I've been trying to email users a verification link using signed URLs in Laravel. It seems to work okay, but the link comes out incorrect when it is built using the URL facade.
public function toMail($notifiable)
{
$url = URL::signedRoute('confirm', ['user' => $this->user->id]);
return (new MailMessage)
->subject('Activate your email address')
->line('In order to use the application, please verify your email address.')
->action('Activate your account', $url)
->line('Thank you for using our application!');
}
In the email, the link looks like:
http://localhost/mydomain.com/confirm/14?signature=3ba4d86827717440f70a3b2f60c913b6e84d550cb9fce8de04a8ba359833ac7c
The "localhost" part should not be there. However, if I manually delete it in the URL bar, I believe the signed URL things I manipulated the URL and gives me a 401 error. I am running on a localhost environment but I use Laragon's auto virtual host so that I can still run it with a domain.
Any suggestions?
Sometimes if you are working in virtual environments or docker container, just setting APP_URL won't work. Try the following steps.
Step 1: Set your domain in your .env file. (Don't forget the double quotes)
APP_URL="http://yourdomain.com"
Step 2: Add following line before generating your signed route
URL::forceRootUrl(\config('app.url'));
Step 3: (Optional) Add following line, if you want to force https scheme
URL::forceScheme('https');
Change:
APP_URL=example.com
To:
APP_URL=http://example.com
I guess not specifying "http://" makes it append localhost to the front. Hope this helps someone!
Related
My server uses SSL and thus all my routes/urls use https. I recently discovered a bug in Laravel 5.7 which was exposed when trying to use Email Verification, which does not work on a server with https. I wont go into the specifics of that problem as I have another question for that. I want to keep this simple.
I have the following settings in my .env file:
APP_USE_HTTPS=true
APP_URL=https://www.example.com
APP_ENV=production
And I have the following in the boot() method of the AppServiceProvider
if (env('APP_USE_HTTPS')) {
Log::info('AppServiceProvider: forcing URLs to use https');
URL::forceScheme('https');
}
And it may be overkill but to try to resolve the issue I also put the following code at the top of my web.php routes file"
if (env('APP_USE_HTTPS')) {
Log::info('Routes: forcing URLs to use https');
URL::forceScheme('https');
}
Route::get('/', 'PublicController#getHome');
Route::get('home', 'PublicController#getHome');
Then in my PublicController.getHome() method I put this code:
public function getHome()
{
$currentPath= Request::fullUrl();
Log::info($currentPath);
return view('public.home');
}
Now I go to my browser and enter this in the address bar:
https://www.example.com
And I get this in my log file:
AppServiceProvider: forcing URLs to use https
Routes: forcing URLs to use https
http://www.example.com
So as you can see from the last log message the fact that laravel always uses http instead of https is beginning to create issues. Starting with signed routes. I am trying to use the built-in Email Verification but the signature is being generated using https route and the email sent to user does have https in the url for going back to the same server. However the validation for the route is using http (even though https was used) so it generates a different signature and thus all verifications links fail with a 403 error.
Is there anything I am missing? I can't seem to find code that shows me how Laravel knows to use https or http or is it just hard coded for http?
Thanks for any help you can give me.
*** Update to show problem with Shaielndra Gupta answer ****
After implementing the middleware below is the code I used but as you will see the core problem exists in ALL methods dealing with url. So for example:
$request->secure()
returns false even when https was used. Then by calling:
redirect()->secure($request->getRequestUri());
does no good because that will cause the route to loop back into this method again which still returns false for secure(), basically creating an infinite loop (or infinite too many redirects)
class ForceHttpsProtocol {
public function handle($request, Closure $next) {
Log::info('request uri: '.$request->fullUrl());
Log::info('secure: '.($request->secure() ? 'yes' : 'no'));
if (!$request->secure() && env('APP_USE_HTTPS')) {
return redirect()->secure($request->getRequestUri());
}
return $next($request);
}
}
The log from the above code will produce the following when you make 1 attempt to go to any page even when using https://www.example.com
request uri: http://www.example.com
secure: no
request uri: http://www.example.com
secure: no
request uri: http://www.example.com
secure: no
request uri: http://www.example.com
secure: no
< over and over till page times out >
After much research I finally discovered what the issue is.
My live server is installed on an Amazon EC2 server which is behind a Load Balancer.
The load balancer is receiving the (https) request and handling all the SSL requirements and then forwarding the request to my website as http.
To fix this issue I had to install the fideloper/TrustedProxy package. This package allows my site to trust the proxy and get the valid headers for the request so it now knows the request was actually sent using https.
