Laravel issue with security in profile page

  angular, authentication, jwt, laravel, middleware

I have been having problems with my site in Laravel for some time. I have an Angular frontend and I’m using an API to query the specific user’s data so that a specific user can change his data on his profile page. With that said, I obviously don’t want unauthorized people to be able to go to other profile pages to change their data as well.

For example:
On my page, with the URL .../user/1 the user can query his data. The problem with this is: if you change the 1 in .../user/1 to .../user/2, for example, the person can access the data of the person with id 2.

I tried the following:
In my api.php:

Route::middleware('auth:api')->get('/user', function (Request $request) {
    return $request->user();
});

// Get Specific User
Route::get('user/{id}', '[email protected]')->middleware('auth');

Unauthorized users can no longer access the profile page, but all authorized users can access all other users and change their data.

I also tried: $id = Auth::id(), but this returns: Attempt to read property "id" on null

The problem seems to me to be quite complicated, as I somehow need the id of the user currently logged in and need to make sure they can’t access other users’ ids. Do you have any idea how I could best do this?

I am using Laravel 8

Thanks a lot!
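
The situation described in the question is a missing object-level authorization check: the `auth` middleware proves who the caller is, but nothing compares the `{id}` in the URL with that caller. The following is an added example, not code from the original post, showing two ways to close the gap in `routes/api.php`. It assumes the JWT is authenticated by the `api` guard and that `name` and `email` are the editable profile fields; both are assumptions, not taken from the post.

```php
<?php
// routes/api.php (added example; guard name and field names are assumptions)

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Every route in this group requires a token accepted by the `api` guard,
// so $request->user() is never null inside the closures.
Route::middleware('auth:api')->group(function () {

    // Option 1: no id in the URL. The subject is taken from the verified
    // token, so there is no client-supplied identifier to tamper with.
    Route::get('/user', function (Request $request) {
        return $request->user();
    });

    Route::put('/user', function (Request $request) {
        // Accept only the fields a user may change about themselves.
        $data = $request->validate([
            'name'  => ['sometimes', 'string', 'max:255'],
            'email' => ['sometimes', 'email', 'max:255'],
        ]);

        $request->user()->update($data);

        return $request->user()->fresh();
    });

    // Option 2: keep /user/{id} for the frontend, but reject any id that
    // is not the caller's own. The comparison runs before any database
    // lookup, so existing and non-existing foreign ids both return 403.
    Route::get('/user/{id}', function (Request $request, string $id) {
        abort_unless(
            $id === (string) $request->user()->getAuthIdentifier(),
            403
        );

        return $request->user();
    })->where('id', '[0-9]+');
});
```

To check the fix, request `/api/user/2` with a token issued to user 1 and confirm the response is 403 rather than user 2's record.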

Source: Laravel
