Play it Again, SAML

I had to integrate SAML authentication on a Laravel application, so I composer required the laravel-saml2 package (actually, the remove_mcrypt branch. You know: mcrypt has been dropped in PHP 7.2...) and configured it to attach to the SimpleSAML-PHP instance I recently deployed. Of course nothing worked out of the box, so my experience is worth a blog post. On the server side (SimpleSAML-PHP): the standard response for authentication includes the password attribute. With the user's password hash in binary format. And, aside from the security implications of this, the…

Social Logout

Again about the Laravel application involving Google login: it is often used on computers shared among many people, and logging in to Google means that all of the services are then enabled and accessible from those computers. Mostly undesirable, of course. Socialite logout does not imply Google logout, nor any form of OAuth logout. So I had to provide a trick. The new logout() function looks like: public function logout() { Auth::logout(); $url = sprintf('https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=%s', route('login')…

Update my Models

Today I've discovered a particular behaviour of Laravel models' event handling: the updating event is not fired if the object's attributes have not really been modified. More specifically, if isDirty() returns FALSE. So, your Model::updating() callback is not really executed for each save() on an existing model, but only when something changed. This is probably desirable in most cases (no extra events fired when not required), but not always. In my particular situation, this behaviour collided with a Model::saved() callback expecting some job to be always done by…

Falling in a Dot

After many hours debugging a Laravel application, I've found the issue. The Request object handles input arrays using a so-called "dot notation", to permit you to directly access structured information in the form of $name = $request->input('products.0.name'); That's really cool. Until you don't give a fuck about direct array access, but instead you need variables containing a dot in the name in your POSTed data. Those will be silently replaced with underscores, and you will spend a whole evening trying to make sense of…

Get Informed by Troubles

Today I opened the logs of a Laravel application of mine, publicly available. And found lots of exceptions. Quickly, I realized those were generated by a new user trying to do stuff no one ever tried (and no one ever noticed as failing). Once the issues were fixed, I decided that the problem had to be resolved: how to stay informed about errors of my applications, avoiding the boring routine of consulting logs every day? Reading logs is a sysadmin's job, I'm a developer, my job is to be lazy... So,…

Multilaravel

I have a Laravel application with a few dependencies, but it is enough to require almost 200MB on disk. I suppose this is the price for convenient dependency installation and upgrade... This application has to be hosted in multiple instances, but it does not seem a viable solution to duplicate everything for all of them. So, I've managed to convince a single instance to act in different ways according to the web domain from which it is reached. In bootstrap/app.php, just below $app initialization, I've added if (true) { // this is…

Diving into Laravel Password Reset

Laravel provides out-of-the-box user management, handling authentication, password recovery, authorization and much more. But to work it expects some preconditions, and if you violate those preconditions you have to manually re-wire many things. The precondition I've violated today is that users do not have a single associated email address, but many contacts of different types are listed in a different table of the database. This implies that the password recovery mechanism no longer has a mail address to which to send the reset link, and everything breaks badly. Anyway, hacking around I've been…

Laravel Dynamic Mail Configuration

Use case: from a Laravel application, use a dynamic (database driven) configuration for sending mails. Eventually, different for each user who is actually logged in. Everywhere on the internet you find references to this thread on a forum, recommending to load the configuration and create a new Mailer to overwrite the one registered at bootstrap, but it is obsolete: the mentioned share method no longer exists in Laravel 5.4. Probably there is a different way to do the same thing, but I've achieved my goal in an easier way: don't…

They Are Many

In a complex Laravel application I'm working on, I had to implement a dynamic system to integrate external and heterogeneous sources of data. So I built on the ServiceProviders feature provided by Laravel and created a ContentsDriver abstract class including the internal events handling flow and to be extended by the different effective files each implementing a source. Now I have to dynamically create those drivers on behalf of a configuration got from the database, and the whole construction breaks down: each ContentsDriver handles a single source, I would have…

Assets Minification Salt and Pepper

Recently I discovered this awesome Laravel module to minify and aggregate assets. My only issue was about generated hashes for aggregated files: as I had to distribute the files on different balanced servers I could not depend on mtime timestamps to salt them (as the last git pull time could slightly change on different servers), I could not leave the hashes depending only on original filenames (as they never change, and so neither did the hash, leaving rotting copies of the assets in the users' browser caches), so I had to leverage…
