Laravel 11: Authorizing Users on page load returns Null user and Unauthorized
Issue:
On page load the auth user is null and causes the auth callback to be false.
Specs:
PHP: v8.3.3
Composer:
```json
"require": {
    "php": "^8.2",
    "inertiajs/inertia-laravel": "^1.0",
    "laravel/framework": "^11.0",
    "laravel/jetstream": "^5.0",
    "laravel/sanctum": "^4.0",
    "laravel/tinker": "^2.9",
    "opcodesio/log-viewer": "^3.0",
    "tightenco/ziggy": "^2.0"
},
"require-dev": {
    "fakerphp/faker": "^1.23",
    "laravel/pint": "^1.13",
    "laravel/sail": "^1.26",
    "laravel/telescope": "^5.0",
    "mockery/mockery": "^1.6",
    "nunomaduro/collision": "^8.0",
    "phpunit/phpunit": "^11.0",
    "spatie/laravel-ignition": "^2.4",
    "barryvdh/laravel-debugbar": "^3.13",
    "itsgoingd/clockwork": "^5.2"
},
```
Problem Solving:
In Laravel 11 the providers have moved and I'm not sure if it's causing this to behave this way. Inside my AppServiceProvider I added something like the following:
```php
LogViewer::auth(function ($request)
{
    $roles = config('log-viewer.roles');
    $hasAccess = (new RolePermissionHelper)->userHasRole($request->user(), $roles);
    return $hasAccess;
});
```
If I dump the $request->user() on the page load it is Null, but if I dd the user, it shows the user with all of its data. Also if I dump($hasAccess) the result is false, and if I dd($hasAccess) the result is true, but still comes back Unauthorized. If I return true; it does work (expected since it's straight logic).
I thought that maybe the api or web middleware was blocking it somehow, so I added the following inside of bootstrap/app.php which is new in Laravel 11 to append/prepend (I tried both append/prepend) to the middleware:
```php
$middleware->web(append: [
    \App\Http\Middleware\HandleInertiaRequests::class,
    \Illuminate\Http\Middleware\AddLinkHeadersForPreloadedAssets::class,
    \Opcodes\LogViewer\Http\Middleware\AuthorizeLogViewer::class,
]);
$middleware->api(append: [
    \Opcodes\LogViewer\Http\Middleware\AuthorizeLogViewer::class,
]);
```
This has the same result of Unauthorized.
I also tried adding it to every other Provider I have to see if it would make a difference (it didn't).
Additional Info:
This problem did not occur for me in Laravel ^10. Unfortunately this is a private repo/company site so I can't share the full code. I also looked at this Issue 264 since it seemed similar, but it didn't quite apply in this situation.
I'm running out of ideas of things to try, so any help would be appreciated. Thank you!
hey @webdevnerdstuff
can you share your config/log-viewer.php configuration? Does the middleware property include the 'web' middleware? Otherwise the authenticated user will not be resolved for Log Viewer routes.
```php
<?php
return [
    'enabled' => env('LOG_VIEWER_ENABLED', true),
    'api_only' => env('LOG_VIEWER_API_ONLY', false),
    'require_auth_in_production' => true,
    'route_domain' => null,
    'route_path' => 'admin/logs',
    'back_to_system_url' => config('app.url', null),
    'back_to_system_label' => null, // Displayed by default: "Back to {{ app.name }}"
    'timezone' => null,
    'middleware' => [
        'web',
        \Opcodes\LogViewer\Http\Middleware\AuthorizeLogViewer::class,
    ],
    'roles' => env('LOG_VIEWER_ROLES') ? explode(',', env('LOG_VIEWER_ROLES')) : null,
    'api_middleware' => [
        \Opcodes\LogViewer\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
        \Opcodes\LogViewer\Http\Middleware\AuthorizeLogViewer::class,
    ],
    'api_stateful_domains' => env('LOG_VIEWER_API_STATEFUL_DOMAINS') ? explode(',', env('LOG_VIEWER_API_STATEFUL_DOMAINS')) : null,
    'hosts' => [
        'local' => [
            'name' => ucfirst(env('APP_ENV', 'local')),
        ],
    ],
    'include_files' => [
        '*.log',
        '**/*.log',
        // You can include paths to other log types as well, such as apache, nginx, and more.
        '/var/log/httpd/*',
        '/var/log/nginx/*',
        // MacOS Apple Silicon logs
        '/opt/homebrew/var/log/nginx/*',
        '/opt/homebrew/var/log/httpd/*',
        '/opt/homebrew/var/log/php-fpm.log',
        '/opt/homebrew/var/log/postgres*log',
        '/opt/homebrew/var/log/redis*log',
        '/opt/homebrew/var/log/supervisor*log',
        // '/absolute/paths/supported',
        '/var/log/pbunny/*',
    ],
    'exclude_files' => [
        // 'my_secret.log'
    ],
    'hide_unknown_files' => true,
    'shorter_stack_trace_excludes' => [
        '/vendor/symfony/',
        '/vendor/laravel/framework/',
        '/vendor/barryvdh/laravel-debugbar/',
    ],
    'cache_driver' => env('LOG_VIEWER_CACHE_DRIVER', null),
    'lazy_scan_chunk_size_in_mb' => 200,
    'strip_extracted_context' => true,
];
```
Having the same error after upgrading to Laravel 11.
Sorry, in my case the Gate definition was missing in a Service Provider after the Laravel 11 update.
Hey 👋 I'm experiencing the same problem after upgrading to Laravel v11.x. Before, everything was fine. So, what I do:
bootstrap/app.php:
```php
return Application::configure(basePath: dirname(__DIR__))
    ->registered(function (Application $app) {
        $app->usePublicPath(path: base_path('/../public_html'));
    })
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        commands: __DIR__.'/../routes/console.php',
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware) {
        $middleware->alias([
            'role' => RoleMiddleware::class,
            'permission' => PermissionMiddleware::class,
            'role_or_permission' => RoleOrPermissionMiddleware::class,
        ]);
        $middleware->web(append: [
            AuthorizeLogViewer::class,
        ]);
    })
    ->withExceptions(function (Exceptions $exceptions) {
        //
    })->create();
```
Providers/AppServiceProvider.php:
```php
public function boot(): void
{
    LogViewer::auth(function ($request) {
        return $request->user()
            && $request->user()->hasRole('super_admin');
    });
}
```
If I make a dd($request->user() && $request->user()->hasRole('super_admin')); it returns true
log-viewer.php
I've also added this in the config file:
```php
'middleware' => [
    'web', ViewLogs::class,
    AuthorizeLogViewer::class,
],
```
Did I miss something? I've a 401 😇 Thank you
@AlexandreCConcept try to set LOG_VIEWER_API_STATEFUL_DOMAINS in your .env file.
It's good, thanks! 😃
i fixed mine by making sure APP_URL is same as the domain
> i fixed mine by making sure APP_URL is same as the domain
can you explain more about this?
If you host your app behind a domain yourdomain.com, then that should be the value of your APP_URL environment variable. It should match the domain (or subdomain) you enter in the browser to visit your app.
I fixed it changing my APP_URL, I was accessing the domain with www but there was no www in the APP_URL definition.
This is still not working on Laravel 12, might use an alternative package :(
@alexlopezit LOG_VIEWER_API_STATEFUL_DOMAINS should not contain http://. Add only the domain name.
Hey all!
The issue happened because the APP_URL was not defined, which meant that the current domain (whatever it might be) was not considered stateful and the session did not start, which led to the API routes being unauthenticated.
Tagged a new release which will include the fix - v3.21.0
Let me know if you have any follow up questions.
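The failure modes reported in this thread (undefined APP_URL, a www mismatch, a scheme in LOG_VIEWER_API_STATEFUL_DOMAINS), as an added example that is not part of the original thread and is not Log Viewer's own code. It is a simplified model: the function names, the example.test hosts and the rule that the stateful list falls back to the APP_URL host are assumptions made for illustration.

```php
<?php
// Added illustration: a simplified stand-in for a stateful-domain check.
// It is NOT the package's middleware; the matching rule is an assumption.

/** Reduce an Origin/Referer value or a URL to a lowercase "host[:port]". */
function hostOf(string $value): string
{
    $value = preg_replace('#^https?://#i', '', trim($value));
    return strtolower(explode('/', $value, 2)[0]);
}

/**
 * Configured stateful domains: the explicit list if set, otherwise
 * (assumed fallback) the host of APP_URL, otherwise nothing.
 */
function statefulDomains(?string $statefulEnv, ?string $appUrl): array
{
    if ($statefulEnv) {
        // Entries are compared as written, so an entry with a scheme never matches.
        return array_map(fn ($d) => strtolower(trim($d)), explode(',', $statefulEnv));
    }
    return $appUrl ? [hostOf($appUrl)] : [];
}

/** True when the host the browser sent is in the stateful list. */
function isStateful(?string $origin, ?string $statefulEnv, ?string $appUrl): bool
{
    if ($origin === null) {
        return false; // no Origin/Referer: the request is not treated as first-party
    }
    return in_array(hostOf($origin), statefulDomains($statefulEnv, $appUrl), true);
}

// Constructed cases mirroring the reports in this thread:
// [browser origin, LOG_VIEWER_API_STATEFUL_DOMAINS, APP_URL]
$cases = [
    'APP_URL undefined'              => ['https://example.test',     null, null],
    'www in browser, not in APP_URL' => ['https://www.example.test', null, 'https://example.test'],
    'scheme in stateful list'        => ['https://example.test',     'http://example.test', null],
    'APP_URL matches browser'        => ['https://www.example.test', null, 'https://www.example.test'],
    'bare domain in stateful list'   => ['https://example.test',     'example.test', null],
];

foreach ($cases as $label => [$origin, $env, $appUrl]) {
    $result = isStateful($origin, $env, $appUrl) ? 'session starts' : 'no session -> 401';
    printf("%-32s %s\n", $label, $result);
}
```

Only the last two cases are treated as stateful; the first three correspond to the 401 / Unauthorized reports above.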