jurianarie/unauthorised-laravel-endpoints

Detect unauthorised endpoints in your Laravel application

v0.1.1-beta 2022-08-29 08:41 UTC


Last update: 2024-04-29 05:05:56 UTC


README


It's easy to forget authorization. This package is here to help you out!

Installation

You can install the package via composer:

composer require jurianarie/unauthorised-laravel-endpoints --dev

You can publish the config file with:

php artisan vendor:publish --tag="unauthorized-detection"

How it works

This package looks through all routes defined in your application and tries to find authorization checks.

There are a few built-in checks:

  • Authorization via middleware
  • Authorization via FormRequests
  • Authorization via source code (This has some limitations.)

Usage

php artisan unauthorised-endpoints:detect

Or exclude vendor routes:

php artisan unauthorised-endpoints:detect --except-vendor

Tip: the command accepts the same options as route:list.

Configuration

Specify authentication middleware

By default, only the auth middleware is checked. Routes that do not carry any of the listed authentication middleware are ignored.

'authentication-middleware' => [
    'auth:api', // Only check api.
],

Specify authorization middleware

Here you can specify the middleware that is used to authorize the routes.

'authorization-middleware' => [
    'your-custom-middleware',
],

Specify authorization methods

You can add regular expressions; they are matched against the source code of the route's action.

'authorization-methods' => [
    '/\$this->authorize\(\'(.*)\\)/',
    '/Gate::authorize\(\'(.*)\\)/',
],

Ignoring routes

You can ignore routes the same way as with Request::is() and Request::routeIs() (see https://laravel.com/docs/9.x/requests#inspecting-the-request-path).

Adding custom detection

You can add custom detection by adding a class that implements \JurianArie\UnauthorisedDetection\Detectors\DetectsAuthorization to the 'authorization-detectors' array in your config.

Limitations

You might get false positives when your authorization has to be detected in your source code, for example when:

  • Your action doesn't have any source code.
  • Your authorization happens further down in the call stack.
  • Your authorization uses structures such as abort_if($user->cannot(...)) or if ($user->cannot(...)) {...}.
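As an added example (not code from the package), the script below applies the two default 'authorization-methods' patterns from the configuration section to constructed controller action bodies and shows why the abort_if() / $user->cannot() forms listed above are reported as unauthorized: no configured pattern matches them.

```php
<?php
// Added example, not part of the package: applies the configured
// 'authorization-methods' regexes to constructed action source code.
// The two patterns are copied verbatim from the config example above.
$authorizationMethods = [
    '/\$this->authorize\(\'(.*)\\)/',
    '/Gate::authorize\(\'(.*)\\)/',
];

// Constructed action bodies, as they might appear in a controller.
$actions = [
    'update'  => '$this->authorize(\'update\', $post); $post->update($data);',
    'publish' => 'Gate::authorize(\'publish\', $post); $post->publish();',
    // Authorized by a human reader, but not by the patterns (see Limitations).
    'destroy' => 'abort_if($user->cannot(\'delete\', $post), 403); $post->delete();',
    'archive' => 'if ($user->cannot(\'archive\', $post)) { abort(403); } $post->archive();',
];

/**
 * Return the index of the first pattern that matches the action source,
 * or null when no configured authorization call is found.
 */
function detectAuthorization(string $source, array $patterns): ?int
{
    foreach ($patterns as $index => $pattern) {
        if (preg_match($pattern, $source) === 1) {
            return $index;
        }
    }
    return null;
}

/** Map each action name to the matching pattern index (null = flagged). */
function classifyActions(array $actions, array $patterns): array
{
    $result = [];
    foreach ($actions as $name => $source) {
        $result[$name] = detectAuthorization($source, $patterns);
    }
    return $result;
}

foreach (classifyActions($actions, $authorizationMethods) as $name => $index) {
    printf("%-8s %s\n", $name, $index === null
        ? 'no authorization detected (review manually)'
        : "detected by pattern #$index");
}
```

Running it with `php detect.php` reports update and publish as detected and destroy and archive as undetected; to cover the latter forms in your own project, add a pattern for them to 'authorization-methods' or implement a custom detector.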

License

The MIT License (MIT). Please see License File for more information.