Level 13
bump.
Aug 17, 2024
10
Level 13
laravel middleware order (auth sanctum)
I'm using a small middleware to ensure all requests to /api* are answered by JSON by laravel (enforcing JSON).
class ForceJsonResponse
{
public function handle($request, Closure $next)
{
//only to see if called
dd("called");
//force JSON response from API
$request->headers->set('Accept', 'application/json');
$request->headers->set('Content-Type', 'application/json');
return $next($request);
}
}
First of all I tried to use this middleware directly inside Kernel.php under $middlewareGroups like this:
'api' => [
\Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
'throttle:api',
\Illuminate\Routing\Middleware\SubstituteBindings::class,
\App\Http\Middleware\ForceJsonResponse::class,
],
My routes file (middleware) at this moment:
Route::middleware(['auth:sanctum', 'throttle:sanctum_token_limit'])->group(function () {
//API Routes
});
I was able to see the middleware is never called when a user is unauthenticated (I expect the output to be called, even if the user is NOT authenticated) / no bearer token is present in request.
I tried to include the ForceJsonResponse middleware directly into the middleware() call of route, because so I thought I can enforce the order of the middleware are being used, so I ended up by using this inside Kernel
'api' => [
\Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
'throttle:api',
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],
];
protected $routeMiddleware = [
'forceJson' => \App\Http\Middleware\ForceJsonResponse::class,
Inside my middleware() of routes I called it like:
Route::middleware(['forceJson', 'auth:sanctum', 'throttle:sanctum_token_limit'])->group(function () {
//routes...
}
This doesn't call my custom ForceJsonResponse middleware too, where did things go wrong?
Level 122
why not just tell Laravel to return a json response?
Your API consumer should set the header Accept: Application/json
Level 13
@snapey open to any auggestions, I wasn't able to find an easy way to do this (only for all api routes). Is there an easy way to archive this and set the requested order?
I know I could set both headers on webserver too for all api* routes but I would like to keep the logic inside laravel.
Level 13
@snapey just for your records :)
see https://github.com/laravel/sanctum/issues/162#issuecomment-1860443876
Solved by this post, referencing it inside the api middlewaregroups and NOT inside the constructor of class or inside the route definition fixed the problem.
Level 122
@t0berius but you shouldn't be allowing requests to your api route that dont say what they want. By this middleware you are saying, I don't give a F what you want, Im giving you json.
If it was a good idea it would be in the framework.
You are also saying I dont give a F what you are sending me, Im going to pretend its json. Then I'm going to tuck this code away so no one can work out whats going on in the future.
Level 75
@t0berius use some good virus and malware software if you aren't following what @snapey posted.
Edit:
To anyone seeing this:
As I have said in the past, laravel is a very secure framework but only when setup correctly, and proper security implemented.
However when not implemented correctly, well it becomes very unsecure.
If someone does not understand what they are doing, they need to:
- have a professional do it
or
- properly learn first which takes time
Level 13
The only format the API supports is JSON, so why should the client define it on each request, if the whole API only supports JSON, open to any suggestions and explanations in detail.
@jlrdw Please explain to me how the header should allow to upload files when no logic is in place to store this files on the server. Please stop spreading panic.
Not expecting any security report from your side showing a way to gain access anyways.
Level 13
please specify some details about. F5 loadbalancers f.e. are providing such a feature to protect API routes by limiting the headers to f.e. JSON headers, I'm just doing this on the application side. Be rest assured the validation of the input is performed using default laravel rules.
Level 75
Level 13
@jlrdw Thank you, be rest assured I perform checks on the request received from the client. All data is verified using laravel default validation rules.
From my point of view (if you validate client data, which you always should), there's no problem in general.
Please or to participate in this conversation.