opcodesio / log-viewer

Fast and beautiful Log Viewer for Laravel
https://log-viewer.opcodes.io
MIT License

Folders API return a 403 unauthorized when accessing using "viewLogViewer" Gate (User null) #366

Closed denistorresan closed 4 months ago

denistorresan commented 5 months ago

Hello, I found a problem related to an API call when APP_ENV = production. I configured Auth in this way:

1) On AppServiceProvider.php I added the following code:

    use App\Models\User;
    use Illuminate\Support\Facades\Gate;

    public function boot(): void
    {
        Gate::define('viewLogViewer', function (?User $user) {
            var_dump($user);  // <-- this is null only when called from the /api/folders AJAX call.

            return $user && $user->hasRole('administrator');
        });
    }

This works great when I try to access the /log-viewer routes, but there are some AJAX calls inside this page, like "/api/folders?direction=desc", that return a 403 unauthorized because $user is null.

The log-viewer.php configuration for middleware is the default:

    'middleware' => [
        'web',
        \Opcodes\LogViewer\Http\Middleware\AuthorizeLogViewer::class,
    ],

    /*
    |--------------------------------------------------------------------------
    | Log Viewer API middleware.
    |--------------------------------------------------------------------------
    | Optional middleware to use on every API request. The same API is also
    | used from within the Log Viewer user interface.
    |
    */

    'api_middleware' => [
        \Opcodes\LogViewer\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
        \Opcodes\LogViewer\Http\Middleware\AuthorizeLogViewer::class,
    ],

In the following screenshot I'm able to reach the log-viewer page, but the AJAX call fails.

[screenshot: 2024-04-24_12h40_49]

arukompas commented 5 months ago

hey @denistorresan, make sure your APP_URL matches the domain:port that you're browsing. From the screenshot I can see it's localhost:8100, so make sure that's the value of APP_URL.

Alternatively, you can also set LOG_VIEWER_API_STATEFUL_DOMAINS environment variable with a comma-separated list of allowed domains (with ports if other than 80/443). For example:

LOG_VIEWER_API_STATEFUL_DOMAINS=localhost:8100,localhost,localhost:8080,myapp.test
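
To make the cause of the null user concrete, here is an added, stand-alone PHP sketch (not the package's or Sanctum's own code) of the host check a Sanctum-style EnsureFrontendRequestsAreStateful middleware performs: the request's Referer/Origin host is matched against the stateful domain list, and only a match starts the session so the Gate closure receives a user. The way the list is built from APP_URL and LOG_VIEWER_API_STATEFUL_DOMAINS, and the sample request, are assumptions constructed for illustration.

```php
<?php
// Added illustration, not the package's middleware: a simplified model of the
// "is this request from a stateful first-party frontend?" decision.
// Assumption: the stateful list is the APP_URL host (with port) plus the
// comma-separated LOG_VIEWER_API_STATEFUL_DOMAINS entries.
function statefulDomains(string $appUrl, string $extraDomains = ''): array
{
    $domains = [];
    $parts = parse_url($appUrl);
    if (!empty($parts['host'])) {
        $domains[] = $parts['host'] . (isset($parts['port']) ? ':' . $parts['port'] : '');
    }
    foreach (explode(',', $extraDomains) as $d) {
        $d = trim($d);
        if ($d !== '') { $domains[] = $d; }
    }
    return array_values(array_unique($domains));
}

// True when the Referer (or Origin) header points at one of the stateful domains.
function isFromStatefulFrontend(array $headers, array $stateful): bool
{
    $origin = $headers['referer'] ?? $headers['origin'] ?? null;
    if ($origin === null) {
        return false; // nothing to compare against: treat the request as stateless
    }
    $origin = preg_replace('#^https?://#i', '', $origin);
    $origin = rtrim($origin, '/') . '/'; // normalised so a "host/*" pattern can match
    foreach ($stateful as $domain) {
        // The port is part of the host string, so "localhost/*" matches "localhost/..."
        // but not "localhost:8100/..."; only an entry that carries the port does.
        if (fnmatch(trim($domain) . '/*', $origin)) {
            return true;
        }
    }
    return false;
}

// Constructed sample: the /api/folders AJAX call issued from the Log Viewer page at localhost:8100.
$ajax = ['referer' => 'http://localhost:8100/log-viewer'];

// APP_URL left at a bare http://localhost: the port does not match, the request is treated
// as stateless, no session is started and the Gate closure gets a null user, hence the 403.
var_dump(isFromStatefulFrontend($ajax, statefulDomains('http://localhost')));

// Either fix from the reply above: a matching APP_URL, or listing the host:port explicitly.
var_dump(isFromStatefulFrontend($ajax, statefulDomains('http://localhost:8100')));
var_dump(isFromStatefulFrontend($ajax, statefulDomains('http://localhost', 'localhost:8100,myapp.test')));
```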

arukompas commented 4 months ago

Just FYI, I have added the above to the docs as well; hopefully it will help newcomers when setting up Log Viewer to be used in production or any non-standard local setup:

https://log-viewer.opcodes.io/docs/3.x/configuration/route-and-domain#production-domains