orchidsoftware / platform

Orchid is a @laravel package that allows for rapid application development of back-office applications, admin/user panels, and dashboards.
https://orchid.software
MIT License

Fetch Requests in Laravel Orchid Package Not Using HTTPS in Production #2690

Closed kevlongalloway closed 10 months ago

kevlongalloway commented 11 months ago

Description

In my production environment, I am encountering an issue with the Laravel Orchid package where the orchid.js file is making fetch requests using HTTP instead of HTTPS. This is causing access control errors in the browser due to mixed content, resulting in the inability to load resources securely.

Expected Behavior

Fetch requests made by the orchid.js file should use HTTPS protocol in a production environment to ensure secure communication between the client and the server.

Actual Behavior

Currently, the fetch requests initiated by the perform() function in the orchid.js file are using HTTP protocol, leading to mixed content errors and access control checks.

Steps to Reproduce

Deploy a Laravel Orchid application in a production environment with HTTPS enabled. Observe the network requests made by the orchid.js file and notice that they are using HTTP instead of HTTPS.

orchid.js

async perform() {
    // ... existing code ...

    try {
        this.delegate.requestStarted(this);
        const e = await fetch(this.url.href, t); // This line is making requests using HTTP
        return await this.receive(e);
    } catch (t) {
        // ... error handling ...
    } finally {
        this.delegate.requestFinished(this);
    }
}

Additional Information

Laravel Orchid version: 14.8
Laravel version: 10.2
PHP version: 8.1.6
Browser: Chrome
Operating System: Mac OS

Proposed Solution

The fetch requests initiated by the perform() function in the orchid.js file should be updated to use HTTPS protocol when making requests in a production environment. This will ensure secure communication and avoid mixed content errors.

Impact

This problem is resulting in access control errors and hindering the smooth operation of the application within a production environment that employs HTTPS. I am currently facing this issue specifically on the login page, where clicking the login button leads to a prolonged loading state and triggers an error message in the console. Interestingly, if I manually navigate to the "/admin" URL, I am able to successfully log in. Given these circumstances, it is imperative to rectify this matter promptly to uphold the security and dependability of the application.

Filipponik commented 10 months ago

Same problem. I used \Illuminate\Support\Facades\URL::forceScheme('https'), but redirects are still not working correctly.

tabuna commented 10 months ago

The issue you are facing is not directly related to the Laravel Orchid package itself but rather the configuration of your web server. Laravel relies on the Symfony routing package, which determines whether to use HTTP or HTTPS based on the global variable $_SERVER['HTTPS'].

To resolve this issue, you need to ensure that your web server correctly sets the value of $_SERVER['HTTPS'] to 'on' when serving the Laravel application. This configuration ensures that Laravel uses HTTPS for its requests.

As the author of the Laravel Orchid package, I cannot directly affect your environment or make changes to your web server configuration. This issue can be resolved by correctly configuring your web server to serve the Laravel application using HTTPS.

Duplicate:
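
The condition discussed in this thread, a page served over HTTPS whose server-generated URLs still carry http:, can be confirmed from the client side before touching the web server configuration. The following is an added example, not code from Orchid or from any commenter; the function name findSchemeDowngrades and the admin.example.test URLs are constructed for illustration.

```javascript
// Added example (hypothetical helper, not part of orchid.js).
// Given the URL of the current page and the raw URL strings found in the
// server-rendered markup (form actions, link hrefs), report the ones that
// resolve to http: while the page itself is https:. Those are the requests
// a browser treats as mixed content.
function findSchemeDowngrades(pageHref, targets) {
  const page = new URL(pageHref);
  const findings = [];
  for (const raw of targets) {
    let resolved;
    try {
      // Relative paths and protocol-relative (//host/...) URLs inherit
      // the page scheme, so only absolute http: URLs can downgrade.
      resolved = new URL(raw, page);
    } catch {
      findings.push({ raw, problem: 'unparseable' });
      continue;
    }
    if (page.protocol !== 'https:' || resolved.protocol !== 'http:') continue;
    findings.push({
      raw,
      // Same host with http: means the application generated the URL
      // believing the request was not secure.
      problem: resolved.host === page.host ? 'same-host-http' : 'cross-host-http',
      suggested: 'https:' + resolved.href.slice('http:'.length),
    });
  }
  return findings;
}

// Constructed sample input: a login page served over HTTPS.
const samplePage = 'https://admin.example.test/admin/login';
const sampleTargets = [
  'http://admin.example.test/admin/login', // absolute URL emitted with http:
  '/admin/dashboard',                      // relative, inherits https:
  '//admin.example.test/admin/profile',    // protocol-relative, inherits https:
  'https://admin.example.test/admin/ok',   // already https:
  'http://cdn.example.test/app.js',        // different host over http:
];

console.log(findSchemeDowngrades(samplePage, sampleTargets));
```

In a browser console the target list can be collected with `Array.from(document.forms, f => f.getAttribute('action'))`. A `same-host-http` finding means the URL was already wrong in the markup the server rendered.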

upsmod commented 9 months ago

https://stackoverflow.com/a/62111949/2420984 That works fine!