Currently if you set the enable-existing-media config value to true the following endpoint is open for everyone without authentication:
https://your-laravel-app.test/nova-vendor/ebess/advanced-nova-media-library/media
This endpoint exposes all images in your application. Of course this should not happen and is a security risk.
This happens because sadly Laravel Nova does not protect API routes with the Laravel\Nova\Http\Middleware\Authenticate middleware by default. Reference: https://github.com/laravel/nova-issues/discussions/5496
This PR adds the Nova authenticate middleware so the API routes are only accessible by Nova authenticated users.
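
To illustrate the change described above, here is an added sketch (not the PR's actual diff and not the package's own code) of a Nova package service provider that registers the media route with and without the Nova authenticate middleware. The provider class name, its namespace and the closure route handler are hypothetical; the `nova` middleware group is assumed to be the one Nova registers from the `nova.middleware` config.

```php
<?php

namespace App\Providers; // hypothetical namespace for this sketch

use Illuminate\Support\Facades\Route;
use Illuminate\Support\ServiceProvider;
use Laravel\Nova\Http\Middleware\Authenticate;

// Hypothetical provider name; the real package has its own provider.
class ExampleMediaFieldServiceProvider extends ServiceProvider
{
    // URL prefix taken from the endpoint quoted in the PR description.
    private const PREFIX = 'nova-vendor/ebess/advanced-nova-media-library';

    public function boot(): void
    {
        if ($this->app->routesAreCached()) {
            return;
        }

        // Unprotected form (the behaviour the PR describes): Nova adds no
        // authentication to package API routes on its own, so a registration
        // like this one answers any anonymous request.
        //
        // Route::prefix(self::PREFIX)->group(function () {
        //     Route::get('/media', fn () => response()->json([]));
        // });

        // Protected form: the Nova middleware group plus Nova's Authenticate
        // middleware, so only users signed in to Nova reach the handler.
        Route::middleware(['nova', Authenticate::class])
            ->prefix(self::PREFIX)
            ->group(function () {
                // Placeholder handler (constructed for this example); the
                // real endpoint returns the existing media items.
                Route::get('/media', fn () => response()->json([]));
            });
    }
}
```

After a change like this, `php artisan route:list --path=nova-vendor -v` should show the authenticate middleware on the media route, and a request sent without a Nova session should no longer return the media list.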