framework: Laravel generating two different Signatures and causing a 403.

  • Laravel Version: 5.7.*
  • PHP Version: 7.2
  • Database Driver & Version: NA

Description:

I am generating a URL for someone to use to quickly access a page, but every time I generate a SignedRoute and navigate to it I get a 403 Invalid Signature

I’ve checked this by dumping out the variables within UrlGenerator

"5958bba0a1843035a7514bdb12240f5d87ad1414d2c18f8676d867116b1945cc" (original) "0a62b4e9bee046c02c07136c10b5e1e1924b2ede7034c65966ff5103d507f5e9" (generated 2nd)

TargetURL: http://psgateway.eu.ngrok.io/autologin?cart=34&user=2

I’ve got nothing in place to modify the URL and I’m using a base install of Valet to serve the site, would anyone be able to provide some assistance with this? (i can’t find anything referencing this issue on google, and larachat on slack is very slim on knowledge with SignedRoutes.)

About this issue

  • Original URL
  • State: closed
  • Created 6 years ago
  • Comments: 24 (10 by maintainers)

Commits related to this issue

Most upvoted comments

Ok I think I’ve finally solved this issue, its related to the UrlGenerator. it seems that the $request->url() function doesnt respect https and will return a http based url. I would probably put forward a a change to use url()->current() to get the url that way which does enforce the protocol that is being passed through.

public function hasValidSignature(Request $request, $absolute = true)
  {

      $url = $absolute ? url()->current() : '/'.$request->path();

      $original = rtrim($url.'?'.Arr::query(
          Arr::except($request->query(), 'signature')
      ), '?');

      $expires = $request->query('expires');

      $signature = hash_hmac('sha256', $original, call_user_func($this->keyResolver));

      return  hash_equals($signature, (string) $request->query('signature', '')) &&
             ! ($expires && Carbon::now()->getTimestamp() > $expires);
  }
+2
agentmarine on Feb 27, 2019

Have you tried disabling the URL::forceScheme('https'); and using APP_URL=http://psgateway.eu.ngrok.io ?

+1
driesvints on Dec 13, 2018
Read more comments on GitHub
← framework: Laravel 6.3 Action Facade\Ignition\Http\Controllers\ShareReportController not defined
framework: laravel PDO invalid attribute exception with PHP 8.2.9/8.1.22 →