ProfessorGT's avatar

Hitting 403 page when clicking verify link in email using new Laravel Verification (5.7)

I am using the latest version of Laravel 5.7 and I set up the new built-in Email Verification.

When I use it locally it works fine and I'm able to verify my email address.

However, when I try to do the same flow on Heroku, I hit a 403 Error every time. Anyone else hitting this? Or does anyone know what could be causing this behavior?

Thanks in advance!!

0 likes
11 replies
wilburpowery's avatar

Haven't really faced anything similar, but I don't really use Heroku.

Might it be something particular to Heroku?

I use Laravel Forge and have email verification working on about 3 live apps right now.

ProfessorGT's avatar

Yes, it could be Heroku, I just don't even know what to check at this point?

  • I verified all the env variables are correct.
  • I verified that the root is correct /public
  • I checked to make sure the URLs are right in the email and include https.

Every time I try to click the link in the verification email it takes me to 403 page.

wilburpowery's avatar

The Email verification feature in Laravel uses the new Signed Routes feature introduced in 5.7.

Maybe that could be an issue also? It would make sense since you're getting a Forbidden error, so maybe the signed route isn't being validated correctly?

I'm just guessing right now to be honest. : /

ProfessorGT's avatar

I had that thought as well and was digging through the core code to see if I could spot anything.

I just made some progress though. On Heroku, I have my APP_ENV variable set to "staging" and in my local env I have it set to "local", when I changed the APP_ENV to "local" on Heroku it worked.

So I checked through my code and I have this code in my AppServiceProvider:

if ($this->app->environment() == 'production' || $this->app->environment() == 'staging') {
    URL::forceScheme('https');
}

So if I bypass that code (by changing env to local), it works. But if I don't have this code, none of my CSS/JS files work because they are served as http and the Heroku server is https.

I think I'm getting closer. Just need to figure out how to get email verification working along with my asset files.

ProfessorGT's avatar

Ok, that did the trick. I removed that code from the AppServiceProvider and it's working now.

ProfessorGT's avatar

Anyone know how to get the asset() view function to return secure urls?

It's returning http instead of https for my app.css and libs.css links.

<link rel="stylesheet" href="{{ asset('css/app.css') }}">
<link rel="stylesheet" href="{{ asset('css/libs.css') }}">

My APP_URL includes "https", but the Laravel-generated URLs are all http and not https.

Snapey's avatar

The original problem could be because your app_url is not set to https:// ?

There is a secure_asset() helper

ProfessorGT's avatar
ProfessorGT
OP
Best Answer

No, I have my APP_URL with "https" in it. Good idea to check there though. That could have been a cause.

I was able to finally figure it out.

It had to do with the TrustProxies middleware.

I was able to put my forceScheme HTTPS code back into the AppServiceProvider and it's all working again.

I had to set my TrustProxies Middleware as follows:

protected $proxies = '*';

protected $headers = Request::HEADER_X_FORWARDED_AWS_ELB;

Since all the traffic to the Heroku server is coming from a Heroku load balancer, it wasn't looking at the request as secure. Once I updated these two lines in the middleware it started working.

Here is where I found the solution: https://devcenter.heroku.com/articles/getting-started-with-laravel

It's also documented on laravel.com too: https://laravel.com/docs/5.7/requests#configuring-trusted-proxies

It's at the very bottom/end of the post.

Thanks @wilburpowery and @Snapey for your attempts to help.

5 likes
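A simplified model of why the signed verification link failed with 403 behind the load balancer, added here as an example; it is not code from this thread or from Laravel. It assumes the signature is an HMAC over the absolute URL, scheme included; the key, host, proxy address and function names are constructed for illustration.

```php
<?php
// Assumption: the link's signature is an HMAC over the absolute URL (scheme
// included). Key, host, proxy address and helper names are constructed.

const APP_KEY = 'constructed-demo-key';   // stands in for the application key
const TRUSTED_PROXIES = ['10.0.0.5'];     // constructed load balancer address

function sign(string $url): string
{
    // The MAC covers the full URL, so "http" and "https" give different values.
    return $url . (strpos($url, '?') === false ? '?' : '&')
        . 'signature=' . hash_hmac('sha256', $url, APP_KEY);
}

function requestScheme(array $server, bool $trustProxy): string
{
    $fromProxy = in_array($server['REMOTE_ADDR'], TRUSTED_PROXIES, true);
    if ($trustProxy && $fromProxy && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https' ? 'https' : 'http';
    }
    // Otherwise only the local socket is consulted, and the hop from the
    // load balancer to the app is plain HTTP.
    return (($server['HTTPS'] ?? 'off') !== 'off') ? 'https' : 'http';
}

function hasValidSignature(array $server, bool $trustProxy): bool
{
    $path = parse_url($server['REQUEST_URI'], PHP_URL_PATH);
    parse_str(parse_url($server['REQUEST_URI'], PHP_URL_QUERY) ?? '', $query);
    $given = (string) ($query['signature'] ?? '');
    unset($query['signature']);

    // Rebuild the URL as the application sees it, then recompute the MAC.
    $url = requestScheme($server, $trustProxy) . '://' . $server['HTTP_HOST'] . $path;
    $original = rtrim($url . '?' . http_build_query($query), '?');
    return hash_equals(hash_hmac('sha256', $original, APP_KEY), $given);
}

// Constructed request: link generated as https, delivered to the app over http.
$link = sign('https://app.example.test/email/verify/42?expires=1893456000');
$server = [
    'REMOTE_ADDR' => '10.0.0.5',
    'HTTP_HOST' => 'app.example.test',
    'REQUEST_URI' => substr($link, strlen('https://app.example.test')),
    'HTTP_X_FORWARDED_PROTO' => 'https',
];
var_dump(hasValidSignature($server, false)); // forwarded header ignored
var_dump(hasValidSignature($server, true));  // forwarded header honoured
```

Unlike `$proxies = '*'`, this sketch honours the forwarded header only from a listed proxy address. A wildcard is appropriate only when the application cannot be reached except through the load balancer, since otherwise any client can supply its own X-Forwarded-* headers.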
edim's avatar

@PROFESSORGT - I'm sorry for posting on an "older" thread but I think I have the same issue on another hosting (locally working, production having a 403), and I am pretty much lost when it comes to coming up with a solution. Maybe setting the right headers would work but I can't really be sure about it.

Could anyone guide me in the right direction regarding headers, knowing that proxies = '*' didn't solve the problem itself?

I guess I want to say that any advice on this topic would be appreciated :D
