Securing Laravel

Share this post

Security Tip: Use Route Groups

securinglaravel.com

Discover more from Securing Laravel

The essential security resource for Laravel devs, covering everything you need to keep your apps secure. Sign up to receive weekly security tips and monthly in depth articles, diving deep into security concepts you need to know!
Over 2,000 subscribers
Continue reading
Sign in

Security Tip: Use Route Groups

[Tip#24] It may sound trivial, but it's easy to overlook.

Stephen Rees-Carter
Jun 14, 2022
1
Share this post

Security Tip: Use Route Groups

securinglaravel.com
Share

Greetings everyone! In this week’s security tip, I wanted to share a simple tip based on a common weakness I often see in Laravel apps. It’s common to see apps have most of their access control inside controllers, but I see it all the time where a specific action is missing an authorisation check because the developer forgot when writing that specific controller action. Hence why I recommend using a different approach…

I hope you all have a great week! 🙂

Use Route Groups

Route Groups are awesome for so many reasons, and as you’d expected, one of those reasons is security. Not only do they make it easy to review the access requirements for each of your routes in the one place but they also serve as a fantastic reminder that you need to be aware of the permissions for each of your routes.

Consider this: when adding a new route, you’ll open up the routes file, and look for a suitable place to put it. If everything is grouped, you need to decide what access level that route needs when you add it. You’re unlikely to forget and your app stays secure.

Alternatively, if you leave your access control in your controllers, you’ll add your route somewhere, open up a blank controller and start coding… and sometimes forget about access control, leaving an endpoint wide open.

I recommend implementing as much of your access control as possible through middleware.

You’ve got the default auth and guest helpers for basic authentication checks, with Policy Objects to handle more complex rules, but if the app I’m working on requires something more complicated, I’ll implement some custom middleware to handle that logic too. That way it’s all encompassed within middleware and the route layer, making it harder for me to overlook and forget.

As a quick guide:

Authenticated Users Only

Route::middleware(['auth'])->group(function () {
    // ...
});

Unauthenticated Guests Only

// Authenticated Users Only
Route::middleware(['guest'])->group(function () {
    // ...
});

Authenticated With Specific Auth Guard Only

Route::middleware(['auth:admin'])->group(function () {
    // ...
});

Authenticated & Product Policy Approved Only

Route::middleware(['auth'])->group(function () {
    // ...

    Route::middleware(['can:view,product'])->group(function () {
        // ..
    });
});

Authenticated & Custom Control

Route::middleware(['auth'])->group(function () {
    // ...

    Route::middleware(['editor'])->group(function () {
        // ..
    });
});

Useful Documentation:

  1. Route Groups

  2. Route Group Middleware

  3. Route Authentication Middleware

  4. Default Middleware

1
Share this post

Security Tip: Use Route Groups

securinglaravel.com
Share
Previous
Next
Comments
Top
New
Community

No posts

Ready for more?

© 2023 Stephen Rees-Carter
Privacy ∙ Terms ∙ Collection notice
Start WritingGet the app
Substack is the home for great writing