I'm using Laravel, Inertia and Vue in my application. By default Laravel uses Ziggy so that route() can be used in Vue files, so I can clearly see my routes in inspect-element mode. Will that be a security issue in production?
You need to filter what you want it to show. https://github.com/tighten/ziggy#filtering-routes
So only expose the routes that the user actually needs
@Sinnbeck Yeah, I've seen this one, but is there any way to not show the routes?
The best way to avoid exposing any routes is to not use Ziggy
The routes I've created in the web.php file are going to be used somewhere in the application. If I use the filter, the routes that are filtered will not work and I can't send a request to that route. Is it OK to show routes in inspect-element mode? Will that be a security issue?
@Dhamo If the users are able to use every single route anyway, I don't see that big a problem. Of course they get a tiny bit of domain knowledge by seeing the required parameters, but most of the time those can be guessed based on how they look anyway.
@Dhamo That is up to you to decide. It is certainly more convenient for the malicious user, but most/all of these routes are exposed anyway through links, form actions etc. The idea of the filter is to limit the Ziggy routes to only the ones needed by your JavaScript application, which will (again) be available to the malicious user in the JavaScript src directly.
@Dhamo It's wrong ... The filtered routes will work, but you just can't use their names with Ziggy.
What's important is to filter the routes so that you hide the routes that are not used from the frontend.
Then, no matter if you expose the routes that are used, once you use them, with their names with Ziggy or without their names, the routes can be guessed.
@dhamo You can’t “hide” routes but still pass them to JavaScript. You need to expose them in order to pass them to your client-side JavaScript.
If you feel exposing your application‘s routes to the client side is a security issue then don’t build your application in that manner.
Not only the routes but also the props of that page or component are exposed in my case. What can I do?
@abdusalam10 From what I can tell this is very common; on most SPA pages you can see all the props that JavaScript needs to render the page correctly and interactively. Your concerns are valid: if you do not have very good fundamentals in security, authorisation, using middleware and gates, you will likely not be securing your routes entirely, so having the route names and props exposed will give people an opening. However, if you are at the level of using Vue and Inertia then this should not be a problem.
I think the issue is that a lot of people (myself included) who are new to Laravel and are doing research see a lot of cues pointing them towards diving into using Vue and Inertia, and the learning curve is too steep. This is a concern, as you won't have learnt the basics to ensure your application is secure on the backend.
It took me a while to admit it, but I just had to realise I had to go back to the basics and build up from there. I suggest that if you are starting out, you complete the Laravel 8 from Scratch tutorial, which focuses on Blade for the frontend and keeps that side of things simple to ensure that the backend Laravel skills are honed.
The routes are still visible in Laravel 12.x in the Inertia head script of Ziggy on all the pages.
@coder-manjeet Yes they are, by design. How could Ziggy use the routes if it didn't know about them?
It's not a security issue. But if you don't want them in the client, you can configure Ziggy to expose only specific routes, or you can remove Ziggy and just use hardcoded URLs in your code.
@coder-manjeet Right? Why have you replied to a 2-year-old topic to add absolutely no new information?
@jussimannisto Thank you for replying,
Apologies for the incomplete context in my question.
I was working on a project when I noticed this, and I had never worked with Ziggy before. We need to make sure we only expose the routes based on the access level, i.e. public or private routes.
For that I updated only the config/ziggy.js configuration and the app/Middleware/HandleInertiaRequests.php grouping technique, but the unwanted routes were still getting exposed in the JS code on the frontend, because I missed the last step: role-based exposing of the routes in app.blade.php. After this step it was working as expected:
{{-- Expose routes based on current user context --}}
{{-- Each @routes('...') argument is a route group name from the Ziggy config --}}
@auth
    @if (auth()->user()->hasRole('super-admin'))
        @routes('admin')
    @else
        @routes('user')
    @endif
@else
    @routes('guest')
@endauth
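As an added example (not code from this thread, from Ziggy's own repository, or from the poster's project), here is the Ziggy config file that the filtering advice earlier in the thread and the grouped @routes('admin') / @routes('user') / @routes('guest') Blade calls above both rely on. The route names (home, login, posts.*, admin.*, and so on) are constructed for illustration and are not taken from the thread.

```php
<?php
// config/ziggy.php  (added example; route names below are constructed)

return [
    // Routes serialized into the page when the bare @routes directive
    // (or `new Ziggy()` with no group) is used. Keep this to the named
    // routes the client-side JavaScript actually calls via route(); any
    // route not listed here is simply absent from the generated script.
    // `only` and `except` are alternatives; use one or the other.
    'only' => [
        'home',
        'login',
        'posts.index',
        'posts.show',
    ],

    // Named groups. Passing a group name, e.g. @routes('admin') in Blade or
    // `new Ziggy('admin')` in HandleInertiaRequests::share(), serializes
    // that group's list instead of the `only` list above. Wildcards such
    // as 'posts.*' match every route name with that prefix.
    'groups' => [
        'guest' => ['home', 'login', 'register'],
        'user'  => ['home', 'dashboard', 'posts.*', 'profile.*'],
        'admin' => ['home', 'dashboard', 'posts.*', 'profile.*', 'admin.*'],
    ],
];
```

Two points worth keeping in mind when using this. First, filtering and groups only change which names end up in the JavaScript that Ziggy emits; they do not disable any route, so a route left out of every group still answers normal HTTP requests (this is the correction made earlier in the thread). Second, because every route stays reachable by URL whether or not Ziggy lists it, the access level of a route has to be enforced server-side with auth middleware, policies or gates; the group selection in Blade or the Inertia middleware is a convenience that keeps the client bundle small, not an authorization control.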