Laravel 5.7 signed route returns 403 invalid signature


Problem description

I'm trying to take advantage of the new signed middleware in Laravel 5.7, but for some reason the generated signed URL is returning 403 Invalid Signature.

I'm using the latest Laravel Version, with PHP 7.2

This is my web.php route:

Route::get('/report/{user}/{client}', function ($user, $client) {
    return ("El usuario es: $user y el cliente es: $client");
})->name('report.client')->middleware('signed');

This is in my controller:

$objDemo->tempURL = Url::temporarySignedRoute('report.client', now('America/Panama')->addDays(5), [
            'user' => 1,
            'client' => 1
        ]);

The URL is generated and shows something like this:

https://example.com/report/1/1?expires=1545440368&signature=55ad67fa049a74fe8e123c664e50f53564b76154e2dd805c5927125f63c390a1

But when I click the link the result is a 403 with the message: "Invalid signature"

Any ideas? Thanks in advance

-----------UPDATE------------

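Things I've already done:

  1. Tried an unsigned route, and it works fine
  2. Tried a route without parameters and only signed
  3. Tried a route without the temporary setting and only signed
  4. Set Cloudflare's IPs as trusted proxies
  5. Disabled HTTPS, enabled HTTPS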

Nothing seems to work, always getting the 403 invalid signature page

-----------UPDATE 2------------

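OK, so after some digging and testing, I found out that Laravel signed routes won't work if the user is logged in. This is weird: if I log out, the route works perfectly, but if I log in, it shows the 403 error. Might this be because Laravel adds the session cookie header after everything else, and so the signed route fails because of it? Is this the way it should be?

It's weird, because I want to create a temporary link for my users to download something, and if they are logged into my Laravel app they will get this 403 error message... :(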

------------UPDATE 3------------------

I tried in a fresh installation of Laravel and it worked perfectly, so it's something from my main Laravel app. I also tried to install every Composer dependency into the fresh installation of Laravel, and it still worked perfectly no matter the user login status, so it's not a conflict with my dependencies.

Recommended answer

After debugging UrlGenerator::hasValidSignature(), I ended up dd()-ing the variables inside UrlGenerator.php like this:

public function hasValidSignature(Request $request, $absolute = true)
    {
        $url = $absolute ? $request->url() : '/'.$request->path();

        //dd($url);

        $original = rtrim($url.'?'.Arr::query(
            Arr::except($request->query(), 'signature')
        ), '?');

        dd($original);
        $expires = Arr::get($request->query(), 'expires');

        $signature = hash_hmac('sha256', $original, call_user_func($this->keyResolver));

        return  hash_equals($signature, (string) $request->query('signature', '')) &&
               ! ($expires && Carbon::now()->getTimestamp() > $expires);
    }

The $original variable showed me what was actually happening with my URL, and showed this:

https://example.com/report/1/1?expires=1546586977&settings%5Bincrementing%5D=1&settings%5Bexists%5D=1&settings%5BwasRecentlyCreated%5D=0&settings%5Btimestamps%5D=1&profile%5Bincrementing%5D=1&profile%5Bexists%5D=1&profile%5BwasRecentlyCreated%5D=0&profile%5Btimestamps%5D=1&user%5Bincrementing%5D=1&user%5Bexists%5D=1&user%5BwasRecentlyCreated%5D=0&user%5Btimestamps%5D=1

As you can see, there are parameters after the expires parameter. Those parameters were added after the route creation, and that was the problem. This happened because I had a middleware sharing some information to the views like this:

UserDataMiddleware.php

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;
use App\User;
use App\Setting;
use App\UserProfile;
use Illuminate\Support\Facades\View;

class UserData
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {

        if (Auth::check()) {
            $settings = Setting::where('user_id', Auth::user()->id)->first();
            $profile = UserProfile::where('user_id', Auth::id())->first();
            $user = Auth::user();

            View::share('settings', $settings); //Another way to share variables, with the View::share
            View::share('profile', $profile);

            //Now we need to share our variables through the REQUEST to our controllers
            $request->merge([
                'settings' => $settings,
                'profile' => $profile,
                'user' => $user
            ]);


        }
        return $next($request);
    }
}

This middleware was inside the middleware groups, so that was the problem. Hopefully, if someone in the future experiences this, they can check that first.
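
The failure described in this answer, reduced to plain PHP as an added example (not code from the original post or from Laravel). It uses the same canonical form as the hasValidSignature() shown above; the key, URL values and function names are constructed or hypothetical.

```php
<?php
// Added illustration in plain PHP (no framework). Key, URL and parameter
// values are constructed; function names are hypothetical.

const APP_KEY = 'constructed-demo-key';

// Same canonical form as the page's hasValidSignature(): base URL plus every
// query parameter except "signature", with a trailing "?" trimmed.
function canonical(string $url, array $query): string
{
    unset($query['signature']);
    return rtrim($url . '?' . http_build_query($query, '', '&', PHP_QUERY_RFC3986), '?');
}

// Generation side: HMAC over the canonical string, appended as "signature".
function sign(string $url, array $query): array
{
    $query['signature'] = hash_hmac('sha256', canonical($url, $query), APP_KEY);
    return $query;
}

// Verification side: recompute over whatever the query bag holds *now*.
function verify(string $url, array $query, int $now): bool
{
    $expected = hash_hmac('sha256', canonical($url, $query), APP_KEY);
    $expires  = $query['expires'] ?? null;
    return hash_equals($expected, (string) ($query['signature'] ?? ''))
        && !($expires && $now > $expires);
}

$url    = 'https://example.com/report/1/1';
$now    = 1546000000;                        // constructed "current" time
$signed = sign($url, ['expires' => 1546586977]);

// Case 1: query bag exactly as generated.
var_dump(verify($url, $signed, $now));

// Case 2: a middleware merged extra input before the check (arrays stand in
// for the serialized models visible in the dumped $original).
$polluted = $signed + ['settings' => ['exists' => 1], 'user' => ['exists' => 1]];
var_dump(verify($url, $polluted, $now));

// Case 3: untouched query bag, but checked after the expiry timestamp.
var_dump(verify($url, $signed, 1546586978));
```

Only the first case verifies; the second is the 403 from the question. On a GET request, merge() writes into the same query bag that the signature check reads, whereas per-request context stored in `$request->attributes` stays out of the signed input.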
