Passing logged user id to backend

Time:06-30

I have been wondering what the correct way is to handle authorized requests on my Symfony backend. Whenever the user id is necessary while executing a request on the backend, is it better practice to receive it from the frontend or just get it itself on the backend? There is also a third option: to take it from the request body and do backend validation. Thanks in advance.

CodePudding user response:

I think you can use a generated user token. And you should not use the user ID. The idea is to use a token linked to the user and re-generate that token every time the user logs in.

There are a few best practices and a lot of ready-made bundles/solutions for any framework.

Please read about "Bearer Authentication" and about "JWT token authentication"; below are a few links.

JWT authentication is kind of a standard way. It has good support from Postman, for example.

API Platform has good support for JWT authentication too, but it might not be the best bundle for starting, because it has its own restrictions and it is sometimes not easy to use. But when you know it well, it does help you a lot with starting a new application.

So, my advice is to use JWT. Or, if you want, you can create your own solution and your own way to generate user tokens.

https://symfony.com/bundles/LexikJWTAuthenticationBundle/current/index.html

https://swagger.io/docs/specification/authentication/bearer-authentication

https://symfony.com/doc/current/the-fast-track/en/26-api.html
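
An added example (not part of the answer above and not code from Symfony or any bundle), in plain PHP: the backend takes the user id only from a signed bearer token issued at login and ignores any `user_id` the client puts in the request body. `DEMO_KEY`, the function names and the sample request are assumptions made for the illustration; in a Symfony application a bundle such as LexikJWTAuthenticationBundle, linked above, would issue and verify the tokens.

```php
<?php
declare(strict_types=1);

// Constructed demo key (assumption); a real key comes from protected configuration.
const DEMO_KEY = 'constructed-demo-key-not-for-production';

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64urlDecode(string $txt): string
{
    $padded = $txt . str_repeat('=', (4 - strlen($txt) % 4) % 4);
    return (string) base64_decode(strtr($padded, '-_', '+/'), true);
}

// Called once per successful login, so every login yields a fresh token.
function issueToken(int $userId, int $ttl = 3600): string
{
    $head = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $body = b64url(json_encode(['sub' => (string) $userId, 'exp' => time() + $ttl]));
    return "$head.$body." . b64url(hash_hmac('sha256', "$head.$body", DEMO_KEY, true));
}

// Identity comes only from the verified token; $jsonBody is never consulted for it.
// The signature is always checked as HS256 with the server key, whatever the header says.
function authenticatedUserId(array $headers, array $jsonBody): ?int
{
    if (!preg_match('/^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/', $headers['Authorization'] ?? '', $m)) {
        return null; // missing or malformed Authorization header
    }
    [, $head, $body, $sig] = $m;
    $expected = b64url(hash_hmac('sha256', "$head.$body", DEMO_KEY, true));
    if (!hash_equals($expected, $sig)) {
        return null; // signature mismatch: forged or modified token
    }
    $claims = json_decode(b64urlDecode($body), true);
    if (!is_array($claims) || !isset($claims['sub']) || ($claims['exp'] ?? 0) < time()) {
        return null; // unreadable, subject-less or expired token
    }
    return (int) $claims['sub'];
}

// Constructed request: the token belongs to user 42, the body claims user 7.
$headers = ['Authorization' => 'Bearer ' . issueToken(42)];
$jsonBody = ['user_id' => 7, 'comment' => 'hello'];
var_dump(authenticatedUserId($headers, $jsonBody));
var_dump(authenticatedUserId(['Authorization' => $headers['Authorization'] . 'x'], $jsonBody));
```

The first call resolves the user from the token and never reads the `user_id` field in the body; the second call, with one character appended to the signature, is rejected.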
