Merge pull request #332 from opcodesio/improvement/production-authorization

arukompas · web-flow · commit 79bfe719c45f · 2024-02-14T13:25:23.000+02:00
better handling of the production block
diff --git a/config/log-viewer.php b/config/log-viewer.php
@@ -12,6 +12,8 @@
 
     'enabled' => env('LOG_VIEWER_ENABLED', true),
 
+    'require_auth_in_production' => true,
+
     /*
     |--------------------------------------------------------------------------
     | Log Viewer Domain
diff --git a/src/Http/Middleware/AuthorizeLogViewer.php b/src/Http/Middleware/AuthorizeLogViewer.php
@@ -2,12 +2,23 @@
 
 namespace Opcodes\LogViewer\Http\Middleware;
 
+use Illuminate\Support\Facades\App;
+use Illuminate\Support\Facades\Gate;
 use Opcodes\LogViewer\Facades\LogViewer;
 
 class AuthorizeLogViewer
 {
     public function handle($request, $next)
     {
+        if (
+            config('log-viewer.require_auth_in_production', false)
+            && App::isProduction()
+            && ! Gate::has('viewLogViewer')
+            && ! LogViewer::hasAuthCallback()
+        ) {
+            abort(403);
+        }
+
         LogViewer::auth();
 
         return $next($request);
diff --git a/src/LogViewerServiceProvider.php b/src/LogViewerServiceProvider.php
@@ -134,12 +134,6 @@ protected function defineDefaultGates()
         if (! Gate::has('deleteLogFolder')) {
             Gate::define('deleteLogFolder', fn (mixed $user, LogFolder $folder) => true);
         }
-
-        if ($this->app->isProduction() && ! Gate::has('viewLogViewer') && ! LogViewer::hasAuthCallback()) {
-            // Disable Log Viewer in production by default. In order to allow access,
-            // developers will have to define a "viewLogViewer" gate or an "auth" callback.
-            LogViewer::auth(fn ($request) => false);
-        }
     }
 
     /**
diff --git a/tests/Feature/Authorization/CanViewLogViewerTest.php b/tests/Feature/Authorization/CanViewLogViewerTest.php
@@ -40,15 +40,27 @@
 test('local environment can use Log Viewer by default', function () {
     app()->detectEnvironment(fn () => 'local');
     expect(app()->isProduction())->toBeFalse();
-    (new \Opcodes\LogViewer\LogViewerServiceProvider(app()))->boot();
 
     get(route('log-viewer.index'))->assertOk();
 });
 
 test('Log Viewer is blocked in production environment by default', function () {
     app()->detectEnvironment(fn () => 'production');
     expect(app()->isProduction())->toBeTrue();
-    (new \Opcodes\LogViewer\LogViewerServiceProvider(app()))->boot();
 
     get(route('log-viewer.index'))->assertForbidden();
+
+    // but if configuration allows...
+    config(['log-viewer.require_auth_in_production' => false]);
+    get(route('log-viewer.index'))->assertOk();
+});
+
+test('Log Viewer is not blocked if the Log Viewer auth middleware is not used', function () {
+    config(['log-viewer.middleware' => ['web']]);
+    app()->detectEnvironment(fn () => 'production');
+    expect(app()->isProduction())->toBeTrue();
+    // need to reload the routes in order for the new middleware to take place.
+    (new \Opcodes\LogViewer\LogViewerServiceProvider(app()))->boot();
+
+    get(route('log-viewer.index'))->assertOk();
 });

Original file line number	Diff line number	Diff line change
`@@ -134,12 +134,6 @@ protected function defineDefaultGates()`
`134`	`134`	`if (! Gate::has('deleteLogFolder')) {`
`135`	`135`	`Gate::define('deleteLogFolder', fn (mixed $user, LogFolder $folder) => true);`
`136`	`136`	`}`
`137`		`-`
`138`		`- if ($this->app->isProduction() && ! Gate::has('viewLogViewer') && ! LogViewer::hasAuthCallback()) {`
`139`		`- // Disable Log Viewer in production by default. In order to allow access,`
`140`		`- // developers will have to define a "viewLogViewer" gate or an "auth" callback.`
`141`		`- LogViewer::auth(fn ($request) => false);`
`142`		`- }`
`143`	`137`	`}`
`144`	`138`
`145`	`139`	`/**`