0

I installed Log Viewer in my Laravel 11 project, and it works like a charm. But I want to limit who has access to the Log Viewer in production.

So, I created a middleware:

    <?php

    namespace App\Http\Middleware;

    use Closure;
    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\Auth;

    class ViewLogs
    {
        public function handle(Request $request, Closure $next)
        {
            if (Auth::check() && Auth::user()->hasRole('admin')) {
                return $next($request);
            }

            abort(401, 'Unauthorised');
        }
    }

Add the following to the $middlewareAliases array in app\Http\Kernel.php:

        'view-logs' => \App\Http\Middleware\ViewLogs::class,

And add the middleware to the Log Viewer config:

    /*
    |--------------------------------------------------------------------------
    | Log Viewer route middleware.
    |--------------------------------------------------------------------------
    | Optional middleware to use when loading the initial Log Viewer page.
    |
    */

    'middleware' => [
        'web',
        'view-logs',
        \Opcodes\LogViewer\Http\Middleware\AuthorizeLogViewer::class,
    ],

If I try to debug Auth::check(), it always returns false.

For information, I use Laravel Passport in my project.

Thanks in advance for your help!

7
  • Try Auth::guard('api') instead of just Auth Commented Mar 11 at 8:57
  • I also tried Auth::guard('api') but it returns false Commented Mar 11 at 9:00
  • Your issue may relate to this: github.com/opcodesio/log-viewer/issues/362 Commented Mar 11 at 9:37
  • @Hoang so I don't understand the solution, what am I supposed to put as an APP_URL in a dev environment? Commented Mar 12 at 16:05
  • Something like localhost. Try to change it at LOG_VIEWER_API_STATEFUL_DOMAINS as well. You should also add your middleware to the api_middleware config and check the API request to see whether the token is being sent or not Commented Mar 13 at 3:22

1 Answer 1

0

The problem is your middleware is called before authorisation:

    Route::get('/log'...)->middleware('view-logs');

will not work, while this will

    Route::group(['middleware' => ['auth:api']], function () {
        Route::get('/log'...)->middleware('view-logs');
    });

Why does it work?

With the auth:api or even the auth middleware, the logged-in user appears, while without this middleware you don't have a logged-in user and checking Auth::check() will always be false. That is expected behaviour.

Can it be done even better?

Yes, if you are using spatie/laravel-permissions, and ->hasRole() makes me think you are, then you can get rid of the self-written middleware and use this:

    Route::get('/log...', [...Controller::class, 'index'])->middleware('role:admin');
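
An added example, not part of the question or the answer above: a variant of the ViewLogs middleware that takes guard names as parameters and asks those guards to authenticate the request itself, so the role check does not silently run against a guard that was never used. It also separates "not authenticated" (401) from "authenticated without the role" (403). Assumptions: `hasRole()` exists on the user model (for example from a roles package), and the guard names are the ones defined in `config/auth.php`.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class ViewLogs
{
    /**
     * Registered under the alias 'view-logs' (as in the question), this is
     * referenced with guard names, e.g. 'view-logs:api' or 'view-logs:web,api'.
     */
    public function handle(Request $request, Closure $next, string ...$guards)
    {
        // No parameter given: fall back to the application's default guard.
        $guards = $guards ?: [config('auth.defaults.guard')];

        foreach ($guards as $guard) {
            // check() makes this specific guard try to authenticate the request
            // (session cookie, bearer token, ...) instead of the default guard.
            if (! Auth::guard($guard)->check()) {
                continue;
            }

            // Keep Auth::user() and $request->user() consistent downstream.
            Auth::shouldUse($guard);

            // Authenticated but lacking the role is a 403, not a 401.
            // hasRole() is an assumption about the user model.
            abort_unless(Auth::guard($guard)->user()->hasRole('admin'), 403, 'Forbidden');

            return $next($request);
        }

        // None of the listed guards could authenticate the request.
        abort(401, 'Unauthenticated');
    }
}
```

A guard can only authenticate what the request actually carries, so a token-based guard still returns 401 here when the request is sent without its token.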