Is Laravel invisible-recaptcha safe?

In a Laravel 7 / Blade app using "albertcht/invisible-recaptcha": "^1.9"
I added the rule
'g-recaptcha-response' => 'required|captcha'
to pages with common access, such as login, register, contact_us,
and added the captcha in the form definition of all these forms, like:
<form method="POST" action="{{ route('login') }}" aria-label="{{ __('Login') }}">
{{ csrf_field() }}
@captcha('en')
Can I consider all these pages safe from external attacks?
Do I have to take some additional steps? If yes, which?
Thanks!

All captchas will protect your forms only from spam attacks.
There are also many other ways of attacking, for which you may want to consider other methods of protecting your forms.
But a captcha (even invisible-recaptcha) will protect your forms from spammers.

Related

Difference b/w method="POST" and @method('PUT') in Laravel

I am using a form with the attribute method="POST" to update a record in Laravel. But updating the record is not working. After putting @method('PUT') inside the form, the record update works fine.
I just want to know about @method('PUT') and when to use it in a form of a Laravel application.
Not Working
<form action="{{ route('student.update',$studentData->id) }}" method="POST">
...
</form>
Working Fine
<form action="{{ route('student.update',$studentData->id) }}" method="POST">
@csrf
@method('PUT')
...
</form>
The use of @method(...) is called form method spoofing in Laravel and is a requirement because HTML forms do not support PUT, PATCH or DELETE for the method attribute.
The value of the @method is sent as part of the form request and used by Laravel to determine how to process the form submission.
What does your web.php file look like?
If you're using Route::resource('student', SomeController::class)
POST method will hit your student.create route, while PUT will hit your student.update route.
You can check your routes and their respective methods in detail by running php artisan route:list in your console.
See, if you are using resource routes for CRUD operations then they will include GET, POST, PUT and DELETE methods. So when you are inserting data for the first time using a form, you will use the POST method, and when you are doing an update operation you have to use @method('put'), because the resource route will support only the put method. You can update using POST also, but you have to make a separate route for that, like we make a general post route Route::post(...)
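The resolution rule behind method spoofing, as an added example in plain PHP (not Laravel's or Symfony's own code): Laravel asks Symfony's Request::getMethod(), which honours the `_method` field (or the X-HTTP-METHOD-OVERRIDE header) only when the real HTTP method is POST. The function below reproduces that rule; the form bodies are constructed sample input.

```php
<?php
// Added example (plain PHP, not framework code): how the spoofed verb is
// resolved. @method('PUT') renders <input type="hidden" name="_method"
// value="PUT">, so the browser still sends a POST; the framework then
// rewrites the verb from the body. Because the override is only read on a
// real POST, a `?_method=DELETE` query string on a GET link changes nothing.

declare(strict_types=1);

const KNOWN_METHODS = ['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'PATCH', 'PURGE', 'TRACE'];

/**
 * @param array<string,string> $server subset of $_SERVER
 * @param array<string,string> $post   parsed form body ($_POST)
 */
function resolveMethod(array $server, array $post): string
{
    $real = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if ($real !== 'POST') {
        return $real;                  // spoofing is never applied to non-POST
    }
    $override = $server['HTTP_X_HTTP_METHOD_OVERRIDE'] ?? $post['_method'] ?? null;
    if ($override === null) {
        return 'POST';                 // plain POST form: the store route
    }
    $override = strtoupper(trim($override));
    // Symfony accepts the standard verbs (plus any other all-caps token) and
    // rejects the rest; this simplified copy falls back to plain POST instead.
    return in_array($override, KNOWN_METHODS, true) ? $override : 'POST';
}

// Constructed request bodies for the two forms in the question: @csrf adds
// the _token field, @method('PUT') adds the _method field.
$workingForm    = ['_token' => 'constructed-token', '_method' => 'PUT', 'name' => 'Alice'];
$notWorkingForm = ['_token' => 'constructed-token', 'name' => 'Alice'];

echo resolveMethod(['REQUEST_METHOD' => 'POST'], $workingForm), PHP_EOL;    // routed as the update verb
echo resolveMethod(['REQUEST_METHOD' => 'POST'], $notWorkingForm), PHP_EOL; // routed as a plain POST
echo resolveMethod(['REQUEST_METHOD' => 'GET'], ['_method' => 'DELETE']), PHP_EOL; // override ignored
```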

How to integrate Spatie's laravel-permission with JetStream properly?

I have a nicely working basic install of Laravel JetStream and Spatie's laravel-permission in Laravel 8.
I can assign a role to the user during registration via
$user->assignRole('visitor');
return $user;
and can restrict the available menu items on the user's dashboard through the permissions I have assigned to the role in my seeder file's run method:
Permission::create(['name' => 'access profile']);
Permission::create(['name' => 'access logout']);
$visitor = Role::create(['name' => 'visitor']);
$visitor->givePermissionTo('access profile');
and through the can directive in the view, like:
@can('access profile')
<!-- Account Management -->
<div class="block px-4 py-2 text-xs text-gray-400">
{{ __('Manage Account') }}
</div>
<x-jet-dropdown-link href="{{ route('profile.show') }}">
{{ __('Profile') }}
</x-jet-dropdown-link>
@endcan
So by that, I can hide the menu item as per role but unfortunately, I can still access the functionality directly, by knowing the exact URL.
I guess I have to write a middleware to restrict access to certain functions, but how exactly?
What is the proper and accepted way to handle this problem in this stack?
Thanks!
Armand
So everything seems fine BUT (!)
How is it possible to forbid direct access to the hidden items? I guess in this case routes are controlled by sanctum, while roles and permissions are by Spatie's package.
Is it possible to link the two?
Thanks!
Did you try this? It seems like they added exactly the same for Spatie. Nevertheless I think you need to add a gate permission check like
abort_if(Gate::denies('permission'), Response::HTTP_FORBIDDEN, '403 Forbidden');
on every action.
I would see if you can utilize Laravel's built-in can middleware. Then you might be able to update your route definitions. Something like
Route::get('/profile', 'ProfileController@index')->middleware('can:access profile');
I haven't done this with the package you're using, but I think it should work if the other built-in functionality like blade @can works.
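The route-level enforcement the second answer points at, written out as an added example for a Laravel 8 / Jetstream app (not the poster's code or the package's): the `can` middleware consults the same Gate as the @can directive, and Spatie's package registers its permissions with that Gate, so the permission names from the seeder can be used directly. The controller class, the paths and the `auth:sanctum`/`verified` middleware names are assumptions about the app.

```php
<?php
// routes/web.php (added example). @can in the view only hides the link;
// the route itself has to be guarded too, otherwise the URL can be typed in
// directly. Laravel's built-in `can` middleware checks the Gate, which the
// Spatie package feeds with the permissions created in the seeder
// ('access profile', 'access logout'). Controller and paths are assumptions.

use App\Http\Controllers\ProfileController;
use Illuminate\Support\Facades\Route;

Route::middleware(['auth:sanctum', 'verified'])->group(function () {
    // Any authenticated, verified user reaches the dashboard.
    Route::view('/dashboard', 'dashboard')->name('dashboard');

    // Everything in this group answers 403 to a user whose role lacks the
    // 'access profile' permission, for the GET that shows the page and the
    // PUT that changes data alike, regardless of what the menu displayed.
    Route::middleware('can:access profile')->group(function () {
        Route::get('/profile', [ProfileController::class, 'show'])->name('profile.show');
        Route::put('/profile', [ProfileController::class, 'update'])->name('profile.update');
    });
});
```

Revoking the permission from the role (or the role from the user) now removes both the menu entry and access to the route, since both read the same Gate.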

Laravel 7 Auto logout when session expired

I would like to logout the page and redirected to the login page when the session expires in Laravel 7. Can any one please help me to do this? Thank you
This functionality is normally implemented in Laravel. You need a POST request to the '/logout' route (and therefore a csrf field in your request).
Usually you have in your blade a hidden form for that and a button or a link (it depends on what you use) that triggers the sending of the form (with javascript).
For example, in the basic template of laravel we have this:
The form that is hidden:
<form id="logout-form" action="{{ route('logout') }}" method="POST" style="display: none;">
@csrf
</form>
The link used here to allow the user to log out:
<a href="#" onclick="event.preventDefault(); document.querySelector('#logout-form').submit();">
{{ __('Logout') }}
</a>

laravel page expired after being idle for long time

I have a website, and users are complaining they get Page Expired after being idle, and if they refresh the website it is still showing Page Expired. I tried searching, and what I'm seeing is that Page Expired is because of the @csrf, but in my case I think that's not the problem.
It's working fine, but being idle for a long time is resulting in Page Expired
How can I prevent this?
Laravel version: 7.x
Server: Apache
EDIT:
Now I understand that if the user is idle for a long time, the session expires and Laravel logs out the user. But my logout is a POST method, as is the default in Laravel, and that's why it shows Page Expired because of the token from @csrf.
Logout:
<a class="dropdown-item" href="{{ route('logout') }}" onclick="event.preventDefault();
document.getElementById('logout-form').submit();">
{{ __('Logout') }}
</a>
<form id="logout-form" action="{{ route('logout') }}" method="POST" style="display: none;">
@csrf
</form>
First of all, make sure you put csrf_token in your form.
Then you can follow:
As far as I know, it is OK that Laravel does this after being inactive for a long time;
it is because of a security problem.
But if you don't want it for some routes, you can exclude your route (NOT RECOMMENDED DUE TO SECURITY) in:
app/Http/Middleware/VerifyCsrfToken.php:
protected $except = [
'your/route'
];
I didn't do it myself. Test it and see whether it works or not, but it should.

CSRF error in laravel

I have a problem in Laravel. When I submit a form with the post method over and over, sometimes I get an error and see an expiry error related to CSRF.
Does anybody know how I can handle this error so that it is not displayed on the site, and instead redirects to some other page?
Laravel makes it easy to protect your application from cross-site request forgery (CSRF).
Just add #csrf blade directive inside the form to avoid getting csrf token error.
<form method="POST" action="/profile">
@csrf
...
</form>
The directive puts something like this
<input type="hidden" name="_token" value="CzK6peomC6Pnnqdm4NsxpdGSH6v1evDnbN12oL" >
Read more about it in the laravel documentation here https://laravel.com/docs/5.6/csrf
Regarding the expiration of the token I think you might want to handle the error this way https://gist.github.com/jrmadsen67/bd0f9ad0ef1ed6bb594e
Also, there's a package which helps the forms keep awake.
https://github.com/GeneaLabs/laravel-caffeine
I hope that helps.
Laravel 5 using Blades templates, it's easy.
Add the csrf token in your blade file
{{ csrf_token() }}
If you are using Laravel 5.6 then you need to add something like this in the code of your form
@csrf
Check in detail about: CSRF Laravel
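Both this post and the "page expired" post above ask the same thing: keep the CSRF check, but replace the generic 419 page with something the user can act on. The exception handler override below is an added example for Laravel 7 (not from either post or the linked gist); the flash message texts and the `logout` path are assumptions.

```php
<?php
// app/Exceptions/Handler.php (added example for Laravel 7). VerifyCsrfToken
// throws TokenMismatchException on a stale or missing _token; Laravel's
// default handler turns that into the "419 Page Expired" screen. Handling it
// here changes only the response, not the check: $except in VerifyCsrfToken
// stays empty. Message texts and the 'logout' path are assumptions.

namespace App\Exceptions;

use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
use Illuminate\Session\TokenMismatchException;
use Throwable;

class Handler extends ExceptionHandler
{
    // Fields that must never be re-flashed into the session on redirect.
    protected $dontFlash = ['password', 'password_confirmation'];

    public function render($request, Throwable $exception)
    {
        if ($exception instanceof TokenMismatchException) {
            // The logout case from the "page expired" post: the session is
            // already gone, so the user is effectively logged out. Send them
            // to the login page instead of a dead-end 419.
            if ($request->is('logout') || ! auth()->check()) {
                return redirect()->route('login')
                    ->with('status', 'Your session has expired, please log in again.');
            }

            // Still authenticated (form left open, token rotated in another
            // tab): return to the form with the typed input preserved so the
            // user can resubmit with the fresh token rendered by @csrf.
            return redirect()->back()
                ->withInput($request->except($this->dontFlash))
                ->with('status', 'The form has expired, please submit it again.');
        }

        return parent::render($request, $exception);
    }
}
```

Because the check itself is untouched, a cross-site POST without a valid token still never reaches the controller; it only gets a friendlier redirect instead of the 419 page.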
