Auth check return false in middleware, but should return true with Log Viewer

[zekuraz]

Hi !

I installed Log Viewer in my laravel 11 protect, and works like a charm. But i want to limit who has access to the Log Viewer in production.

So,i create a middleware

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class ViewLogs
{
    public function handle(Request $request, Closure $next)
    {
        if (Auth::check() && Auth::user()->hasRole('admin')) {
            return $next($request);
        }
        abort(401, 'Unauthorised');
    }
}

Add the following to $middlewareAliases array In app\Http\Kernel.php

        'view-logs' => \App\Http\Middleware\ViewLogs::class,

And add middleware to the the log viewer config

    /*
    |--------------------------------------------------------------------------
    | Log Viewer route middleware.
    |--------------------------------------------------------------------------
    | Optional middleware to use when loading the initial Log Viewer page.
    |
    */

    'middleware' => [
        'web',
        'view-logs',
        \Opcodes\LogViewer\Http\Middleware\AuthorizeLogViewer::class,
    ],

If i try to debug Auth::check(), it's always return false.

I also try Auth::guard('api'), it's doesn't work.

For information, i use Laravel Passport in my project.

Thanks in advance for your help !

[niels-numbers]

I experienced the same issue. I just updated logviewer to 3.15. (I am using Laravel 9) and after the composer upgrade, I received a 403 error. I downgraded back to 3.1.5 and the issue was gone. For some strange reason, the permission error only happens in production, not locally.

I also tried to remove my custom middleware, but still got a 403.

[zekuraz]

i note that the "XSRF-TOKEN" mismatch when i check the api request. Some can give a clue ?

[arukompas]

Hey @zekuraz , is there any reason you cannot utilise Log Viewer's callbacks as written in the documentation?

For example, you could just add this to your AppServiceProvider:

public function boot()
{
    LogViewer::auth(function ($request) {
        // Always allow access locally
        if (App::environment('local')) {
            return true;
        }

        // Otherwise, check for the "admin" role.
        return Auth::check() && Auth::user()->hasRole('admin');
    });
}

[zekuraz]

Hi @arukompas ,

I also try add this to my AppServiceProvider, but it always returns to me false.

[Zephni]

@zekuraz After installing this in a bunch of different applications the most common reason I've found for this is that your APP_URL (in .env) or config('app.url') needs to be the exact domain you are using. Eg:

APP_URL=http://local.my-domain.com

... or of course whatever you are serving your site locally as.

Note that it says in the docs/config that if the log viewer config key 'log-viewer.route_domain' is set to null it should work on all domains but I've found that this isn't true.

[jerrens]

I noticed that the following closure in AppServiceProvider was called twice when loading the page:

LogViewer::auth(function ($request) {
   return Gate::allows('admin:logs:read');
});

First for /log-viewer and the second for /log-viewer/api/folders.

In the first request, \Illuminate\Support\Facades\Auth::user() was defined. However in the second request, if APP_URL was not defined correctly as @Zephni suggested, then the user was null causing the gate to fail.