I tend to put a global scope on the models that are only accessible to own users. Then it becomes really easy. No need to add any extra checks and global scope is already applied.
@joshcirre 6 months ago
That's a great option. Thanks for chiming in. I knew it was possible but I forgot what it was called. Since policies work when you're passing in a single Model (view), but I couldn't remember how to do it for listing all todos like this. This is great! ☺️
@ward7576 5 months ago
Isn't that susceptible to deletion of other people's entities or is it then protected with Livewire's fingerprinting of the payloads sent from/to server?
@AtiqSamtia 4 months ago
@ward7576 Deletion is protected by Spatie permissions and only a few roles have deletion permission.
@eziosan7208 4 months ago
Can u explain?
@Stoney_Eagle 6 months ago
I was sold Laravel for being secure and having very good guardrails and not having to worry about security. It has lived up to that reputation as long as I do my part right 😊 Laravel allows you to turn off all guardrails and ignore all best practices when you really need it, I like to just not do it and follow them. Worked out great so far!
@joshcirre 6 months ago
Exactly! There's a lot of great measures in place for you to use. It's just how to implement them for your given application. :)
@drewwellington2496 6 months ago
Great solution. Laravel rules! But the possibility of injecting another ID into a front-end element is not specific to Livewire. Literally any front-end that uses that sort of architecture (on a click, submit an id for update/delete etc) can have this problem. So questioning if "Livewire is secure" in the video title is a bit questionable.. but still a great video and solution!
@joshcirre 6 months ago
I think people who are used to JS systems see Livewire as "just PHP" and so it feels weird and even shocking knowing you can manipulate back-end methods on the front-end. Sure, once you think about it you understand that's the only way it can work. But I think there's a stigma of if it's actually secure since you're more "open" in a way to vulnerabilities with being able to talk directly to the back-end like you do in Livewire. Overall, I just wanted to show things I didn't really know when I first started in Livewire. :)
@JamesAutoDude a month ago
How does it know the specific policy file to check? Just based on the Livewire class name?
@joshcirre a month ago
It will check the policy based on the Model itself. So if you're using Route Model binding, it will apply it there or since we are finding the Todo first, then when we authorize that Todo it will grab the policy related to the Todo model. :)
@marcosaugustoschultzwutke6670 6 months ago
I have Laravel 11, Breeze and Livewire 3 installed. The command “$this->reset('title')” is clearing the variable in Livewire, but the input field keeps the last text typed. And when submitting the form with that text, the “required” validation reports that the field is empty. Have you ever seen this happen in Livewire?
@MaximillianHeth 5 months ago
I think you have to put the "wire:model" attribute on the input field to connect it to the respective property on the Livewire component for it to work the way you want, if I remember correctly. However, I haven't used Livewire in a while, so I don't know if that is the ideal solution. Good luck, and sorry for my mistakes. Portuguese is my 4th language.
@popetgirl 6 months ago
For a multi-tenant app it's better to use a UUID as the primary key, not an integer value. What's your thought?
@joshcirre 6 months ago
It depends if it’s publicly accessible and the type of application, but I think UUIDs are for specific problems to solve and more for looks than anything. ☺️ The Mostly Technical Podcast with Aaron and Ian did a segment on this that was FANTASTIC.
@popetgirl 6 months ago
@joshcirre I will have a look at that podcast. I have used hashid for one of my projects with an integer primary key, which helps me hide the id as a hash.
@markos8971 6 months ago
I love the content Josh and this subject is exactly what I was waiting for. I am looking for ACL type of the implementation and ways to implement it (understand how would it work on Laravel). I am using Filament 3 btw, slightly different approach but applicable.
@joshcirre 6 months ago
Filament is so deeply rooted in these conventions, it's AWESOME. Most of how you enable people to view things, edit, etc. in Filament is all policies. ☺️
@exeis1052 6 months ago
Hello Josh, can I please get the GitHub repo of the code shown in this video? Thanks
@joshcirre 6 months ago
Hey! Sure thing. I added onto my "Laravel Speedrun" repo since that was the project I was working in so there might be a few additional things in there that I didn't show in the video. But here you go! github.com/joshcirre/laravel-speedrun
@vanvanni_nl 6 months ago
But this is general sense right? Also for the people using Livewire... If you make an API that would delete the TODO, you would also check if the user is authorized to call a delete on that specific row? Or am I missing something
@joshcirre 6 months ago
Well, you aren't missing anything; that's exactly correct. But it might not be general sense if you're new to programming or even new to Livewire. Since Livewire feels "server first" it might be weird to think you can manipulate methods called on the client. That being said, a lot of the content I am trying to share is for newer to "full stack" programmers (new to Laravel/Livewire) and then JS to Laravel devs where you don't think about stuff like this in JS world.
