jurianarie / unauthorised-laravel-endpoints
Detect unauthorised endpoints in your Laravel application
Requires
- php: ^7.4|^8.0.2
- laravel/framework: ^6.20.26|^7.29|^8.75|^9.0
Requires (Dev)
- orchestra/testbench-core: ^4.8|^6.27
- phpstan/phpstan: ^1.2
- phpunit/phpunit: ^7.5.15|^8.5.19|^9.5.8
- squizlabs/php_codesniffer: ^3.6
This package is auto-updated.
Last update: 2024-04-29 05:05:56 UTC
README
It's easy to forget authorization. This package is here to help you out!
Installation
You can install the package via composer:
composer require jurianarie/unauthorised-laravel-endpoints --dev
You can publish the config file with:
php artisan vendor:publish --tag="unauthorized-detection"
How it works
This package looks through all routes defined in your application and tries to find authorization checks.
There are a few built-in checks:
- Authorization via middleware
- Authorization via FormRequests
- Authorization via source code (This has some limitations.)
Usage
php artisan unauthorised-endpoints:detect
Or exclude vendor routes:
php artisan unauthorised-endpoints:detect --except-vendor
Tip: the same options are available as with route:list.
Configuration
Specify authentication middleware
By default, only the auth middleware is checked. Routes without the specified middleware will be ignored.
'authentication-middleware' => [
    'auth:api', // Only check api.
],
Specify authorization middleware
Here you can specify the middleware that is used to authorize the routes.
'authorization-middleware' => [
    'your-custom-middleware',
],
Specify authorization methods
You can add regular expressions.
'authorization-methods' => [
    '/\$this->authorize\(\'(.*)\\)/',
    '/Gate::authorize\(\'(.*)\\)/',
],
Ignoring routes
You can ignore routes the same way as with Request::is() and Request::routeIs(), see https://laravel.com/docs/9.x/requests#inspecting-the-request-path.
Adding custom detection
You can add custom detection by adding a class that implements \JurianArie\UnauthorisedDetection\Detectors\DetectsAuthorization to the 'authorization-detectors' array in your config.
Limitations
You might get false positives when authorization can only be detected from your source code, for example when:
- Your action doesn't have any source code.
- Your authorization happens further down in the call stack.
- Your authorization uses structures such as abort_if($user->cannot(...)) or if ($user->cannot(...)) {...}
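As an added illustration (not code from the package), the following Python replays the source-code check behind the 'authorization-methods' configuration over a few constructed controller actions: the two default patterns are written out as the PCRE they compile to once PHP single-quote escaping is resolved, and an extra pattern is appended to show how the abort_if/cannot() false positive from the list above can be removed by configuration. The action bodies, their names and the extra pattern are assumptions for the demonstration.

```python
import re

# The package's two default 'authorization-methods' entries. In a PHP
# single-quoted string \' becomes ' and \\ becomes \, so the delimited
# '/\$this->authorize\(\'(.*)\\)/' compiles to the expression below.
DEFAULT_AUTHORIZATION_METHODS = [
    r"\$this->authorize\('(.*)\)",
    r"Gate::authorize\('(.*)\)",
]

# Assumed extra pattern a user could add to the config so that the
# abort_if($user->cannot(...)) form listed under Limitations is recognised.
EXTENDED_AUTHORIZATION_METHODS = DEFAULT_AUTHORIZATION_METHODS + [
    r"->cannot\('(.*)\)",
]

# Constructed action bodies; they are not taken from any real project.
ACTIONS = {
    "update_with_authorize": """
        $this->authorize('update', $post);
        $post->update($request->validated());
    """,
    "update_with_gate": """
        Gate::authorize('update', $post);
    """,
    "update_with_abort_if": """
        abort_if($request->user()->cannot('update', $post), 403);
        $post->update($request->validated());
    """,
    "destroy_empty": "",  # action with no source: always a false positive
}


def has_authorization_call(source, patterns=DEFAULT_AUTHORIZATION_METHODS):
    """True if any configured regex matches the action's source."""
    return any(re.search(p, source) for p in patterns)


def find_unauthorised(actions, patterns=DEFAULT_AUTHORIZATION_METHODS):
    """Names of actions in which no authorization call was detected."""
    return sorted(
        name for name, src in actions.items()
        if not has_authorization_call(src, patterns)
    )


if __name__ == "__main__":
    print("defaults :", find_unauthorised(ACTIONS))
    print("extended :", find_unauthorised(ACTIONS, EXTENDED_AUTHORIZATION_METHODS))
```

With the default patterns both the abort_if action and the empty action are reported; adding the cannot() pattern clears the first, while the empty action stays reported because there is no source to match.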
License
The MIT License (MIT). Please see License File for more information.