
Missing api_token and user_id check in Local Storage

Open ghost opened this issue 7 years ago • 2 comments

Hey,

I found a bug when you change the api_token and the user_id in local storage. I do not know how to fix this. Try it yourself: change the api_token and reload the page. You are still logged in, but the api_token isn't the same as the one in the database. Or try it with the user_id; you can change it to whatever you want. That's bad practice. Is there any way to remove this bug?

ghost avatar May 26 '17 08:05 ghost

@Creazed thanks for opening the issue.

You are seeing this issue because the code is not checking for a logged-in user on every request.

It will only look for the auth user when you create, edit or delete recipes:

public function __construct()
{
    // Require a valid api_token (auth:api guard) for every action of this
    // controller except the public listing and detail pages.
    $this->middleware('auth:api')
        ->except(['index', 'show']);
}

And also I forgot to add the axios interceptor in the video, but I added it on GitHub.

The code below will check for 401 when you try to create, edit or delete with a fake api_token or user_id:

// Axios response interceptor, registered once from inside a Vue component
// (arrow functions keep `this` bound to the component, so this.$router works).
// Auth and Flash are the project's own helper objects.
axios.interceptors.response.use(
    response => response,
    (err) => {
        // Network errors carry no response object; only inspect status when present
        const status = err.response ? err.response.status : null

        if (status === 401) {
            // Server rejected the token: drop the stale local auth state, go to login
            Auth.remove()
            this.$router.push('/login')
        }

        if (status === 500) {
            Flash.setError(err.response.statusText)
        }

        if (status === 404) {
            this.$router.push('/not-found')
        }

        // Re-throw so the caller's own catch() still runs
        return Promise.reject(err)
    }
)

What you are saying is correct, but fake users cannot perform any CRUD operations.

To solve this you have to write a custom auth middleware and apply it to all API requests, so that it validates every request that contains an api_token or user_id.

If you have better idea please tell me.

codekerala avatar May 26 '17 09:05 codekerala
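One way to implement the custom middleware suggested in the comment above. This is an added example, not code from the Recipe Box project: it assumes a Laravel 5.4-era app with a `users.api_token` column and the `auth:api` token guard shown in the controller snippet; the class name `ValidateApiIdentity`, the `api.identity` alias and the `/user` route are hypothetical. The point is that nothing stored in the browser's localStorage is trusted: the token must resolve to a user on every request, and any `user_id` the client sends must equal the id the token resolved to.

```php
<?php
// Added example (not the project's code): Laravel middleware that re-validates
// the api_token and user_id carried by every API request, so values edited in
// localStorage are rejected server-side instead of being silently accepted.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class ValidateApiIdentity   // hypothetical class name
{
    public function handle(Request $request, Closure $next)
    {
        // The token guard resolves the api_token (query/body parameter or
        // Bearer header) against users.api_token. A token altered in the
        // browser matches no row, so user() is null.
        $user = Auth::guard('api')->user();

        if ($user === null) {
            // The SPA's interceptor clears local state on 401 and redirects to login.
            return response()->json(['error' => 'Unauthenticated.'], 401);
        }

        // Never trust a client-supplied user_id: it must match the user the
        // token resolved to. A mismatch means localStorage was tampered with.
        if ($request->has('user_id')
            && (int) $request->input('user_id') !== (int) $user->id) {
            return response()->json(['error' => 'user_id does not match api_token.'], 403);
        }

        // Make the authenticated user available as $request->user() downstream,
        // so controllers take the author from the token, not from the payload.
        $request->setUserResolver(function () use ($user) {
            return $user;
        });

        return $next($request);
    }
}

// --- Wiring (hypothetical aliases, shown as comments) ---------------------
//
// app/Http/Kernel.php, in $routeMiddleware:
//     'api.identity' => \App\Http\Middleware\ValidateApiIdentity::class,
//
// routes/api.php: apply it to every route that takes a token, including a
// cheap endpoint the SPA can call on page load to confirm the stored token
// is still valid (a 401 here triggers the interceptor and clears storage):
//     Route::middleware('api.identity')->group(function () {
//         Route::get('/user', function (Request $request) {
//             return $request->user();
//         });
//         Route::resource('recipes', 'RecipeController')
//             ->except(['index', 'show']);
//     });
```

With this in place, the client still keeps `api_token` and `user_id` in localStorage for convenience, but neither value has any authority: a changed token gets 401 on the first request (the interceptor then logs the user out), and a changed `user_id` gets 403. Controllers that create or edit recipes should read the owner from `$request->user()->id` rather than from the submitted `user_id`, which removes the last reason to trust that field at all.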

It would be very nice if you could add the code on GitHub. Well, I have no other solution yet, but I will figure out how to resolve this problem.

ghost avatar May 26 '17 09:05 ghost