@cuts_pro_trick 6 months ago
So you are finally using PhpStorm and Laravel Idea? Which theme?
@joshcirre 6 months ago
I'm actually still using VS Code. :) This is the Catppuccin Frappe theme.
@nasko235679 6 months ago
I have a bit of a weird question - does the database get queried every time we check if the user is authorized? I'm brand new to Laravel and IDK how Laravel auth works. Is it based on JWT tokens or on database sessions?
@AtiqSamtia 6 months ago
Auth is based on session and only once the user model is resolved and now it is available everywhere for you to use, via Auth::user(), auth()->user(), $request->user(). Also the same user object is passed automatically by the framework for authorization policies. Not querying every time. Laravel is really easy to optimize for database queries. Tip: install Laravel debugbar and you'll be able to see all queries executed for a request. Happy coding 💖
@joshcirre 6 months ago
Atiq is spot on. The authorization piece is based on the session so it doesn't need to query the database for the user every single time. Also Debugbar is fantastic.
@nasko235679 6 months ago
@joshcirre Man coming from NextJS and coming to grips with this entire new model of work is so difficult for my brain. VSCode being terrible to use with Laravel (even with all the fancy extensions) doesn't help it either. I wanna be a Laravel developer but at times I just wanna give up.
@joshcirre 6 months ago
My “current” choice for VSCode extensions is Intelephense and then the TALL Stack plugin collection. But, the Laravel team is working on a vs code extension to help with these issues. ☺️
@markos8971 6 months ago
@nasko235679 No giving up on Laravel :) PHPStorm is your IDE friend if you've found VSCode hard to use. Imports are the worst part, and PHPStorm takes care of it.
@JonBrookes 6 months ago
Ace video, thanks. Another reason to use Laravel as having policies built in and ready to go is yet something else you don't have to write, so long as you use it that is. Another thing that could be done I guess is testing, so a feature or end to end test to see if you can legally CRUD as well as be stopped when not could be another safety net. I found Livewire to have its own way of doing this in feature tests or you could use another framework like Playwright which I like quite a lot. I'd be interested to know what your thoughts are on such and which approaches you favor be it TDD, feature testing or tad as I call it ( test after development ).
@joshcirre 6 months ago
Thanks for watching Jon. :) To be honest, I'm still learning about testing myself. I haven't really had to do it and haven't really forced myself to learn how to do it. So I might have to do a deep dive one day and then share my learnings. ☺️
@JonBrookes 6 months ago
@joshcirre I'm one that tried unit testing, applying to everything thinking it was TDD to then have everything break when I refactored, back in the day. Now I take a more measured approach having seen sense in my earlier folly. I must admit I like the idea of the structures of TDD however getting something out of the door and to market early is also an attractive proposition. Laravel I believe is well tested and by using it t/w its opinionated approach to architecture permits us to have an already reliable thing in our lives, even if we do nothing as regards testing, someone else has done at least some of the work for us.
@camfitz7252 6 months ago
Very informative, thank you 😊
@joshcirre 6 months ago
Super glad it helped you. ☺️
@itsmenewbie03 6 months ago
Loved the Dark Mode Theme 😍
@joshcirre 6 months ago
Thank you. It's my *current* favorite. :)
@cuts_pro_trick 6 months ago
@joshcirre name please
@stevebraintv 6 months ago
Thanks for this piece Josh! Very informative. Just curious, what Theme are you using for your PhpStorm and everything in between that?
@joshcirre 6 months ago
Thanks Steve! This is actually VS Code and it's the Catppuccin Frappe theme. :)
@marekbee 6 months ago
Great video! Side question: what software are you using for screen recordings???
@joshcirre 6 months ago
I'm actually just using OBS to record. ☺️
@shubhamsahuSD 6 months ago
Livewire is my first choice over React and Vue...
@joshcirre 6 months ago
I love Livewire. It's when everything started to "click" for me with Laravel. :)
@williamdk2968 6 months ago
This is something I didn't know about. Modifying the frontend. Thanks @joshcirre