8000 Bug: auth.required middleware is not triggered on dynamic routes within app()->group() · Issue #32 · leafsphp/auth · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Bug: auth.required middleware is not triggered on dynamic routes within app()->group() #32

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ronaldomussa opened this issue Apr 7, 2025 · 2 comments
Open

Bug: auth.required middleware is not triggered on dynamic routes within app()->group() #32

ronaldomussa opened this issue Apr 7, 2025 · 2 comments
Labels
bug Something isn't working

Comments

@ronaldomussa
Copy link

When using auth.required middleware inside app()->group(), dynamic routes like /clients/{id} skip the middleware execution. This causes the controller to be executed even if there’s no authenticated user.

It works fine on static routes like /clients, but on dynamic ones, the middleware is ignored.

Steps to reproduce the behavior:

In your routes/web.php, define a middleware group:

app()->group('/cms', [
    'middleware' => 'auth.required',
    function () {
        app()->get('/clients', 'Auth\ClientController@index');
        app()->get('/clients/{id}', 'Auth\ClientController@show');
    }
]);

Ensure your auth.required middleware redirects if the user is not logged in.

Access /cms/clients while logged out → ✅ Middleware works (redirects).

Access /cms/clients/1 while logged out → ❌ Controller runs, middleware is skipped.

Expected behavior
All routes (static or dynamic) inside the app()->group() with auth.required should be protected. If a user is not logged in, the middleware should redirect and prevent controller execution.

Additional context
Leaf version: v3.x

Middleware is registered via auth()->middleware('auth.required', callback)

DevTools log shows controller is called before the middleware on dynamic routes.
@mychidarko
Copy link
Member

Hi @ronaldomussa, I'm just seeing this. Will try to replicate on my end, thanks for the detail

@mychidarko mychidarko transferred this issue from leafsphp/leaf Apr 7, 2025
@mychidarko mychidarko marked this as a duplicate of #31 Apr 7, 2025
@ronaldomussa
Copy link
Author
ronaldomussa commented Apr 8, 2025
edited
Loading

Hello @mychidarko, I just fix this issue on leaf/src/Router.php with this code replacing the line 827

$routesToRun = array_filter($routeToHandle, function ($route) use ($uri) {
          $pattern = $route['route']['pattern'];
      
          // Converte para regex se contiver parâmetros dinâmicos
          $regexPattern = '#^' . preg_replace('/\{[^}]+\}/', '([^/]+)', $pattern) . '$#';
      
          return preg_match($regexPattern, $uri)
              || $pattern === $uri
              || $pattern === '/.*'
              || implode('/', $route['params'] ?? []) === ltrim($uri, '/');
      });

Root cause
In Router.php, the current logic inside handle() uses a direct equality check on $route['route']['pattern'] === $uri, which fails for dynamic route patterns.

Fix
This PR replaces that brittle check with a preg_match to verify if the route pattern matches the URI:

This fix was tested in a real project using dynamic routes inside a group with middleware. After this change, middleware was properly triggered before controller execution.

Image

@ronaldomussa ronaldomussa reopened this Apr 8, 2025
@mychidarko mychidarko added the bug Something isn't working label Apr 12, 2025 — with Linear
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ronaldomussa @mychidarko
0