JussiMannisto wrote a reply+100 XP
2d ago
You're mixing yarn and npm, which seems weird to me. Use npm run dev instead of yarn dev.
The bundler is complaining about not finding resources/admin/sass/admin.scss. Does it exist?
JussiMannisto wrote a reply+100 XP
3d ago
Anyone trying to follow that method is going to have a really hard time. And that someone might be you two years from now.
Right now you're doing everything from control flow to low-level operations within the create() method. I'd refactor it so it only handles the top-level logic, and all heavy lifting is delegated to local methods. This makes the code more readable and also naturally comments it. Example:
if (array_key_exists('profile_image', $data['user'])) {
    $storageUsed = $this->uploadImage($data);
}
If you need to modify the $data array in a subtask, you can pass it as a reference:
protected function doSomething(array &$data): void {
    $data['user']['something'] = true;
}
JussiMannisto wrote a reply+100 XP
5d ago
I was asking why you added that option. It's not in the database config file by default. Did you read what it does from the Postgres docs?
You've set target_session_attrs to read-write for all connections, which means you cannot connect to the hosts you defined under read if they're read-only connections.
You also have a separate host array at the root level in addition to read and write hosts. I don't know how Laravel interprets this, but it might mess things up. I recommend you read the docs before continuing.
JussiMannisto wrote a reply+100 XP
5d ago
What are you trying to achieve by including it to begin with?
JussiMannisto wrote a reply+100 XP
1w ago
If you use version control, such as Git, recovery is easy. Every developer should always use version control, even if they're working alone.
Another easy way is through an IDE. PhpStorm has a local history that shows file deletions, which you can revert. VS Code is a bit worse in this regard, but it's still possible.
Otherwise, you might be able to do it with some recovery tool. Recovering deleted files is less likely on SSDs than HDDs. Your best bet is to google "undelete tool" and try something to recover it. Recovery becomes less and less likely the longer you keep using the device.
JussiMannisto wrote a reply+100 XP
1w ago
You have this piece of config:
'options' => [
    'target_session_attrs' => 'read-write',
],
Why is it used?
You haven't overridden target_session_attrs for the read connections, so I think they also have the read-write attribute, although I haven't tested it. And since those are read-only connections, the connections should fail.
JussiMannisto wrote a reply+100 XP
1w ago
@vincent15000 Master (a.k.a. primary) and replica (a.k.a. slave) are basic concepts in database replication. Replica servers replicate data from primary server(s). The old terms are master/slave, the modern terms are primary/replica.
@Michael88 What does "it fails" mean? What actually happens?
And what do you mean by master switching to replica? Laravel uses a read connection by default. It only switches to the write connection when you write something to the DB. And all subsequent reads also use the write connection since you have the sticky option set (which is good).
JussiMannisto liked a comment+100 XP
1w ago
I think you should learn how to code, and then use AI as a tool, and not as a developer.
JussiMannisto wrote a reply+100 XP
1w ago
Given this behavior, I’m wondering if this could be related to the PPA Launchpad issue. Am I thinking in the right direction?
No. That's only relevant when you're installing packages on Linux. It has no effect on your app after that.
JussiMannisto was awarded Best Answer+1000 XP
2w ago
Your app isn't involved here: the font is being loaded from some Chrome extension. It's not showing up in incognito mode because extensions are disabled there by default.
So the only solution is to disable the extension, whatever it is.
JussiMannisto wrote a reply+100 XP
2w ago
As mentioned, route model binding is the solution.
If you want to use usernames in the URLs instead of IDs, you can do it like this:
Route::get('/users/{user:username}/comments', [UserController::class, 'comments']);
JussiMannisto was awarded Best Answer+1000 XP
2w ago
You need to nest orWhere conditions in a where condition. Something like this:
$products = Product::where('parent_id', '!=', 0)
    ->whereHas('flags', function ($query) use ($messages) {
        $query
            ->where('is_valid', true)
            ->where(function ($query) use ($messages) {
                foreach ($messages as $message) {
                    $query->orWhere('message', 'LIKE', $message);
                }
            });
    })
    ->get();
I might separate the message condition to a scope:
// Flag.php
use Illuminate\Database\Eloquent\Attributes\Scope;
use Illuminate\Database\Eloquent\Builder;

#[Scope]
protected function messageLike(Builder $query, ...$messages): void {
    $query->where(function ($query) use ($messages) {
        foreach ($messages as $message) {
            $query->orWhere('name', 'LIKE', $message.'%');
        }
    });
}

// The query becomes a bit cleaner:
$products = Product::where('parent_id', '!=', 0)
    ->whereHas('flags', fn($query) => $query
        ->where('is_valid', true)
        ->messageLike(...$messages)
    )
    ->get();
P.S. parent_id should be a nullable column. If you're using 0 to denote no parent, you can't use a foreign key on the column.
JussiMannisto wrote a reply+100 XP
2w ago
I looked at your config briefly and noticed some things.
proxy_pass hype://0.0.0.0:6001;
That address doesn't make sense in this context. Since your Reverb server is running locally, replace 0.0.0.0 with 127.0.0.1.
0.0.0.0 is a wildcard meaning "all IPv4 network interfaces" when listening on incoming traffic. But it doesn't work as a proxying target: you need an actual IP address for that.
Failed to listen on "tcp://127.0.0.1:8080": Address already in use (EADDRINUSE)
When are you getting this error? Is it when Supervisor tries to start the Reverb server?
That error means some other process is already listening on that port. Run this command to see what's up:
sudo ss -tulpn 'sport = :8080'
Other minor things:
listen [::]:443 quic;
listen 443 quic;
http3 off;
These settings are contradictory. You're opening two QUIC sockets for IPv4 and IPv6, but then you're turning off HTTP/3 support – the protocol that would actually use QUIC.
if (-f $request_filename) {
    break;
}
This does nothing. Your try_files rule already routes everything to Laravel if the file doesn't exist on disk.
JussiMannisto wrote a reply+100 XP
2w ago
What's the use case? It might make more sense to do some of this in code rather than SQL.
JussiMannisto wrote a reply+100 XP
2w ago
Are you serving the site over https? Or are you using something like http://localhost?
Browsers ignore the secure flag of cookies on localhost. They treat *.localhost domains as special cases and don't enforce the secure requirement because it makes local development easier. But they should still respect cookie prefixes (if they're supported to begin with). If you're not using https, that would explain why your session cookies aren't working.
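The cookie prefix rules mentioned above, as an added example that is not part of the original reply: a small checker for Set-Cookie header values. The header strings are constructed samples, and it checks only the attribute requirements of the `__Secure-` and `__Host-` prefixes, not the scheme of the origin that sets the cookie.

```javascript
// Added example: validate Set-Cookie values against cookie name prefix rules.
// __Secure- : must carry the Secure attribute.
// __Host-   : must carry Secure, must have Path=/ and must not have Domain.

// Split "name=value; Attr; Attr=val" into the cookie name and its attributes.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';');
  const eq = pair.indexOf('=');
  const name = (eq === -1 ? '' : pair.slice(0, eq)).trim();
  const attrs = new Map();
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    const value = i === -1 ? '' : part.slice(i + 1).trim();
    if (key) attrs.set(key, value); // a repeated attribute keeps the last value
  }
  return { name, attrs };
}

// Return a list of rule violations; an empty list means the cookie is fine.
function prefixViolations(header) {
  const { name, attrs } = parseSetCookie(header);
  const lower = name.toLowerCase(); // prefixes are matched case-insensitively here
  const isHost = lower.startsWith('__host-');
  const isSecure = lower.startsWith('__secure-');
  const problems = [];
  if ((isHost || isSecure) && !attrs.has('secure')) {
    problems.push('missing Secure attribute');
  }
  if (isHost && attrs.has('domain')) {
    problems.push('Domain attribute not allowed');
  }
  if (isHost && attrs.get('path') !== '/') {
    problems.push('Path must be /');
  }
  return problems;
}

// Keep only the headers that break a rule, with the reasons.
function auditCookies(headers) {
  return headers
    .map((header) => ({ header, problems: prefixViolations(header) }))
    .filter((result) => result.problems.length > 0);
}

// Constructed sample headers (cookie names and values are made up).
const sampleHeaders = [
  '__Host-laravel_session=abc; Path=/; Secure; HttpOnly; SameSite=Lax',
  '__Host-laravel_session=abc; Path=/; Domain=example.test; Secure',
  '__Secure-token=abc; Path=/; HttpOnly',
  'laravel_session=abc; Path=/',
];

for (const { header, problems } of auditCookies(sampleHeaders)) {
  console.log(`${header}\n  -> ${problems.join(', ')}`);
}
```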
JussiMannisto wrote a reply+100 XP
3w ago
When user goes to their roles page and go to a specific role panel, I will put the hidden roleId on forms, so I can check in authorization, if this user have this role, and if this role has the permission needed for the action. How is it? Is it a bad practice?
Don't do this. Anyone could modify the hidden input in the page source and spoof a different role.
You don't need to add any hidden inputs. Your backend already knows who the user is, and you can use Laravel's built-in authorization features. I strongly recommend you read the documentation first:
https://laravel.com/docs/13.x/authorization
But I can give you a quick rundown.
Below is a simple policy class for a Post model. It has just one authorization check: can a user edit a post. Editing is allowed if the user is a super-admin or the original author of the post.
class PostPolicy {
    public function edit(User $user, Post $post): bool {
        if ($user->role === 'super-admin')
            return true;
        return $user->id === $post->user_id;
    }
}
Here's how you register the policy on the model:
use Illuminate\Database\Eloquent\Attributes\UsePolicy;

#[UsePolicy(PostPolicy::class)]
class Post extends Model {
    ...
}
Once you have the policy registered, you can do authorization checks in code, middleware, and Blade templates. Some examples:
// Authorization check in middleware:
Route::patch('/posts/{post}', [PostController::class, 'update'])
    ->can('edit', 'post')
    ->name('posts.update');

// Authorization check in a controller:
if ($request->user()->can('edit', $post)) {
    ...
}

// Authorization check in Blade:
@can('edit', $post)
    ...
@endcan
The docs have all the details.
JussiMannisto was awarded Best Answer+1000 XP
3w ago
What kind of attack are you talking about?
Users can do anything with their own front end, so they can of course submit the form anywhere. That's why you validate and authorize everything server-side.
On the front end, what you need to worry about is code injection that could affect other users (XSS).
JussiMannisto was awarded Best Answer+1000 XP
4w ago
It may be caused by the asset preload headers set by Inertia. Together with other headers, they can exceed the default FastCGI buffer size of Nginx. You can try increasing the size in the http block in nginx.conf, e.g.
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
Then restart Nginx.
JussiMannisto wrote a reply+100 XP
4w ago
Why would your choice of session driver matter? Unless you use the cookie driver, it should make no difference whatsoever.
Nginx is telling you what's wrong: your backend (upstream) is sending response headers that are too big. Either increase the buffer size in Nginx or remove the AddLinkHeadersForPreloadedAssets middleware in Laravel. I don't recommend the latter if you care about performance.
JussiMannisto wrote a reply+100 XP
1mo ago
That error message told you what's wrong and what you need to do. You're missing PHP's XML extension.
JussiMannisto wrote a reply+100 XP
1mo ago
You didn't say what went wrong with Breeze and the starter kits.
JussiMannisto was awarded Best Answer+1000 XP
1mo ago
View the page source. If you see fully rendered html, SSR works. If you see an empty div in the body, it's not working.
Note that only the first page is rendered on the server, and other pages are rendered client-side when you navigate to them. This is by design.
JussiMannisto wrote a reply+100 XP
1mo ago
For AI there no like easy question or hard question, If you ask questions and it runs query from its database and calculate those data and pass it to you.
That's not how an LLM works. It doesn't run queries. It's a stochastic text predictor that produces text one token at a time. It's a pattern completion machine. The appearance of understanding is an illusion.
This is also true, But As if now you can get any kind solution with AI,
No. AI gives you text output. Nothing beyond that is guaranteed.
AI gets things wrong, hallucinates, tries to solve every problem locally rather than globally, etc. Some issues may be solvable with tooling, but some may be fundamentally beyond the capabilities of the current text predictor approach. These LLMs aren't AGI.
JussiMannisto wrote a reply+100 XP
1mo ago
Then its like waste time to learn all these stuff which can be automated in future.
If it feels like a waste of time to learn what happens under the hood, software development might not be the right career path for you.
JussiMannisto wrote a reply+100 XP
1mo ago
It only tracks the attributes of the model, not its relations.
I like to confirm these things straight from the source code because it's easy through an IDE. Here are some relevant methods from Model and the HasAttributes trait:
JussiMannisto wrote a reply+100 XP
1mo ago
As of today, AI agents can't make proper apps on their own. What they can do is produce junk that passes tests. To use it for any proper product, you have to understand the code and correct its issues.
It's clear that AI will be useful, but the hype is completely overblown. If you were to go back and read the marketing from two years ago, you'd think you have no future in tech if you didn't use [insert any AI tool hot at the time]. Now those AI models are obsolete, and if you spent the time learning the fundamentals of computer science instead, you'd be much better off.
Some of the recent layoffs in the tech sector can be attributed to pandemic-era over-hiring and the general downturn in the US economy. But I'm sure the over-hyping of generative AI is partly to blame. I believe we'll see more service degradation over the following years.
What you should do ultimately depends on your goals. If you're a non-programmer who wants something on the screen, you may not need to understand the code. I just don't see anyone hiring an "AI prompter" who's helpless when something doesn't work.
JussiMannisto wrote a reply+100 XP
1mo ago
"They" are being silly.
JussiMannisto wrote a reply+100 XP
1mo ago
It's not good or bad. It's GraphQL. Do you actually need it?
JussiMannisto wrote a reply+100 XP
1mo ago
What’s the fastest way to isolate whether the delay is coming from TTFB vs frontend rendering?
Run Lighthouse from Chrome's dev tools.
How are you serving the app? Just to be sure: are you building the assets, and not using any development tool (npm run dev or php artisan serve) in production?
In Apache, have you:
- Enabled http2 or http3? This is pretty important.
- Enabled traffic compression (gzip)?
What's the size of the largest javascript bundle when you build the assets?
The first thing I'd do is open the browser dev tools and check the console for any errors, the network tab for any glaring issues, and then run Lighthouse or equivalent. You can analyze the waterfall graph in the Network tab, but I'd check the other stuff first.
JussiMannisto wrote a reply+100 XP
1mo ago
Because it's poorly written, unformatted and doesn't even contain a question. If you make an effort to be understood, you're more likely to get replies.
JussiMannisto wrote a reply+100 XP
1mo ago
I download the actual code no library:
That IS the library. It can have malware whether you install it via npm or manually.
In this case, attackers included a package install script to install the RAT. A direct download couldn't do that, but it could contain other malicious code.
Npm has an automatic audit for vulnerable versions, unlike direct downloads.
But how much damage was done, other servers could have been hit as well. Depending on how the malware was written.
That wasn't what I meant. This is a serious attack. My point was that there's nothing to wait for because the compromised versions were removed over 24 hours ago.
I have never even used NPM.
Ok, but the rest of the industry does. And you still use other package managers, such as Composer and, presumably, some Linux package manager. Those have suffered supply chain attacks just like this.
While these attacks are nasty, in the real world you can't get away with a zero trust approach. You're relying on many layers of software just to run a web app. It takes vigilance.
JussiMannisto wrote a reply+100 XP
1mo ago
Until it's resolved I wouldn't even trust NPM.
It was resolved long before this thread. The compromised version was up for 3 hours.
The lead maintainer's account was hacked, allowing the attacker to upload the compromised version.
It's not feasible to "not trust" package managers, be it npm, composer or pip. Downloading libraries directly from a CDN definitely isn't any safer.
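An added example, not part of the original replies: since the attack described above relied on a package install script, this lists the dependencies that a package-lock.json (v2/v3) marks with `hasInstallScript`, minus an allowlist you have already reviewed. The lockfile content and package names are constructed.

```javascript
// Added example: report dependencies that run preinstall/install/postinstall
// hooks, using the hasInstallScript flag npm records in package-lock.json.

// Constructed sample in package-lock.json v3 shape; package names are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/http-helper': { version: '2.4.1' },
    'node_modules/native-build': { version: '5.0.0', hasInstallScript: true },
    'node_modules/http-helper/node_modules/@acme/setup-shim': {
      version: '0.0.3',
      hasInstallScript: true,
    },
  },
};

// "node_modules/a/node_modules/@s/b" -> "@s/b" (last package in the path).
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Return every package with install hooks that is not on the allowlist.
function findInstallScripts(lock, allowlist = []) {
  if (!lock || typeof lock.packages !== 'object' || lock.packages === null) {
    throw new Error('expected a v2/v3 package-lock.json with a "packages" map');
  }
  const allowed = new Set(allowlist);
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === '' || !entry.hasInstallScript) continue; // root project or no hooks
    const name = entry.name || packageNameFromPath(lockPath);
    if (allowed.has(name)) continue;
    const first = lockPath.indexOf('node_modules/');
    findings.push({
      name,
      version: entry.version,
      // true when installed under another package's node_modules (not hoisted)
      nested: first !== lockPath.lastIndexOf('node_modules/'),
      path: lockPath,
    });
  }
  return findings.sort((a, b) => (a.name < b.name ? -1 : a.name > b.name ? 1 : 0));
}

// 'native-build' stands in for a package whose build step you have reviewed.
for (const f of findInstallScripts(sampleLock, ['native-build'])) {
  console.log(`${f.name}@${f.version} runs install scripts (${f.path})`);
}
```

Installing with `npm ci --ignore-scripts` skips these hooks entirely; packages that really need a build step then have to be rebuilt deliberately.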
JussiMannisto wrote a reply+100 XP
1mo ago
How are you using the policy? Show your code.
JussiMannisto wrote a reply+100 XP
1mo ago
Have you started reading the documentation? It explains the basics.
JussiMannisto wrote a reply+100 XP
1mo ago
200 is not a redirect response.
When a browser receives a 302, it automatically redirects to the url in the Location header. That url may then return a 200.
If you see a 200 response, it's probably where you got redirected to. You need to preserve logs in the dev tools to see the intermediate redirection.
JussiMannisto was awarded Best Answer+1000 XP
1mo ago
In addition to queue workers, any Laravel worker that needs to be running all the time: Reverb, Pulse, Inertia's SSR server, etc.
You shouldn't add system services such as Nginx, MariaDB, or PHP-FPM. Those are already managed by systemd.
JussiMannisto liked a comment+100 XP
1mo ago
what are you on about?
JussiMannisto wrote a reply+100 XP
1mo ago
I have read the post, sure ... nothing is talking about this.
Then you didn't understand what you read.
They posted screenshots from laravel.com, the official website of Laravel.
Why do you have the FlightController class inside the UserController.php file ?
They don't. Laravel.com has.
JussiMannisto wrote a reply+100 XP
1mo ago
Read the post.
JussiMannisto wrote a reply+100 XP
1mo ago
They mixed up FlightController and UserController. It uses a $user variable that doesn't exist.
JussiMannisto wrote a reply+100 XP
1mo ago
laravel.com
If you don't see it, they may be doing canary testing before full roll-out.
JussiMannisto wrote a reply+100 XP
1mo ago
It's just sloppiness. I'm sure they'll fix it soon.