Auth Signature verification broken when using a custom path #356
Description
Reverb Version
v1.6.2
Laravel Version
v12.40
PHP Version
8.4
Description
When running Reverb with a custom server path, say /sockets/, signature verification for requests sent from the Laravel application to the Reverb server will fail. That is because the signature is built from the request method, the URI path, and the query parameters; the Reverb server will use its full URI to read the path (see Protocols/Pusher/Http/Controllers/Controller.php, Line 97–101), but the Pusher client will construct it from the endpoint path without the configured prefix (see pusher-http-php/src/Pusher.php, Line 300–302), because the base path sits in the Guzzle client instance config and the signing code works on the request parameters only.
This means that effectively, a custom path doesn't work with request signatures, or requires handling outside of Laravel/Reverb using path rewriting shenanigans.
Solving this would be possible by either stripping any configured path from the URI used to validate the signature to accommodate for what Pusher does, or fixing the upstream Pusher code (although the repository seems largely abandoned, so that might be tricky).
I'd be willing to send a PR for the first option if there's any interest in merging it.
Steps To Reproduce
Configure Reverb with a path by setting reverb.servers.reverb.path, reverb.apps.apps.0.options.path, and broadcasting.connections.reverb.options.path to e.g. /sockets/, then try to broadcast to a private channel, using e.g.
$ php artisan tinker
> Broadcast::private('test', ['foo' => 'bar'])->sendNow()and you should see:
Illuminate\Broadcasting\BroadcastException Pusher error: Authentication signature invalid..