feat: Add option to disable default webhook route registration

[lucacastelnuovo]

Yesterday I implemented resend/resend-laravel alongside a custom webhook handler. I opted not to use the built-in handler because I wanted to integrate with spatie/laravel-webhook-client.

However, the package still automatically registers the default webhook route. Since I am not using it, I consider this exposed route an unnecessary attack vector.

Would it be acceptable if I submitted a PR to make this automatic route registration configurable (default enabled of course)?

[jayanratna]

That seems like an important addition. Definitely welcoming a PR for that 👍🏽

[lucacastelnuovo]

Source: https://laravel.com/docs/12.x/releases#support-policy

To implement this I need some features from Laravel 11.x. Laravel 10.x is deprecated, are you willing to drop support for it?

[jayanratna]

You could do it through a config value. Something like: 'routes' => true

[lucacastelnuovo]

Yes, maybe I'm mistaken, but I thought that config() does not work in the boot of a service provider. Making it difficult to use it to register or not register the route.

I was thinking of using the Conditional trait on routes which was introduced in Laravel 11.34.0 (https://nabilhassen.com/laravel-routing-add-conditional-logic-to-routes)./

[jayanratna]

You can indeed use the config helper function. For reference see the ResendServiceProvider:

resend-laravel/src/ResendServiceProvider.php

Lines 67 to 80 in a27b2f6

	/**
	* Register the package routes.
	*/
	protected function registerRoutes(): void
	{
	Route::group([
	'domain' => config('resend.domain', null),
	'namespace' => 'Resend\Laravel\Http\Controllers',
	'prefix' => config('resend.path'),
	'as' => 'resend.',
	], function () {
	$this->loadRoutesFrom(__DIR__ . '/../routes/web.php');
	});
	}

[lucacastelnuovo]

@jayanratna you are completely right, I meant I had some issue testing this functionality. The PR is ready #106

[kyranb]

I think there are really two separate concerns here:

1. should the package register its default webhook route at all
2. should it only register that route when verification is actually possible

Right now register_route only answers the first part. That works, but it still leaves the package in a way where if an environment variable is accidentally not set, that webhook requests aren't verified.

A better option may be to make that second part explicit in the config with a safe default, for example:

'require_webhook_secret' => true

[lucacastelnuovo]

@kyranb I completely agree.

If we were to introduce a breaking change I would even go as far as to say a webhook secret is required.

The resend ui always provides one to the user, so we might as well check it.

[kyranb]

Agreed, I think it's worthy of a breaking change.

@jayanratna What do you think?