#API Security

XinAdmin builds a complete API security system through middleware chains, annotation routing, request validation, and exception handling.

#Route Middleware

All protected API routes use triple middleware:

// Standard protected route
Route::get('/system/user', [SysUserController::class, 'index'])
    ->middleware(['auth:sanctum', 'authGuard', 'abilities:system.user.query']);

#AnnoRoute Annotation Routing

XinAdmin provides an AnnoRoute annotation routing system that auto-registers routes and permission middleware via PHP 8 attributes, avoiding manual route definition and middleware configuration:

#[RequestAttribute('/system/user', 'system.user')]
class SysUserController
{
    #[GetRoute(authorize: 'query')]
    public function index() { ... }  // Auto-applies abilities:system.user.query

    #[PostRoute(authorize: 'create')]
    public function store() { ... }  // Auto-applies abilities:system.user.create

    #[PutRoute(authorize: 'update')]
    public function update() { ... } // Auto-applies abilities:system.user.update

    #[DeleteRoute(authorize: 'delete')]
    public function destroy() { ... } // Auto-applies abilities:system.user.delete
}

#Annotation Parameters

RouteRegisterService scans all annotated controllers on boot, automatically calling Laravel route registration with ['auth:sanctum', 'authGuard', 'abilities:{prefix}.{authorize}'] middleware attached.

#Unauthorized Access Handling

When a user's token lacks the required permission, ExceptionsHandler catches MissingAbilityException and returns:

{
  "success": false,
  "showType": 2,
  "msg": "No Permission"
}

Other security-related exception handling:

#CORS Security

Global CORS middleware AllowCrossDomainMiddleware:

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With, User-Language
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 1800

OPTIONS preflight requests receive a 204 status code. CORS headers are also duplicated in the exception handler as a safety net.

#Request Validation

All form requests extend BaseFormRequest, providing unified validation rules:

Validation failure response:

{
  "success": false,
  "showType": 1,
  "msg": "First validation error message"
}

#Adding a Protected API Endpoint

Steps to add a new protected endpoint to the system:

1. Add a permission rule record

Insert a new record in sys_rule with type=rule and the corresponding permission key, e.g., my.module.action.

2. Define the route with middleware

Route::post('/my-module/action', [MyController::class, 'action'])
    ->middleware(['auth:sanctum', 'authGuard', 'abilities:my.module.action']);

3. Add frontend permission control

<AuthButton auth="my.module.action">
  <Button>Action</Button>
</AuthButton>

#Production Security Recommendations