Skip to content

Detect unauthorised endpoints in your Laravel application

License

Notifications You must be signed in to change notification settings

JurianArie/unauthorised-laravel-endpoints

Repository files navigation

Detecting unauthorized routes

CI

It's easy to forget authorization. This package is here to help you out!

Installation

You can install the package via composer:

composer require jurianarie/unauthorised-laravel-endpoints --dev

You can publish the config file with:

php artisan vendor:publish --tag="unauthorized-detection"

How it works

This package looks through all routes defined in your application and tries to find authorization checks.

There are a few build in checks:

  • Authorization via middleware
  • Authorization via FormRequests
  • Authorization via source code (This has some limitations.)

Usage

php artisan unauthorised-endpoints:detect

Or exclude vendor routes:

php artisan unauthorised-endpoints:detect --except-vendor

Tip: the same arguments are available as with route:list

Configuration

Specify authentication middleware

By default, only the auth middleware is checked. Routes without the specified middleware will be ignored.

'authentication-middleware' => [
    'auth:api', // Only check api.
],

Specify authorization middleware

Here you can specify the middleware that is used to authorize the routes.

'authorization-middleware' => [
    'your-custom-middleware',
],

Specify authorization methods

You can add regular expressions.

'authorization-methods' => [
    '/\$this->authorize\(\'(.*)\\)/',
    '/Gate::authorize\(\'(.*)\\)/',
],

Ignoring routes

You can ignore routes the same way as with Request::is() and Request::routeIs() https://laravel.com/docs/9.x/requests#inspecting-the-request-path.

Adding custom detection

You can add custom detection by adding a class that implements \JurianArie\UnauthorisedDetection\Detectors\DetectsAuthorization to the 'authorization-detectors' array in your config.

Limitations

You might get false positives if your authorization has to be detected in your source code.

  • Your action doesn't have any source code.
  • Your authorization happens further down in the call stack.
  • Your authorization uses structures such as abort_if($user->cannot(...), if ($user->cannot(...)) {...}

License

The MIT License (MIT). Please see License File for more information.

About

Detect unauthorised endpoints in your Laravel application

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages