I installed Log Viewer in my Laravel 11 project, and it works like a charm. But I want to limit who has access to the Log Viewer in production.
So I created a middleware:
```php
<?php
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class ViewLogs
{
    public function handle(Request $request, Closure $next)
    {
        if (Auth::check() && Auth::user()->hasRole('admin')) {
            return $next($request);
        }
        abort(401, 'Unauthorised');
    }
}
```
I added the following to the $middlewareAliases array in app\Http\Kernel.php:
```php
'view-logs' => \App\Http\Middleware\ViewLogs::class,
```
And I added the middleware to the Log Viewer config:
```php
/*
|--------------------------------------------------------------------------
| Log Viewer route middleware.
|--------------------------------------------------------------------------
| Optional middleware to use when loading the initial Log Viewer page.
|
*/
'middleware' => [
    'web',
    'view-logs',
    \Opcodes\LogViewer\Http\Middleware\AuthorizeLogViewer::class,
],
```
If I try to debug Auth::check(), it always returns false.
For information, I use Laravel Passport in my project.
Thanks in advance for your help!
asked Mar 11 at 8:30 by Zekura

1 Answer
The problem is your middleware is called before authorisation:
```php
Route::get('/log'...)->middleware('view-logs');
```
will not work, while this will
```php
Route::group(['middleware' => ['auth:api']], function () {
    Route::get('/log'...)->middleware('view-logs');
});
```
Why does it work?
With the auth:api or even the auth middleware the logged-in user appears, while without this middleware you don't have a logged-in user, and checking Auth::check() will always be false. That is expected behaviour.
Can it be done even better?
Yes, if you are using spatie/laravel-permissions, and ->hasRole() makes me think you are. Then you can get rid of the self-written middleware and use this.
```php
Route::get('/log...', [...Controller::class, 'index'])->middleware('role:admin');
```
Auth::guard('api') instead of just Auth – Hoang, commented Mar 11 at 8:57
Auth::guard('api') but it returns false – Zekura, commented Mar 11 at 9:00
LOG_VIEWER_API_STATEFUL_DOMAINS. You should also add your middleware to the config api_middleware and check the API request to see whether the token is being sent or not – Hoang, commented Mar 13 at 3:22