
Cache time to live
Cache is by default persisted for 5 minutes, if you want to change this feature:
Globally
In your config/rest.php
file, you can directly specify the number of minutes for the cache:
[
// ...
'authorizations' => [
'cache' => [
'default' => 5 // Cache minutes by default
],
],
// ...
]
Resource
If you want to adjust this in your resource, please add the cacheFor
method in your resource:
class UserResource
{
/**
* Determine for how much time the cache should be keeped.
*
* @return \DateTimeInterface|\DateInterval|float|int|null
*/
public function authorizationCacheFor()
{
return now()->addMinutes(5);
}
}
Disable cache
Globally
If you want to disable it globally, change your config in the rest.php
file
<?php
return [
/*
|--------------------------------------------------------------------------
| Rest Authorizations
|--------------------------------------------------------------------------
|
| This is the feature that automatically binds to policies to validate incoming requests.
| Laravel Rest Api will validate each models searched / mutated / deleted to avoid leaks in your API.
|
*/
'authorizations' => [
'cache' => [
'enabled' => false, // Set this to false
],
],
]
Resource
If you want to disable this feature for certain resources only, you can use the DisableAuthorizationsCache
trait on your resource file:
class UserResource extends Resource
{
use \Lomkit\Rest\Concerns\Resource\DisableAuthorizationsCache;
// ...
}