LaSalle Software News #19: Signed and Sealed Client Server

Thursday March 1st, 2018


Episode Summary


Welcome to my nineteenth LaSalle Software News podcast.

This is Bob Bloom from Toronto Canada. 

Today is Thursday, March 1st, 2018. 

I publish LaSalle Software News monthly, at the top of the month except for September, to update you on my LaSalle Software. 

---

A longstanding client has a number of WordPress clients, and in February there were more issues than usual to look into.

WordPress is not a “fire and forget” technology. You cannot set up a WordPress site, and then just leave it alone except for the odd new blog post.

As a public service announcement, I remind you that:

  • It is important to update your theme, plugins, and WordPress itself. Sometimes this updating is straightforward, sometimes it is not.
  • It is important to back up your WordPress site.
  • It is important to remove unused themes and plugins.
  • It is important to not archive unused websites in the webroot.
  • It is important to store backups off the webroot.
  • It is important to keep your commercial licenses up-to-date.

---

Obviously, I decided to get into web applications instead, using the fabulous Laravel Framework. I am very happy that I did, and very happy that I am working on my second LaSalle Software version, despite the length of time it is taking.

API security is something I’ve been studying, if not something that I’ve been understanding. Last month was an excellent month of learning, ending with a pretty good idea of how I will implement API security in my LaSalle Software.

As LaSalle Software will implement a microservices architecture, API security is a huge deal. Instead of building one big web app, I will have small separate apps — in the form of APIs — executing distinct functions. These APIs will be completely separate from each other, deployed separately, maintained separately.

My last major question about API security is the question of how to ensure that the API talking to another API is the actual genuine API, and not a spoof. Or that the API is genuine, but the data was intercepted in transit.

Laravel has a package for setting up an OAuth2 server called Passport. Underneath Passport is the League’s OAuth2 server package. I’ve gone through the source code of both a few times. Then I saw that there is a downloadable demonstration of Passport, created by Laravel Daily. This demo contains two complete Laravel apps. One is the OAuth2 server, and the other is a complete app that calls the OAuth2 server — aka “The Client”. I set up both the server and the client on a fresh Digital Ocean droplet, each on its own domain (domains that I own but are not in use), set up on Forge. Basically, I set up the client and the server as real Laravel web apps, so I can see the demo in action. And, of course, I can mess with the code and see the database as it changes.

Thank you to Laravel Daily! This demo is a big help in seeing the flows in action. The client is powered by VueJS, which makes sense, except that I need to see the interaction with the server in standard Laravel. So I figured out how the client calls the server in a Laravel controller — specifically, the post-login call to fetch the data from the server to list in the client. I have more messing around and figuring out to do, but I’m now way ahead in understanding this aspect of API security.

Something else I did was print out the JSON Web Token handbook from JWT.io. Well, the first six chapters, because the rest of the handbook delves into the encryption algorithms. It helped to study the print version.

At a recent Laravel Toronto meet-up, SoapBox, a rock solid Laravel Toronto sponsor for many years, presented an in-house API security solution they developed, which includes an open source package. I studied the presentation and library, with the idea of asking questions about them at this week’s Laravel Toronto meet-up. What a help it was to just get up in front of the group and voice my questions. I don’t know what it is about just vocalizing it, but that in itself helped. Then I asked some questions, and the answer I was looking for came back as a question. The question was: “do you control both ends?”. Do I control both the client app and the API? The answer is yes. Controlling both ends means I can seed each side with a secret key, and then use that secret key to encrypt and decrypt the JWT.
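The “control both ends” idea above, as an added illustration that is not code from this podcast, from Laravel Passport, or from the SoapBox package: a language-neutral Python sketch in which the client app mints a JWT with a secret seeded on both sides and the API verifies it with the same secret. It assumes an HMAC-signed (HS256) JWT rather than an encrypted JWE; the secret value, claims and timestamps are constructed placeholders. The signature check is what distinguishes the genuine caller from a spoof or from data altered in transit, and the exp check bounds how long an intercepted token stays usable.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder: the same secret is seeded on the client app and on the API.
SHARED_SECRET = b"placeholder-secret-seeded-on-both-ends"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes, ttl: int = 300, now=None) -> str:
    """Client side: build an HS256 JWT carrying `claims` plus iat/exp."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps({**claims, "iat": now, "exp": now + ttl}, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_token(token: str, secret: bytes, now=None) -> dict:
    """API side: accept the token only if it was signed with our shared secret and has not expired."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pin the algorithm on the verifying side; never let the token choose (rejects alg=none).
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")  # spoofed caller, wrong secret, or data altered in transit
    payload = json.loads(b64url_decode(payload_b64))
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    return payload


def token_is_valid(token: str, secret: bytes, now=None) -> bool:
    try:
        verify_token(token, secret, now)
        return True
    except (ValueError, UnicodeDecodeError):
        return False
```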

I know that I will be using the League’s OAuth2 server package, and that I will be using one of the JWT (I know it’s pronounced “JOT”) packages out there. However, I do not want to use Passport as-is, nor do I want to use the SoapBox package as-is. I want a streamlined custom solution to use for LaSalle Software, so that’s what I am going to do.

Now, there are new third party packages for the Laravel Framework for Cross Origin Resource Sharing, and for Content Security Policies. These packages look very good, and should be good for augmenting security. They do not replace using encrypted JWTs.

---

I submitted this podcast to iTunes, again, and have not heard back, so I emailed a support ticket today. My RSS feed is through SoundCloud. My podcast is also available on TuneIn (see links in the header above).

---

Hosting the York Region meet-ups at the Magna Centre has worked out well. I’ve been to meet-ups at Starbucks, which incidentally I do not like, at pubs, which have their pros and cons, at libraries, at community centres, and on company premises. But never at a hockey rink. The Magna Centre has five hockey rinks, a gym, a huge swimming pool, a Second Cup kiosk, the Newmarket Athletic Wall of Fame, and a few rooms to rent out. The rooms are used for children’s programs, hockey league meetings, and that sort of thing. Open source technology meet-ups are quite different, and the staff there is starting to know us — I am convinced due to our novelty.

I wanted to host meet-ups in the northern end of York Region, because new people were tending to come from above the Thornhill/Markham/Richmond Hill area. In our first year we spent most of our meet-ups in the south end (and forays into the eastern edge), and I was convinced that in our second year we had to get northward. It has worked out very well. It is noteworthy that many times it’s whispered in my ear to have one or two meet-ups “back south”.

Having the meet-ups in one place has provided a nice logistical constancy. There’s no guessing where the meet-ups will be. No worrying about where to find the entrance, or that the entrance is locked. The parking is plentiful with obvious entrances — one entrance has a big sign and a stop-light. There are multiple washrooms in the facility. There is no worrying about attendees wandering into people’s work areas or kitchen areas. Logistically, the Magna Centre is, by far, the friendliest venue.

The room we rent has a terrific view of the main ice rink. A group of power skaters practices during our meet-ups. My speakers have noticed that I will watch them put up the blue padding against the end boards in case someone misses a turn, and watch the different age groups take their ovals around the rink, with the older kids skating closer to the boards and the younger ones skating within the centre of the rink. There are usually a couple of hockey games going on on the other rinks. I was worried that we would be distracted or that whoever was in the rink would stop and stare at us. There’s been no staring, and there’s been minimal distraction. Children have come in looking for their parents (hey, look, there’s a bunch of adults over there!), and parents have come in looking for their children. It’s amusing when a couple of kids come into the room loudly with their equipment clanking, look at us and stop cold, and then slink on out of the room. I’m waiting for one of these kids to ask us if we use PHP 7’s type hinting.

I am going to close out this meet-up season at the Magna Centre. I am thinking of mixing things up a bit next season, in part because the new subway is finally open — that construction is done (I think).

---

You have been listening to a SouthLaSalleMEDIA.com production. Opinions expressed are not necessarily those of SouthLaSalleMEDIA dot com, nor of the organizations represented. Links and materials discussed on air are available in the Show Notes for this show. Information contained herein has been obtained from sources believed to be reliable, but is not guaranteed. Podcasts are released under a Creative Commons licence. Some rights are reserved. Email correspondence to the attention of Bob Bloom at info at SouthLaSalleMedia dot com.

Monthly report on the good, the bad, and the ugly of my ongoing LaSalle Software development. Produced by Bob Bloom, founder and developer of LaSalle Software.