Folders API returns a 403 Unauthorized when accessed using the "viewLogViewer" Gate (User null)
denistorresan opened this issue · 2 comments
Hello,
I found a problem related to an API call when APP_ENV = production.
I configured Auth in this way:
- On AppServiceProvider.php I added the following code:
```php
use App\Models\User; // adjust to your application's User model namespace
use Illuminate\Support\Facades\Gate;

public function boot(): void
{
    Gate::define('viewLogViewer', function (?User $user) {
        var_dump($user); // <-- this is null only when called from the /api/folders AJAX call.
        return $user && $user->hasRole('administrator');
    });
}
```
This works great when I try to access the /log-viewer routes, but there are some AJAX calls inside this page, like "/api/folders?direction=desc", that fail with 403 Unauthorized because $user is null.
The log-viewer.php configuration for middleware is the default:
```php
'middleware' => [
    'web',
    \Opcodes\LogViewer\Http\Middleware\AuthorizeLogViewer::class,
],

/*
|--------------------------------------------------------------------------
| Log Viewer API middleware.
|--------------------------------------------------------------------------
| Optional middleware to use on every API request. The same API is also
| used from within the Log Viewer user interface.
|
*/
'api_middleware' => [
    \Opcodes\LogViewer\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
    \Opcodes\LogViewer\Http\Middleware\AuthorizeLogViewer::class,
],
```
In the following screenshot I'm able to reach the log-viewer page, but the AJAX call fails.
Hey @denistorresan, make sure your `APP_URL` matches the domain:port that you're browsing. From the screenshot I can see it's `localhost:8100`, so make sure that's the value of `APP_URL`.

Alternatively, you can also set the `LOG_VIEWER_API_STATEFUL_DOMAINS` environment variable with a comma-separated list of allowed domains (with ports if other than 80/443). For example:

```
LOG_VIEWER_API_STATEFUL_DOMAINS=localhost:8100,localhost,localhost:8080,myapp.test
```
Just FYI, I have added the above to the docs as well; hopefully it will help newcomers when setting up Log Viewer to be used in production or any non-standard local setup:
https://log-viewer.opcodes.io/docs/3.x/configuration/route-and-domain#production-domains
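To make the answer above concrete, here is an added example (not Log Viewer's or Sanctum's own code) of how a stateful-frontend check of this kind decides whether an API request is a first-party browser request that may use the session; the function names and the exact-match rule on `host[:port]` are simplifying assumptions about the real middleware.

```php
<?php
// Added example: models a stateful-frontend check. Assumptions (not taken
// from the project): the Referer/Origin host[:port] must exactly match one
// configured stateful domain, and APP_URL's host[:port] is always included.

/**
 * Build the stateful domain list from APP_URL plus an optional
 * comma-separated LOG_VIEWER_API_STATEFUL_DOMAINS value.
 *
 * @return string[]
 */
function statefulDomains(string $appUrl, ?string $extra = null): array
{
    $domains = [];
    $parts = parse_url($appUrl);
    if ($parts !== false && isset($parts['host'])) {
        // Keep the port: "localhost" and "localhost:8100" are different origins.
        $domains[] = isset($parts['port'])
            ? $parts['host'] . ':' . $parts['port']
            : $parts['host'];
    }
    foreach (explode(',', (string) $extra) as $domain) {
        $domain = trim($domain);
        if ($domain !== '') {
            $domains[] = $domain;
        }
    }
    return array_values(array_unique($domains));
}

/**
 * True when the request's Referer (or Origin) points at a configured
 * first-party frontend, so session authentication should be applied.
 */
function isFromStatefulFrontend(?string $referer, array $statefulDomains): bool
{
    if ($referer === null || $referer === '') {
        return false; // no referer: treat as a stateless API client
    }
    // Reduce "http://localhost:8100/log-viewer" to "localhost:8100".
    $host = strtok(preg_replace('#^https?://#i', '', $referer), '/');
    return $host !== false && in_array($host, $statefulDomains, true);
}

// Constructed requests mirroring the issue: the browser is on localhost:8100.
$referer = 'http://localhost:8100/log-viewer';
$misconfigured = statefulDomains('http://localhost');                // port missing
$fixed = statefulDomains('http://localhost', 'localhost:8100,myapp.test');
echo 'APP_URL only:   ', isFromStatefulFrontend($referer, $misconfigured) ? 'stateful' : 'stateless', PHP_EOL;
echo 'with env list:  ', isFromStatefulFrontend($referer, $fixed) ? 'stateful' : 'stateless', PHP_EOL;
```

When the request is classified as stateless, no session is loaded, so a gate closure declared with `?User $user` receives null and returns 403, which matches the behaviour reported above.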