I started recently working on a personal project with Laravel as an API and AngularJS for the frontend. It is the first time I design an API myself and everything I do, is through tutorials and videos.

I ended up with a question in my head about security and url manipulation, but I understand that it could be a generic question, so I will use specific examples and create other questions with different cases.

Let's say that I have a point system in my web app where after a specific action, I have to give points to the user.

First, we have the AngularJS code as a service:

PointsServices.$inject = ['$http', '$cookies', 'API_Base']; function PointsServices($http, $cookies, API_Base) { var service = this; service.addPoints = function(points, onSuccess, onError) { $http.get(API_Base + 'user/addpoints?points='+points, { headers: { 'Authorization': 'Bearer '+$cookies.get('token')} }). then(function(response) { onSuccess(response); }, function(response) { onError(response); }); } }

It is just a service where it gets the number of points to insert on the user. Then it takes from the cookies the JWT token and add it to headers for backend authentication. Let's go now on the backend with Laravel:

class PointsController extends Controller { public function addPoints(Request $request) { $user = \Helpers::getUserFromToken(); $points = $request->input('points'); $user->points += $points $user->save(); return response()->json(['message' => 'User's points added', 'status' => '200']); } }

And the \Helpers::getUserFromToken(); is a helper function with JWT where I authenticate the user like this:

public static function getUserFromToken() { $token = JWTAuth::parseToken(); try { if (!$user = $token->authenticate()) { return response()->json(['user_not_found'], 404); } } catch (Tymon\JWTAuth\Exceptions\TokenExpiredException $e) { return response()->json(['token_expired'], $e->getStatusCode()); } catch (Tymon\JWTAuth\Exceptions\TokenInvalidException $e) { return response()->json(['token_invalid'], $e->getStatusCode()); } catch (Tymon\JWTAuth\Exceptions\JWTException $e) { return response()->json(['token_absent'], $e->getStatusCode()); } return $user; }

And now, let's wear the hat of the evil user. I open the developer console and go on the network tab, or just on the source code. I check the exact url that the app uses and take the token from the cookies or local storage or directly from the headers after a successful call. Then, I use postman or any other software to call the API with the token of my user account as:

First case:

Add any number of points on my account directly from the url by changing the value of points variable. Instead of changing the points variable, I write a script where once every 5-10 or random minutes, I just call the API url to give me just one point.

How should I avoid those cases of url manipulation and what I can do, in specific for Laravel 5 and AngularJS 1.5?