I am using Laravel 8 as backend and Angular 11 as frontend. I want to pass three parameters to Laravel with an API from my frontend after a purchase using the url. This will look like this: .../{user_id}/${track_id}/${price_id}. I don't know if it's the best way to confirm a purchase, but unfortunately I don't know of any other, even after a lot of research. The only problem with it is that it would be very vulnerable and one could just write in any numbers with e.g. Postman, so the products would end up in their accounts.

Now I tried in my api.php:

Route::post('addTrackusers/{user_id}/{track_id}/{track_pice}', 'App\Http\Controllers\trackusersController@addTrackusers')->middleware(['auth:api', Payout::class]);

With the help of this route I get the required three parameters. After that, however, I want to use middleware to prevent unauthorized users from passing any parameters that haven't bought anything:

Middleware/Payout.php

    public function handle($request, Closure $next)
    {
        $user = auth()->user();
        if ($request->id != $user->id) {
            abort(403, 'Unauthorized action');
        } else {
            return $next($request);
        }
    }

I'm really not sure how to fix the problem. My thought was to pass the three parameters and compare if they belong to the current user.

But also the current user could just enter his token in Postman, then he would be authorized to pass three parameters. I would really appreciate any advice or how best to fix this.

Thanks a lot!

CodePudding user response：

This should work:

public function handle($request, Closure $next)
    {

        if ($request->user_id !== auth()->user()->id) {
            abort(403, 'Unauthorized action');
        }
        
        return $next($request); 
    }

In your url, you don't have $id, but $user_id