Laravel wrote an article which describes my condition exactly.
https://laravel-news.com/trusted-proxy
This is the package I installed:
https://github.com/fideloper/TrustedProxy
change in your config/session.php
'http_only' => true,
change it to
'http_only' => false,
or make a middlewere HttpsProtocol.php
namespace MyApp\Http\Middleware;
use Closure;
use Illuminate\Support\Facades\App;
class HttpsProtocol {
public function handle($request, Closure $next)
{
if (!$request->secure() && App::environment() === 'production')
{
return redirect()->secure($request->getRequestUri());
}
return $next($request);
}
}
Then, apply this middleware to every request adding setting the rule at Kernel.php file in protected $routeMiddleware array,
'https'=>App\Http\Middleware\HttpsProtocol::class
change This
APP_USE_HTTPS=true
APP_URL=https://www.example.com
to this
APP_URL=http://www.example.com
APP_USE_HTTPS=false
Because Laravel uses APP_URL to generate urls.
I implemented email verification in a Laravel 5.7 project I'm working on. I get the email, but whenever I click on the confirm button or even the url provided in the email, I get a 403 forbidden error.
I have searched for several solutions, but haven't been able to find one to this problem. The only reasonable pointers to this error is this github issue https://github.com/laravel/framework/issues/25716 which has been merged and closed by Taylor Otwell by still this problem persists.
Here's the email I get:
Here's the error it throws when I click on the button or the actionUrl at the email footer: and here's the url shown when the 403 page is displayed https://www.mywebsite.com/email/verify/1?expires=1540140119&signature=fd7dc72b05da6f387b2f52a27bceee533b2256436f211930c1319c7a544067da
Please help me. Thank you
Edits: This problem occurs only in production app. On local, this email verification works but throws 403 on production(live) server. My email service is mailgun, and I can access every other email contents relating to the app except completing email verification.
I need help please. Thanks in anticipation
One of the reasons that was in my case can be that you are already logged in with a normal verified user, and you have clicked on the verification email link. In that case it will shoot 403 . Which is not normal in my opinion, but whatever.
For me because manually create verification route. which in laravel 6.x or 7.x The route path for verifying emails has changed. from /email/verify/{id} to /email/verify/{id}/{hash} This probably only happens because I use the rules manually, and not Auth::routes(['verify' => true])
for more information laravel upgrade guide upgrade#email-verification-route-change
This typically occurs if your application is running behind some proxies and probably doesn't handle SSL termination itself.
The solution is to add
protected $proxies = '*';
to the TrustProxies middleware.
Reference: https://laracasts.com/discuss/channels/laravel/hitting-403-page-when-clicking-verify-link-in-email-using-new-laravel-verification-57?page=1
Turns out, this often happens when you have your laravel app running behind a proxy (apache, nginx etc.) We therefore end up replacing laravel's default 'signed' middleware with our own middleware that checks for https:// links. This StackOverFlow answer here was able to fix this problem for me:
Signed route for email verification does not pass signature validation
To use Laravel email verification you must first add the proper routes.
If you take a look at Illuminate/Routing/Router.php you'll see that by default the verify route is disabled.
if($options['verify'] ?? false)
{
$this->emailVerification();
}
To enable your verification routes add the following to your web.php
Auth::routes(['verify'=>true]);
Then run
php artisan route:list
to make sure that it's working.
Check the verify method inside the VerifiesEmails trait,
there they have:
if (! hash_equals((string) $request->route('hash'), sha1($request->user()->getEmailForVerification()))) {
throw new AuthorizationException;
}
I have dumped this variable $request->route('hash') and it was null, so I overrided it in the VerificationController:
/**
* Mark the authenticated user's email address as verified.
*
* #param \Illuminate\Http\Request $request
* #return \Illuminate\Http\Response
* #throws \Illuminate\Auth\Access\AuthorizationException
*/
public function verify(Request $request)
{
if (! hash_equals((string) $request->route('id'), (string) $request->user()->getKey())) {
throw new AuthorizationException;
}
if (! hash_equals((string) $request->query('hash'), sha1($request->user()->getEmailForVerification()))) {
throw new AuthorizationException;
}
if ($request->user()->hasVerifiedEmail()) {
return redirect($this->redirectPath());
}
if ($request->user()->markEmailAsVerified()) {
event(new Verified($request->user()));
}
return redirect($this->redirectPath())->with('verified', true);
}
And now it works!
