Filament, 10mo ago
John

Middleware for "livewire.message"

In my config/filament.php I have set some additional middleware:
    'middleware' => [
        'auth' => [
            Authenticate::class,
            CheckProfile::class,
            Require2FA::class,
        ],
        'base' => [
            EncryptCookies::class,
            AddQueuedCookiesToResponse::class,
            StartSession::class,
            AuthenticateSession::class,
            ShareErrorsFromSession::class,
            VerifyCsrfToken::class,
            SubstituteBindings::class,
            DispatchServingFilamentEvent::class,
            MirrorConfigToSubpackages::class,
            NeedsTenant::class,
            EnsureValidTenantSession::class,
        ],
    ],
The middleware is applied to "normal" Filament requests, but NOT to the XHR livewire.message requests, e.g. changing a filter on an overview page to reload the records. Is this an auth vulnerability? Should I also add them in a generic Livewire place? Or on specific routes/components? (I imagine this will break the login page since it's also Livewire but there is no authenticated user yet.)
Tieme, 10mo ago
See : https://filamentphp.com/docs/3.x/panels/configuration#applying-middleware
    use Filament\Panel;

    public function panel(Panel $panel): Panel
    {
        return $panel
            // ...
            ->middleware([
                // ...
            ], isPersistent: true);
    }
John (OP), 10mo ago
I'm on v2. The v2 way is in config. That middleware is applied for "normal" requests, but not for the Livewire XHR requests. (I've edited my original question to reflect this.)
awcodes, 10mo ago
You’ll probably need to add it to the livewire middleware config too.
John, 10mo ago (marked as solution)
That does break the login screen, as expected. So that's probably not supposed to work like that. It's explained here how Livewire works stateless but still secure: https://laravel-livewire.com/docs/2.x/security. So one doesn't need Auth middleware in every Livewire XHR request.
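An added example, not from this thread and not Livewire's own code, modelling in Python the mechanism the linked security page describes: the component state rendered under the auth middleware is signed with the app key, and a later livewire.message request is rejected when its state no longer matches that signature. APP_KEY, the snapshot layout and the function names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed stand-in for Laravel's APP_KEY (a real key is 32 random bytes).
APP_KEY = b"constructed-app-key-for-illustration"


def canonical(snapshot: dict) -> bytes:
    # Deterministic serialisation so render and message hash the same bytes.
    return json.dumps(snapshot, sort_keys=True, separators=(",", ":")).encode()


def sign_snapshot(snapshot: dict, key: bytes = APP_KEY) -> str:
    """Checksum the server embeds in the rendered component HTML."""
    return hmac.new(key, canonical(snapshot), hashlib.sha256).hexdigest()


def verify_snapshot(snapshot: dict, checksum: str, key: bytes = APP_KEY) -> bool:
    """Compare an incoming payload's checksum in constant time."""
    return hmac.compare_digest(sign_snapshot(snapshot, key), checksum)


def render_component(name: str, component_id: str, data: dict) -> dict:
    """Initial page load: this is where the auth middleware already ran."""
    snapshot = {"fingerprint": {"name": name, "id": component_id}, "data": data}
    return {"snapshot": snapshot, "checksum": sign_snapshot(snapshot)}


def handle_message(payload: dict) -> str:
    """Subsequent XHR: only state the server itself issued is accepted."""
    if not verify_snapshot(payload["snapshot"], payload["checksum"]):
        return "rejected: corrupt component checksum"
    return "ok: " + payload["snapshot"]["fingerprint"]["name"]


def demo() -> "tuple[str, str]":
    # A records table rendered for tenant 7 on an authenticated page.
    page = render_component("records-table", "abc123", {"filter": "open", "tenant_id": 7})
    legit = handle_message(page)
    # Same checksum, but the client-side state was edited to point at tenant 8.
    edited = {"snapshot": json.loads(json.dumps(page["snapshot"])), "checksum": page["checksum"]}
    edited["snapshot"]["data"]["tenant_id"] = 8
    return legit, handle_message(edited)


if __name__ == "__main__":
    print(demo())
```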