Signed Routes fails if user is logged in

[NaturalDevCR]

• Laravel Version: 5.7.19
• PHP Version: 7.2
• Database Driver & Version: MariaDB latest

Description: Generated signed URL's fails to 403 (Invalid Signature)

Steps To Reproduce:

1. Login to your Laravel application with the default authentication from Laravel
2. Generate a signed url and set your route to use the "signed" middleware...
3. Go to the generated url while logged in, and you'll see the 403 error.
4. Logout from your Laravel application and try again the generated signed url, now it should work.

Doubts:

Is this how is supposed to work the signed routes? what if i want to generate a temporary signed url to share some content for a limited time to my users? should they logout in order to access to this url each time? or i'm i missing something?

---------UPDATE--------

Code:

web.php

Route::get('/report/{user}/{client}', function ($user, $client) {
    return ("The user is: $user and the client is: $client");
})->name('temp.report')->middleware('signed');

genTempUrlController.php

    public function tempURL()
    {
        $tempURL= Url::temporarySignedRoute('temp.report', now('America/Costa_Rica')->addMinutes(25), [
            'user' => 1,
            'client' => 1
        ]);
        return $tempURL;
    }

The URL is generated and shows something like this:

https://example.com/report/1/1?expires=1545440368&signature=55ad67fa049a74fe8e123c664e50f53564b76154e2dd805c5927125f63c390a1

If the user is logged in the result is a 403 Forbidden (Invalid Signature) page, otherwise if the user is logged out, then the link works fine.

[staudenmeir]

Please post your route and the code that generates the URL.

[NaturalDevCR]

@staudenmeir, i added the information to the issue now, thanks in advance!

[staudenmeir]

The user's login status shouldn't have any influence here.

Does it work with signedRoute() instead of temporarySignedRoute()?

Can you reproduce it on a fresh Laravel installation?

[NaturalDevCR]

The user's login status shouldn't have any influence here.

Does it work with signedRoute() instead of temporarySignedRoute()?

It happens the same way, and i already tried with 2 more installations of Laravel, i'll try with a fresh one, and see what happens

[NaturalDevCR]

Ok, is i tried with a fresh installation and you are right, the user's login status has no influence with the signedRoute.

But i tried to install each composer dependency one by one and test the route while logged in to see if it was a dependency conflict or similar, but that wasn't the issue.

well, i'm lost again, i'm not sure what could be the problem. :(

[staudenmeir]

Try debugging UrlGenerator::hasValidSignature(): What's different when the user is not logged in?

[NaturalDevCR]

i'll try to debug that, but i don't know how, gonna make some research, thanks @staudenmeir, i'll tell you my results

[NaturalDevCR]

@staudenmeir thanks a lot you really help me out here, after debugging where you suggested, i ended by DD the variables inside UrlGenerator.php like this:

public function hasValidSignature(Request $request, $absolute = true)
    {
        $url = $absolute ? $request->url() : '/'.$request->path();

        //dd($url);

        $original = rtrim($url.'?'.Arr::query(
            Arr::except($request->query(), 'signature')
        ), '?');

        dd($original);
        $expires = Arr::get($request->query(), 'expires');

        $signature = hash_hmac('sha256', $original, call_user_func($this->keyResolver));

        return  hash_equals($signature, (string) $request->query('signature', '')) &&
               ! ($expires && Carbon::now()->getTimestamp() > $expires);
    }

the $original variable showed me what was actually happening with my URL, and showed this:

https://example.com/report/1/1?expires=1546586977&settings%5Bincrementing%5D=1&settings%5Bexists%5D=1&settings%5BwasRecentlyCreated%5D=0&settings%5Btimestamps%5D=1&profile%5Bincrementing%5D=1&profile%5Bexists%5D=1&profile%5BwasRecentlyCreated%5D=0&profile%5Btimestamps%5D=1&user%5Bincrementing%5D=1&user%5Bexists%5D=1&user%5BwasRecentlyCreated%5D=0&user%5Btimestamps%5D=1

as you can see there are parameters after the expires parameter, those parameter where aded after the route creation, and that was the problem, this happened because i had a middleware sharing some information to the views like this:

UserDataMiddleware

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;
use App\User;
use App\Setting;
use App\UserProfile;
use Illuminate\Support\Facades\View;

class UserData
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {

        if (Auth::check()) {
            $settings = Setting::where('user_id', Auth::user()->id)->first();
            $profile = UserProfile::where('user_id', Auth::id())->first();
            $user = Auth::user();

            View::share('settings', $settings); //Another way to share variables, with the View::share
            View::share('profile', $profile);

            //Now we need to share owr variables trough the REQUEST to our controllers
            $request->merge([
                'settings' => $settings,
                'profile' => $profile,
                'user' => $user
            ]);


        }
        return $next($request);
    }
}

this middleware was inside the middleware groups, so that was the problem, thanks a lot for your help, really guided me to the right place... hopefully if someone in the future experiments this, then it could check that first.

[zipavlin]

@LaravDev I would just like to thank you for comming back and sharing how you solved this. You just saved me, what I imagine, would be few hours :)