Note: While my stack consists of Laravel (4/5) and AngularJS, I don't want this discussion to become a language or framework flame war; let's keep it respectable.
I would love the result of this to become an incredibly helpful blog post & guide.
Hi guys, I'm currently in the throes of (among other things) writing a client-side application to interact with an API (that I control). There are a few things that confuse me, and I'd love to start an open discussion on the best patterns to use when building client-side applications in order to achieve some of the following:
Authenticating for a client-side application.
That means that no information that should not be shown to the user (tokens, application keys) is visible or hard-coded into the javascript or HTML.
Currently, my application uses a cookie to store a user's API key after an initial call to a secure authorisation endpoint, but the idea would be to move to OAuth in the future. Are cookies the way forward?
What is the best way to ensure that only 1st-party mobile/web applications have access to certain 1st-party private API methods (for data that can't be processed on the client)?
Is there anything else that anyone frequently forgets to do when building an API for consumption by a client-side framework, or are there things people often miss when building their first client-side app? I'd love to hear about them.
Code examples are encouraged and appreciated!
Re: Private methods
CORS is probably your friend here. I would create a route filter and route group for routes that should only be accessible via your 1st-party web/mobile apps. For web, it'd just be a matter of specifying which domains can access these routes through CORS. For mobile (if it's a native app), you might need to create a secret key that gets passed as a header or something.