Invalid Signature - Email Verification - HTTPS #28311

Closed
aschbacd opened this issue Apr 23, 2019 · 6 comments

@aschbacd aschbacd commented Apr 23, 2019

  • Laravel Version: 5.8.14
  • PHP Version: 7.3.4
  • Database Driver & Version: mysql 5.7

Description:

When using HTTPS, the email validation link gets invalid and returns an HTTP Error with 403 Invalid signature. When using HTTP, everything works fine (but insecure).

PS: After enabling HTTPS every link uses HTTPS (also the one in the email).

Steps To Reproduce:

  1. Edit the file app/Providers/AppServiceProvider.php and add the following lines of code in the method boot:

     if(env('FORCE_HTTPS')) {
         URL::forceScheme('https');
     }

  2. Set the environment variable FORCE_HTTPS to true.
  3. Run php artisan config:cache if the changes haven't been applied.
@aschbacd aschbacd changed the title from "Invalid Signature - Email Validation - HTTPS" to "Invalid Signature - Email Verification - HTTPS" Apr 23, 2019
Contributor

@36864 36864 commented Apr 23, 2019

You're using the env() helper outside the configuration files and then caching your config. When you cache your config, env() no longer works.

Can you try removing the condition and just setting URL::forceScheme('https');?

Contributor

@laurencei laurencei commented Apr 23, 2019

Closing as @36864 has given the answer - don't use env() outside of config files.

@laurencei laurencei closed this Apr 23, 2019
Author

@aschbacd aschbacd commented Apr 23, 2019

I removed the env() condition and just set URL::forceScheme('https'); but I still get the same error.

@laurencei laurencei reopened this Apr 23, 2019
Author

@aschbacd aschbacd commented Apr 24, 2019

I found the issue with the help of @davidkroell. Before I was using container solutions to deploy my application (Docker and Heroku), but now I deployed it directly via Apache on a Debian system and the links are working fine (with HTTP and HTTPS).

I also didn't have to use URL::forceScheme('https'); this time to get all links replaced with HTTPS ones.

@yawmanford yawmanford commented Jul 12, 2019

I had a similar problem - it can be solved very easily if you use the TrustedProxy Middleware.

  1. Add \URL::forceScheme('https'); to the boot method in AppServiceProvider.php

     if($this->app->environment('production'))
     {
         \URL::forceScheme('https');
     }
    
  2. Allow all like below or configure proxies as explained in the docs: https://laravel.com/docs/5.8/requests#configuring-trusted-proxies

    <?php

    namespace App\Http\Middleware;

    use Illuminate\Http\Request;
    use Fideloper\Proxy\TrustProxies as Middleware;

    class TrustProxies extends Middleware
    {
        /**
         * The trusted proxies for this application.
         *
         * @var array|string
         */
        protected $proxies = '*';

        /**
         * The headers that should be used to detect proxies.
         *
         * @var int
         */
        protected $headers = Request::HEADER_X_FORWARDED_ALL;
    }
    

@dhrumil4u360 dhrumil4u360 commented Nov 28, 2019

This issue is mainly introduced by adding the following in your code:

URL::forceScheme('https');

If you are just trying to fix SSL URL links (when SSL is terminated in your load balancer and the Laravel server is receiving requests on port 80), you should not use the above approach. Instead, use the approach given by Laravel. It will take care of exactly this scenario.

https://laravel.com/docs/6.x/requests#configuring-trusted-proxies

If you have to have forceScheme, use the approach mentioned by @manfordbenjamin
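
Why the link fails behind a TLS-terminating proxy, as an added example that is not part of this thread and not Laravel's own code: a simplified model in which the signature is an HMAC over the absolute URL, scheme included, and the check rebuilds that URL from the request as the application sees it. The key, host, addresses and function names are constructed for illustration.

```php
<?php
// Simplified model of signed-URL checking (added example, not Laravel's code).
// Key, host, addresses and function names are constructed for illustration.
const KEY = 'constructed-app-key';

// Sign the absolute URL, scheme included, and append the MAC.
function signUrl(string $url): string
{
    return $url . '&signature=' . hash_hmac('sha256', $url, KEY);
}

// Scheme the application believes the request used. X-Forwarded-Proto is
// honoured only when the direct peer (REMOTE_ADDR) is a trusted proxy.
function requestScheme(array $server, array $trustedProxies): string
{
    $trusted = in_array('*', $trustedProxies, true)
        || in_array($server['REMOTE_ADDR'], $trustedProxies, true);
    if ($trusted && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower($server['HTTP_X_FORWARDED_PROTO']);
    }
    return empty($server['HTTPS']) ? 'http' : 'https';
}

// Rebuild the URL from the request as the application sees it, compare MACs.
function hasValidSignature(array $server, array $trustedProxies): bool
{
    [$path, $query] = explode('?', $server['REQUEST_URI'], 2);
    parse_str($query, $params);
    $given = (string) ($params['signature'] ?? '');
    unset($params['signature']);
    $url = requestScheme($server, $trustedProxies) . '://' . $server['HTTP_HOST']
        . $path . '?' . http_build_query($params);
    return hash_equals(hash_hmac('sha256', $url, KEY), $given);
}

// Link mailed to the user, generated with the scheme forced to https.
$host = 'app.example.test';
$link = signUrl("https://$host/email/verify/7?expires=1556000000");

// The same request after the load balancer terminated TLS and forwarded
// it to the application over plain HTTP.
$server = [
    'REMOTE_ADDR' => '10.0.0.5', // load balancer address (constructed)
    'HTTP_HOST' => $host,
    'HTTP_X_FORWARDED_PROTO' => 'https',
    'REQUEST_URI' => substr($link, strlen("https://$host")),
];
var_dump(hasValidSignature($server, []));           // no proxy trusted: rebuilt as http://
var_dump(hasValidSignature($server, ['10.0.0.5'])); // balancer trusted: rebuilt as https://
var_dump(hasValidSignature($server, ['*']));        // any direct peer's header is believed
```

With `'*'` the forwarded header is accepted from whichever host connects, so that setting is only appropriate when the application can be reached solely through the proxy; otherwise list the proxy addresses.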