The problem for me was my APP_URL had a protocol of http and when I clicked on the verification link NGINX automatically redirected the url from http to https that's why the signature validation failed. I updated the APP_URL to have a protocol of https and that resolved my problem.
My personal experience with this problem was that I set MAIL_DRIVER to log in the .env file, and Laravel escaped special characters (such as &) when it stored the activation link in the log.
So NEVER use the log for MAIL_DRIVER when you have verification email.
(my Laravel version was 5.8).
I want to edit my mail and change everything, if I want, as shown here.
Ive imported my file and created a test route to view the page:
use Illuminate\Mail\Markdown;
Route::get('/mail/html', function () {
$markdown = new Markdown(view(), config('mail.markdown'));
return $markdown->render('vendor.mail.html.message'); // or ..markdown.message
});
However, Im having variable errors for #slot. How to view my change/see what the mail looks like before sending? Another package for that?
Thanks
To preview your email in browser please add below code to route
Route::get('preview-notification', function () {
$markdown = new \Illuminate\Mail\Markdown(view(), config('mail.markdown'));
$data = "Your data to be use in blade file";
return $markdown->render("path-of-your-templete-blade-file", $data]);
});
and you will be access your templete using
http://your-application-url/preview-notification
This is the recommended way by the Laravel community
kunal has a nice quick solution and that's how I used to do it. But now I use mailtrap.io to test emails because it allows you to replicate the whole process of sending an email.
Create a (free) account with mailtrap.io.
Add your mailtrap username and password in .env file.
By the way, Laravel is already configured to use mailtrap by default, so it is their recommended way to test emails.
Watch how Jeffrey Ways does it in his lesson:
Laravel 5.4 From Scratch: Sending Email
https://laracasts.com/series/laravel-from-scratch-2017/episodes/26
If you want to test in locally. You can put echo command in blade file at end and put die; this way you can test.Suppose you have test-email.blade.php
test-email.blade.php // file name
This is tets mail
<?php echo "test"; die; ?>
Hope it helps!
Site use port 8080 on new server.
I need "site.com" => "site.com:8080"
How change base url in laravel for correct including css/js and redirects?
Ok, we tried many things.
It seems it's a bug or something. They have it since Laravel 4 and do not want to fix it:
https://github.com/laravel/framework/issues/1833
The only solutions I see here are:
1. To use standard port.
2. To generate URLs manually. For example:
// in controller
$baseUrl = 'http://'.$_SERVER['HTTP_HOST'].'/';
// in template
<link hre="{{ $baseUrl.'css/myStyleSheet.css' }}" ....>
Or you could set this variable in your top layout, so all inherited views have it.
I ended up adding the following line to boot() function of AppServiceProvider.php :
URL::forceRootUrl(env('APP_URL'));
You can also hardcode it there, but this way it uses the settings from .env file.
Warning: if the APP_URL is https, then I also needed to add the following line, or otherwise it would alter it to http (weird):
URL::forceScheme('https');
Is there any possibility to turn on and turn off Laravel 5 maintenance without php artisan up and down commands when my website is being hosted ?
What I've done:
Route::get('site/shutdown', function(){
return Artisan::call('down');
});
Route::get('site/live', function(){
return Artisan::call('up');
});
The first route is working fine. But when I call site/live the site still is shuted down. What can cause this problem ?
If your project is already down, you cannot call another function.
What happens after you run php artisan down is that it creates a file named down inside storage/framework. After running php artisan up the file is removed.
You can create the file manually inside storage/framework. It will down your project. When you want to take your project live again, just remove the file.
I think the right answer is missing here..
You could add your route to app/http/middleware/CheckForMaintenanceMode.php
protected $except = [
//here
];
So It never would be off.
when you run artisan down. site is not available so when try to call up, your IP can't access site.
you must call down with your IP exception.
php artisan down --allow=127.0.0.1 --allow=192.168.0.0/16
or add ::1 to local.
to make that in route without command
try to save this command in specific one and call it.
Laravel 8 introduced secret in maintenance mode, in which you can bypass the maintenance mode by providing a secret, then your Artisan::call would work.
You could add your routes to the $except var in CheckForMaintenanceMode middleware to bypass the check. Then your site/live route would work just fine.
In order to make your site live again using an url, you can create a live.php file which you put in laravel's public folder and then visit http://your.domain/live.php .
In the live.php file you need something like this: (check your projects directory structure if you don't use the default public folder!)
<?php
unlink(dirname(__FILE__) . "/../storage/framework/down");
header("Location: your.domain");
die;
just put
Artisan::call('up');
without route function.