Skip PreventBrowserAccess middleware when running tests
The PreventBrowserAccess middleware causes browser tests to fail with 403s. This PR adds a simple guard clause that skips the middleware when it detects it's running tests.
Converted to Draft. Will address the feedback given on Discord first 👍🏻
Couple notes @NativePHP/contributors:
I've added the automatic registration inside an if (config('nativephp-internal.running')) conditional.
Additionally I've also added a guard clause in the middleware itself, in case anyone needs to apply it on other groups.
- Would it make sense to add it to api group too?
- We need to update the docs to reflect these changes
@gwleuverink I think it does need to be applied globally, not just to the web group.
I'm thinking of scenarios where an attacker could use the API endpoints to trigger app behaviour in an unwanted manner simply by using curl against the right port...
So, if possible let's go for applying globally.
But we need to make sure that all requests from Electron to the Laravel app include the necessary header...
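The difference between group-only and global registration raised in the comment above, as an added framework-free PHP sketch that is not part of the thread and not NativePHP's code. The header name, the config keys and the route table are hypothetical stand-ins.

```php
<?php
// Added illustration; not NativePHP's code. Header name, config keys and
// route table are hypothetical stand-ins for the pieces named in the thread.
const SECRET_HEADER = 'X-Example-Secret';

// The guard: fail closed unless the caller presents the shared secret.
function preventBrowserAccess(array $headers, array $config): bool
{
    if ($config['running_tests']) {
        return true; // guard clause: the test suite cannot send the header
    }
    $given = $headers[SECRET_HEADER] ?? '';
    // Constant-time comparison; an empty configured secret never matches.
    return $config['secret'] !== '' && hash_equals($config['secret'], $given);
}

// Minimal dispatcher: $scope is 'web' (group-only) or 'global'.
function dispatch(string $path, array $headers, array $config, string $scope): int
{
    $routes = ['/settings' => 'web', '/api/notify' => 'api']; // constructed routes
    if (!isset($routes[$path])) {
        return 404;
    }
    $guarded = $scope === 'global' || $routes[$path] === $scope;
    if ($guarded && !preventBrowserAccess($headers, $config)) {
        return 403;
    }
    return 200;
}

$config = ['secret' => bin2hex(random_bytes(16)), 'running_tests' => false];
$shell  = [SECRET_HEADER => $config['secret']]; // what the desktop shell would send

// Constructed requests: label, path, headers, registration scope.
$cases = [
    ['web group only, API call without header', '/api/notify', [], 'web'],
    ['global, API call without header', '/api/notify', [], 'global'],
    ['global, web call without header', '/settings', [], 'global'],
    ['global, API call from the shell', '/api/notify', $shell, 'global'],
];
foreach ($cases as [$label, $path, $headers, $scope]) {
    printf("%-42s %d\n", $label, dispatch($path, $headers, $config, $scope));
}
```

Run it with the `php` command line binary; the first case is the gap the comment describes, and the remaining cases show the same requests once the guard is applied to every route.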
I had to import Foundation\Http\Kernel instead of Contracts\Http\Kernel because phpstan complained the pushMiddleware method is not present on the interface.
I tried this in a simple app. Seems to work as expected. Verification welcome!
@simonhamp About the necessary header. Any scenarios this isn't accounted for already?
I don't think so. Just something we need to remember to do in case we add new ways to call the Laravel backend.
Shall I remove this section from the docs entirely or leave a note about this behaviour?
At the bottom: https://nativephp.com/docs/desktop/1/digging-deeper/security#the-web-servers
Does anyone remember why we didn't merge this? ^^
I know we had a discussion on Discord too but can't remember the outcome.
I was wondering what to do with the docs & it slipped my mind.
Just pushed it: https://github.com/NativePHP/nativephp.com/pull/127
Merged this in as docs also merged.