
Replace the API key with a cookie-based JWT

Open jbassagana opened this issue 1 year ago • 0 comments

A rather basic authentication mechanism has recently been implemented consisting of an X-Api-Key HTTP header which is sent by the web browser to the API server in each request. CORS has been successfully set up in the NGINX web server as well as in the Symfony application.

All API endpoints are now supposed to block queries from any user agent other than a web browser; for example, cURL or Postman. However, in reality, the network traffic can be monitored using the developer tools of any modern browser.

Figure 1. The API key is sent by the web browser in an X-API-key HTTP request header.

The API key can be easily obtained by a malicious user for further use in cURL queries. It is more convenient to store a JWT in a cookie as a temporary user credential in order to limit how the API is used.

Happy coding!

jbassagana · Jan 24 '24 15:01