[5.7] Signed route allowed for passing $absolute false but was never checked as such

[patrick-radius]

Signed route allowed for passing $absolute false but was never checked as such

[jmarcher]

This is a breaking change please target master.

[patrick-radius]

Can you elaborate on how you think this is breaking? It was intended as a bugfix
The signature for public function signedRoute($name, $parameters = [], $expiration = null, $absolute = true) already allowed for passing $absolute but it could never be checked.

the default value for $absolute hasValidSignature(Request $request, $absolute = true) should make it backward compatible.

If i'm missing something please inform me.

[jmarcher]

It is not if you are extending UrlGenerator and overwriting the hasValidSignature method, it will throw a warning. (Some environments tend to convert warnings to errors)

[jmarcher]

And I believe the $absolute parameter should only be used for $this->route() for the outside one not for the one inside hash_hmac() but maybe im wrong.

[patrick-radius]

This last point is actually the bug I'm trying to fix.
We need signed relative urls. But when it is validated it is invalid because it checks the signature against the entire url.

[sisve]

I agree, the changed method signature for hasValidSignature is a breaking change.

[patrick-radius]

I'm open to suggestions. But since the signature of public function signedRoute($name, $parameters = [], $expiration = null, $absolute = true) already existed, is a public interface and not working as suggested, to me it's a bug. Especially since I needed this behavior.

[sisve]

It can be both a bug, and a breaking change. I'm not saying the change is bad, but perhaps it should have targeted the next release to avoid problems with existing packages. These types of changes can be implemented locally in your application until the next release, so you both get the functionality you need, and don't introduce any breaking changes to the framework in the middle of the 5.7 release.

[LucasLeandro1204]

I use the signature and expires parameter to valid it through my SPA app by an ajax call, but this pr broke it =(

[patrick-radius]

@LucasLeandro1204 can you be a bit more specific?

[messi89]

is this issue solved ?

I have juste updated to 5.7.13 but the issue persist....

$absolute is never passed and still true even if we set it to false on the temporarySignedRoute method and it throw an invalid signature

=-(

[LucasLeandro1204]

@messi89 create a verifySignature middleware passing false and replace it in kernel

[messi89]

@LucasLeandro1204

something like that ?

if ($request->hasValidSignature($request, false)) {
  return $next($request);
}

I will try it

[LucasLeandro1204]

@messi89 yeap, don't forget to throw Illuminate\Routing\Exceptions\InvalidSignatureException

[messi89]

@LucasLeandro1204 same issue

"message": "Invalid signature.",
    "exception": "Illuminate\\Routing\\Exceptions\\InvalidSignatureException",
    "file": "/app/Http/Middleware/VerifySignature.php",

the only way i found is to modify

public function hasValidSignature(Request $request, $absolute = true)
to
public function hasValidSignature(Request $request, $absolute = true) {
$absolute= false
....

[messi89]

problem solved after check the macro on FoundationServiceProvider

public function registerRequestSignatureValidation()
    {
        Request::macro('hasValidSignature', function ($absolute = true) {
            return URL::hasValidSignature($this, $absolute);
        });
    }

so in my middleware I change

if ($request->hasValidSignature($request, false)) {
  return $next($request);
}

to

if ($request->hasValidSignature($false)) {
  return $next($request);
}