Sorry if you are upset that this is not a very specific question but I researched online and couldn't find out what PHP middleware refers to?
I have seen this term used in the Slim microframework and the Laravel framework and I really need an explanation.
Thanks a lot
I'm no tremendous expert but I can try to explain it. Basically, middleware in L5 and up replaces the filters that were in place in older Laravel versions. It adds verification to either a route/controller or the whole site. It will run whatever logic you have in a middleware before rendering a specific page to the user. For instance, Laravel comes with an auth and a csrf middleware upon installation. The auth middleware will check if the user is authenticated BEFORE showing a page, and csrf verifies on everything and makes sure your current token matches what is present on the db.
To create a middleware you need to run php artisan make:middleware NameofMiddleware.
A middleware can be either per route or for the whole application.
Related
I'm learning Symfony and I'm building an app based on the Youtube API and Google OAuth 2.0.
I'm using annotation routes to make a simple user interface and logging system. Here are all my routes:
/
/auth (redirect to Google auth server)
/auth/response (Get the Google auth code)
/user (users settings, stored via Doctrine ORM)
/update (ajax call url to update users settings)
/insert (making some Youtube API requests, will be used in a Cron task)
So my problem is that I don't want users to access certain routes because they shouldn't know those routes exist, especially for the "/insert" path.
I already set conditions for the /update path like this:
/**
 * @Route("/update", name="update", condition="request.isXmlHttpRequest()")
 */
The user gets a 404 error and that's perfect.
Now, how can I make something similar for my other problematic routes? Or maybe I'm absolutely doing it wrong, please tell me!
If you want to apply some restriction policies, you need to use the security config (the firewalls section in your case).
Documentation here: https://symfony.com/doc/current/reference/configuration/security.html
And 404 is the wrong answer, the 401 would be right.
I'm setting up FOSJsRoutingBundle on my app. When doing this I realized that the endpoint that returns all routes for the app was returning all routes for my internal app. I was digging in the source code, and they didn't apply any filters to the routes returned based on user roles. This is a very insecure way of doing things, because I can't reveal all the internal routing configuration for my app: it will lead to a security breach if someone used, for example, DevTools from Chrome to check for access to every route in my internal app. The question is, is there a way of accomplishing that, returning only the routes accessible to the current user?
I have a domain and subdomain based app (all in one Laravel project). I have set up CORS and CSRF so that communication works. I've also replaced the cookie domain under session.php and now the session is shared across domain and subdomain.
I have an issue when logging in however. When I log in (either from domain or subdomain) user gets logged in. I can check that by dumping Auth::user() under my web.php. However when I try to dump it from middleware I get null.
How is that possible?
I tried clearing caches on both app and browser
You should probably check the database, I had those same problems a long time ago.
I think Laravel saves the session in the database, or in some other configuration.
Check "config/session.php"
Hope this is helpful
I found the issue.
I was calling my middleware before the session middleware under Kernel.php
NOTE
Global middleware is called before web middleware
I am using Laravel for my web application. I have integrated amember within my Laravel site inside /publi/amember. Now I want to protect my routes using amember. Does anyone know how to do it? I am using L5 Moduler structure for my Laravel site.
The best approach is to use the Am_Lite API to do it.
http://www.amember.com/docs/API/Lite
So you need to include this file
amember/library/Am/Lite.php
within your application (before any output is done) and then use the following call to check access:
Am_Lite::getInstance()->checkAccess(Am_Lite::PAID);
If the user has the necessary access, this call does nothing; otherwise it redirects the user to the login form.
I had an application made with Laravel 5.3 that was running fine, but after upgrading to Laravel 5.4, every time we authenticate, it goes fine and we have access to the user information:
{"id":X,"name":"Foo","email":"foo@bar.com", . . .}
The thing is, it is not really logged in as when we want to access a protected view that this user would have access to, it redirects on the login page.
I checked a fresh install of Laravel 5.4 methods of authentication and can't find any difference between application and this fresh 5.4 application.
So if someone could tell me where this problem comes from, it would be really helpful,
Thanks.
EDIT : It seems that the Auth()->user() gets null value while in the middleware that protects the routes.
I found what went wrong, but didn't write the answer here.
What was actually happening is that it seemed that session cookies had the encrypt config option set to false, but it needed the EncryptCookies middleware, which was missing.
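Both "user is null inside my middleware" threads above (the custom middleware registered before the session middleware, and the missing EncryptCookies middleware) come down to what earlier pipeline stages have attached to the request by the time the guard runs. The following is an added, framework-free model of that behaviour, not code from the posters or from Laravel; every name in it is hypothetical, the session store and cookie are constructed, and base64 stands in for cookie encryption.

```php
<?php
// Added illustration: a minimal middleware pipeline (hypothetical names throughout).
// base64 is only a stand-in for cookie encryption; the session store is constructed.

$sessions = ['sess-123' => ['user' => 'Foo']];

$decryptCookies = function (array $req, callable $next) {
    // Stand-in for a cookie-decryption stage: recover the raw session ID.
    $req['cookie'] = base64_decode($req['cookie'], true) ?: $req['cookie'];
    return $next($req);
};

$startSession = function (array $req, callable $next) use ($sessions) {
    // Load the session for the cookie's ID; an unknown ID yields an empty session.
    $req['session'] = $sessions[$req['cookie']] ?? [];
    return $next($req);
};

$requireUser = function (array $req, callable $next) {
    // Route guard: it can only see what earlier stages attached to the request.
    $user = $req['session']['user'] ?? null;
    return $user === null ? 'redirect:/login' : $next($req);
};

function runPipeline(array $stack, array $req): string
{
    $handler = fn(array $r): string => 'page for ' . $r['session']['user'];
    // Wrap from the last stage inwards so the first entry in $stack runs first.
    foreach (array_reverse($stack) as $mw) {
        $next = $handler;
        $handler = fn(array $r) => $mw($r, $next);
    }
    return $handler($req);
}

$req = ['cookie' => base64_encode('sess-123')];

// Correct order: decrypt, load session, then guard.
echo runPipeline([$decryptCookies, $startSession, $requireUser], $req), "\n";
// Guard registered ahead of the session stage: no session exists yet.
echo runPipeline([$requireUser, $decryptCookies, $startSession], $req), "\n";
// Decryption stage missing: the session ID is unreadable, so the session is empty.
echo runPipeline([$startSession, $requireUser], $req), "\n";
```

Only the first ordering reaches the page handler; in the other two the guard sees no user even though the login itself succeeded and the session exists in the store.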