Livewire behind authenticated routes

Hello,

I am a bit confused on the internals, more specifically would a Livewire object be accessible by someone by firing an ajax call?

I have a route which requires authentication that loads Livewire. This Livewire controller handles sensitive data and I would like to know how secure it is. I can’t seem to find anything that would allow me to put it behind a middleware.

Thanks

You can define the middleware on your routes just like normal Laravel controllers.

routes/web.php

    Route::middleware('auth')->group(function () {
        Route::livewire('/path-to-component', 'component');
    });

If your route already requires authentication and your livewire component is on the view defined by that route, it would still go through the auth middleware as a normal Laravel component. There’d be no direct route to the livewire component unless you define a route to it.


Thanks, this is a cool feature but only if you load the component directly

True, it’s for direct component usage but the main point is that you can house any of your Route logic within the middleware and still have the middleware apply.

If your livewire component lives within a view that has the middleware applied, the user will have to authenticate to access that route.


I hope it is fine to reopen this issue.
I was asking myself the very same question. So thanks for the answer @shortbrownman !

Now my follow-up question is: How does this work?
It seems like the ajax-request always targets [project-domain]/livewire/message/component .

Let’s imagine I got the following in my routes/web.php:

    Route::get('/abc', function () {
        return view('abc-view');
    })->middleware('something');

    Route::get('/xyz', function () {
        return view('xyz-view');
    })->middleware('somethingElse');

Now, let’s imagine both views (‘abc-view’ and ‘xyz-view’) contain the same livewire-component.
How would Livewire know which route was the origin and which Middleware to use?

Thanks in advance,
mj

Livewire wouldn’t need to establish what Middleware should be used as that’s handled by Laravel, generally through the routes/web.php as you have in your example code. The middleware will be attached at that level.

Livewire shouldn’t need to know what route the component is being accessed through nor should it need to concern itself with the middleware as that’s all handled elsewhere.

If you wanted to know what route the component is being accessed from, you might be able to dig into the request itself but I think you can only do that on the mount() method if I’m recalling correctly.


Thank you again.

I would agree that it shouldn’t be of Livewire’s concern which routes the request to the component is going through. My problem is that I can’t see the original route is called by the ajax request.

To use my example above: what if some evil guy visits my page - specifically the abc-view. So everything is going through the “something”-Middleware.
But then he makes an ajax-request to a component I am using in the xyz-view. Laravel would still think it has to use the “something” instead of the “somethingElse”-Middleware, because the call comes from a client (and page - abc-view) that’s currently routing through the something-Middleware.

It is true that somehow Laravel - and not Livewire - has to manage this. But how does it work? I just want to feel safe using these frameworks. And it seems I am really missing something here. Unfortunately the Docs of Laravel are mostly about “what you can use to achieve X” and never about “how does Laravel accomplish X”. Do I really have to deep-dive into the code itself before using the framework?
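
One way to make a component safe no matter which middleware the ajax endpoint runs is to authorize inside the component itself, on the initial render and on every later message. This is an added example, not part of the thread and not Livewire's own code; the `Report` model, the `view-report` gate ability, and the component and view names are hypothetical, and it assumes a Livewire version that provides the `hydrate()` lifecycle hook.

```php
<?php

namespace App\Http\Livewire;

use App\Report;                       // hypothetical Eloquent model
use Illuminate\Support\Facades\Gate;
use Livewire\Component;

class SensitiveReport extends Component   // hypothetical component
{
    public $reportId;

    // Initial page load: runs once, when the view containing the component renders.
    public function mount($reportId)
    {
        $this->reportId = $reportId;
        $this->authorizedReport();
    }

    // Subsequent ajax messages: runs before any action or re-render.
    public function hydrate()
    {
        $this->authorizedReport();
    }

    // An action callable from the browser; it re-checks instead of trusting the page.
    public function archive()
    {
        $this->authorizedReport()->update(['archived' => true]);
    }

    public function render()
    {
        return view('livewire.sensitive-report', [
            'report' => $this->authorizedReport(),
        ]);
    }

    // Private, so it cannot be invoked as an action from the front end.
    private function authorizedReport()
    {
        abort_unless(auth()->check(), 401);            // must be logged in
        $report = Report::findOrFail($this->reportId); // 404 if the id is bogus
        Gate::authorize('view-report', $report);       // 403 if not permitted
        return $report;
    }
}
```

With the check in the component, embedding it in both abc-view and xyz-view does not change who may use it: the decision depends on the current user and the requested record, not on the page the request came from.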