Prevent users from accessing app via browser
I’ve got an Electron app that’s essentially a web app under the hood, and I want to make sure users can only access it through the app itself, not by opening it in a browser. Right now, I’m trying to enforce this on the frontend, but some users are bypassing it and accessing the app through their browsers, which I want to prevent. Could you help me figure out how to stop this from happening and make them go via the Electron app?
Let me know other servers where I may ask this question rather than in here with the non filament tag (:
You could use the userAgent, so in Electron set the useragent to a custom string, like my-app, then use middleware in Laravel to check the userAgent in the request
but this can be bypassed easily, am I right?
the user can just set it up with a script in the frontend, no?
it depends, if you prevent your electron app from accessing any other URL, it's more difficult to get the user agent
you can even set a custom header
hmm okay, also, the thing is that the mobile devices should be able to access it via browser
so users can bypass it by simulating they are a mobile device
ah that's a different situation
so how would it change?
Since you allow multiple apps to connect, a regular mobile browser and your electron app. If it were just the electron app, setting a header var would be sufficient. But because you also want to allow browser apps, setting something in the header is not possible.
why is not possible?
I’m so interested in why you need this use case
cuz with electron u can access system stuff, while u can't using a browser
basically the do not disturb mode or something like that
And the mobile web version?
Anyhow, check for electron with custom headers, and do some device fingerprinting to check it’s really mobile and not spoofed
If you really think your users would go so far as to spoof user agents for some reason
not sure, but we need to let users access the app via mobile too
but the custom headers can be spoofed anyways no?
like, I can simulate it? like my user agent
So why don’t you just make a mobile version with a web view, same as you did with electron
Headers should be electron -> Filament app
you can generate keys on every request or something, there are a million ways to do this
that would do the trick I guess yeah, but anyways from a desktop I would be able to change my headers simulating I'm an android device for example, if I'm not wrong
do some fingerprinting
device size
wdym filament app?
touch size
pixels
ye but what would the workaround be?
what do you mean
like, I generate a key for a request and then what do I do with it?
send it to the frontend, so it gives it back to me in next request?
or what do u mean?
check that it's valid so you can confirm it comes from electron and not the web
brb have a meeting, we can pick some ideas apart later
sure 🙌
not sure how
Everything you send over the wire can be spoofed somehow unless you encrypt it.
Is it a real security concern? Or just convenience for the users?
just convenience for the users
what u got in mind 👀 ?
Nothing new. If it's just convenience, why bother with spoofing? If users add HTTP Headers or User Agents to access a web app that only works in Electron mode and they can't do any harm, who cares?
ye I'm with u, yeah but they want to prevent it 🤷‍♂️
Prevent it or have a "100% secure option"?
Don't overthink it
prevent it, I guess
So I think a header or user-agent is a viable option.
so what would the workaround for that be? how would u set it up?
Uhm what do you mean? Add a user agent or a header for the electron app. Or is that not possible?
I'm not sure where to start. like, in the Laravel API, set up a middleware so it expects the electron header to be present?
but the user can manipulate it anyways and simulate they are in the electron app but they are in the browser, no?
Yes. That's why I am asking whether it needs to be 100% secure. But you said, it's just for convenience 😅
okay haha. and then, if I tell u it has to be 100% secure? 👀
just to know what u would do
it actually doesn't need to be 100% secure
I don't think that's possible 😅
(,:
that is what I like and dislike at the same time about web dev
like, u can customize the frontend as u want as end user
but at the same time, as the developer, u can't have real control over the frontend
I don't understand. Why wouldn't you have control over the frontend if you are the dev? 🤔 And how is this related to your issue? 😅
I meant that the end user can modify the HTML n stuff, not sure if I explain myself
it relates to the issue cuz the user can modify the HTML I guess
You can also modify native software if you know how to do it. It's more work, but nothing is safe 😅
yeah that's true too xd