Laravel Pulse unauthorized action when using Octane.

[sts-ryan-holton]

Pulse Version

1.0.0-beta11

Laravel Version

10.43.0

PHP Version

8.2.*

Livewire Version

Latest

Database Driver & Version

MySQL

Description

When loading up Pulse in a production environment running Laravel Octane, an error occurs on the /pulse view despite being logged in:

403 THIS ACTION IS UNAUTHORIZED.

Steps To Reproduce

My AuthServiceProvider for pulse:

<?php

namespace App\Providers;

use App\Policies\PermissionPolicy;
use App\Policies\RolePolicy;
use App\Policies\ScheduleMonitorPolicy;
use Illuminate\Auth\Notifications\ResetPassword;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Gate;
use Spatie\Permission\Models\Permission;
use Spatie\ScheduleMonitor\Models\MonitoredScheduledTask;
use App\Models\Spatie\Permission\Role;
use App\Models\User;

class AuthServiceProvider extends ServiceProvider
{
    /**
     * The model to policy mappings for the application.
     *
     * @var array<class-string, class-string>
     */
    protected $policies = [
        Role::class => RolePolicy::class,
        Permission::class => PermissionPolicy::class,
        MonitoredScheduledTask::class => ScheduleMonitorPolicy::class,
    ];

    /**
     * Register any authentication / authorization services.
     */
    public function boot(): void
    {
        $this->registerPolicies();

        ResetPassword::createUrlUsing(function ($user, string $token) {
            $frontendUrl = trim(rtrim(config('lespro.frontend_url'), '/'));

            return $frontendUrl.'/account/reset/?email='.$user->email.'&token='.$token;
        });

        // Implicitly grant "super_admin" role all permissions
        // This works in the app by using gate-related functions like auth()->user->can() and @can()
        Gate::before(function ($user, $ability) {
            return $user->hasRole('super_admin') ? true : null;
        });
    }

        /**
     * Authenticate
     */
    protected function authorization()
    {
        $this->gate();

        Pulse::auth(function ($request) {
            if (isset($request) && $request->boolean('disable_pulse_auth_check', false)) {
                return true;
            }

            if (app()->environment('local')) {
                return true;
            }

            // if we're in production and have a user on the web guard, then
            // let's return their user for auth check.
            if (!app()->environment('local')) {
                if (Auth::guard('web')->user()) {
                    return Auth::guard('web')->user();
                }
            }

            return false;
        });
    }

    /**
     * Register the Horizon gate.
     *
     * This gate determines who can access Horizon in non-local environments.
     */
    protected function gate(): void
    {
        Gate::define('viewPulse', function (User $user) {
            return in_array($user->email, [
                'user@example.com',
            ]);
        });
    }
}

I have not changed my Pulse config file. Could this be Octane related? It loads locally.

[driesvints]

And you're definitely logged in with the user with user@example.com? Why does it say "Horizon" above your gate method?

[sts-ryan-holton]

@jessarcher Sure, I've just forgotten to change a comment. This is strange, I've narrowed this down, maybe this will help. So I use Spatie Permissions package in my project. It requires Gate::before. However, if I define both Gate::before and Gate::define (Pulse) then I get an auth error whilst logged in.

If I comment out Gate::define whilst logged in, it loads? What's the workaround here?

/**
 * Register any authentication / authorization services.
 */
public function boot(): void
{
    $this->registerPolicies();

    ResetPassword::createUrlUsing(function ($user, string $token) {
        $frontendUrl = trim(rtrim(config('lespro.frontend_url'), '/'));

        return $frontendUrl.'/account/reset/?email='.$user->email.'&token='.$token;
    });

    // Implicitly grant "super_admin" role all permissions
    // This works in the app by using gate-related functions like auth()->user->can() and @can()
    Gate::before(function ($user, $ability) {
        return $user->hasRole('super_admin') ? true : null;
    });

    // causes forbidden
    Gate::define('viewPulse', function (User $user) {
        return true;
    });
}

/**
 * Register any authentication / authorization services.
 */
public function boot(): void
{
    $this->registerPolicies();

    ResetPassword::createUrlUsing(function ($user, string $token) {
        $frontendUrl = trim(rtrim(config('lespro.frontend_url'), '/'));

        return $frontendUrl.'/account/reset/?email='.$user->email.'&token='.$token;
    });

    // Implicitly grant "super_admin" role all permissions
    // This works in the app by using gate-related functions like auth()->user->can() and @can()
    Gate::before(function ($user, $ability) {
        return $user->hasRole('super_admin') ? true : null;
    });

    // works. But I need user check
    // Gate::define('viewPulse', function (User $user) {
    //     return true;
    // });
}

[driesvints]

I can't help with spatie's permission package sorry. Please try a support channel:

• Laracasts Forums
• Laravel.io Forums
• StackOverflow
• Discord
• Larachat
• IRC

[timacdonald]

@sts-ryan-holton, I have just created a fresh Laravel application with Octane and Pulse.

I specified the following gate config:

Gate::before(function (?User $user, string $ability) {
    return false; // fails as expected
    return true; // works
    return null; // works
});

Gate::define('viewPulse', function (?User $user) {
    return $user?->email === 'tim@laravel.com';
});

Is it possible you have forgotten to restart Octane? Or perhaps Spatie permissions is not working correctly with Octane?