Is Laravel Livewire actually secure?
- Published: 7 Sep 2024
- There are security concerns that you have to think about when building applications in Laravel and Livewire. But how can we fix some of those concerns? Laravel gives you authorization policies out of the box, but how do we apply them in Laravel Livewire? And do we actually need them?
Let's take a look.
(Take a look at the Livewire docs on security for even more ways to keep your Livewire app secure. ☺️)
Links:
Laravel Video on Authorization: • Authorization in Larav...
Livewire Docs on Security: livewire.larav...
Keep creating.
---
📹 *Watch My VSCode Setup Video:* • My Minimal and Beautif...
🎓 *Make VSCode Awesome - Caleb Porzio's Course (support me with this link):* gumroad.com/a/...
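The core point of the video is that a Livewire action such as `wire:click="delete({{ $todo->id }})"` puts the row ID in the HTML, and anyone can change that ID before the request is sent. The example below is added here and is not code from the video or from the `laravel-speedrun` repo: it shows the unchecked delete method next to one that asks a Laravel policy whether the current user may delete that specific row. The `Todo` model with a `user_id` column, the `TodoPolicy` class, and the `TodoList` component are assumptions for illustration; Laravel discovers `App\Policies\TodoPolicy` for `App\Models\Todo` by its default naming convention.

```php
<?php
// Added example, not from the video or its repo. Two files are shown in one
// listing; in a real app each class lives in its own file under app/.

// ---- app/Policies/TodoPolicy.php (assumed) --------------------------------
namespace App\Policies;

use App\Models\Todo;
use App\Models\User;

class TodoPolicy
{
    // Only the owner of the row may delete it. Laravel resolves this policy
    // automatically for App\Models\Todo, so no manual Gate registration is needed.
    public function delete(User $user, Todo $todo): bool
    {
        return $user->id === $todo->user_id;
    }
}

// ---- app/Livewire/TodoList.php (assumed) -----------------------------------
namespace App\Livewire;

use App\Models\Todo;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Component;

class TodoList extends Component
{
    use AuthorizesRequests;

    // VULNERABLE: the Blade view renders wire:click="deleteInsecure({{ $todo->id }})".
    // The id is client-controlled; editing it in dev tools (or replaying the
    // Livewire request with another id) deletes a row owned by someone else.
    public function deleteInsecure(int $id): void
    {
        Todo::findOrFail($id)->delete();
    }

    // HARDENED: load the row, then let TodoPolicy::delete decide for *that* row.
    // A forged id belonging to another user throws AuthorizationException (403);
    // an id that does not exist throws ModelNotFoundException (404).
    public function delete(int $id): void
    {
        $todo = Todo::findOrFail($id);
        $this->authorize('delete', $todo);
        $todo->delete();
    }

    public function render()
    {
        // Scope the listing to the current user too: the policy guards the
        // action, the query guards what is shown.
        return view('livewire.todo-list', [
            'todos' => Todo::where('user_id', auth()->id())->latest()->get(),
        ]);
    }
}
```

The check has to run server-side inside the action, because everything on the client, including the rendered ID and the request payload, is attacker-controlled. Livewire's checksum on the component snapshot stops tampering with server-managed state, but method arguments are data the browser is expected to supply, so the checksum does not protect them. A global scope that limits `Todo` queries to the current user, as one commenter below suggests, achieves the same result for the listing and for `findOrFail`, and the two approaches can be combined.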
I tend to put a global scope on the models that are only accessible to their own users. Then it becomes really easy. No need to add any extra checks, and the global scope is already applied.
That's a great option. Thanks for chiming in. I knew it was possible but I forgot what it was called. Since policies work when you're passing in a single Model (view), but I couldn't remember how to do it for listing all todos like this.
This is great! ☺️
Isn't that susceptible to deletion of other peoples' entities or is it then protected with Livewire's fingerprinting of the payloads sent from/to server?
@ward7576 Deletion is protected by Spatie permissions, and only a few roles have the deletion permission.
Can you explain?
I was sold laravel for being secure and having very good guiderails and not having to worry about security. It has lived up to that reputation as long as I do my part right 😊
Laravel allows you to turn off all guiderails and ignore all best practices when you really need it, I like to just not do it and follow them. Worked out great so far!
Exactly! There's a lot of great measures in place for you to use. It's just how to implement them for your given application. :)
Great solution. Laravel rules! But the possibility of injecting another ID into a front-end element is not specific to Livewire. Literally any front-end that uses that sort of architecture (on a click, submit an ID for update/delete, etc.) can have this problem. So questioning if "Livewire is secure" in the video title is a bit questionable... but still a great video and solution!
I think people who are used to JS systems see Livewire as "just PHP", and so it feels weird and even shocking knowing you can manipulate back-end methods on the front-end. Sure, once you think about it you understand that's the only way it can work. But I think there's a stigma about whether it's actually secure, since you're more "open" in a way to vulnerabilities with being able to talk directly to the back-end like you do in Livewire.
Overall, I just wanted to show things I didn't really know when I first started in Livewire. :)
I love the content Josh and this subject is exactly what I was waiting for. I am looking for ACL type of the implementation and ways to implement it (understand how would it work on Laravel). I am using Filament 3 btw, slightly different approach but applicable.
Filament is so deeply rooted in these conventions, it's AWESOME. Most of how you enable people to view things, edit, etc. in Filament is all policies. ☺️
Thanks for this piece Josh! Very informative
Just curious, what Theme are you using for your PhpStorm and everything in between that?
Thanks Steve! This is actually VS Code and it's the Catppuccin Frappe theme. :)
I have Laravel 11, Breeze and Livewire 3 installed. The command "$this->reset('title')" clears the variable in Livewire, but the input field keeps the last text typed. And when I submit the form with that text, the "required" validation reports that the field is empty. Have you seen this happen in Livewire?
I think you have to put the "wire:model" attribute on the input field to connect it to the corresponding property in the Livewire component for it to work the way you want, if I remember correctly. But it's been a while since I used Livewire, so I don't know if that's the right solution. Good luck, and sorry for my mistakes. Portuguese is my 4th language.
Loved the Dark Mode Theme 😍
Thank you. It's my *current* favorite. :)
@joshcirre name please
Ace video, thanks. Another reason to use Laravel: having policies built in and ready to go is yet something else you don't have to write, so long as you use it, that is.
Another thing that could be done, I guess, is testing, so a feature or end-to-end test to see if you can legally CRUD as well as be stopped when not could be another safety net. I found Livewire to have its own way of doing this in feature tests, or you could use another framework like Playwright, which I like quite a lot.
I'd be interested to know what your thoughts are on such, and which approaches you favor, be it TDD, feature testing, or TAD as I call it (test after development).
Thanks for watching Jon. :)
To be honest, I'm still learning about testing myself. I haven't really had to do it and haven't really forced myself to learn how to do it. So I might have to do a deep dive one day and then share my learnings. ☺️
@joshcirre I'm one that tried unit testing, applying it to everything thinking it was TDD, only to have everything break when I refactored, back in the day. Now I take a more measured approach, having seen sense in my earlier folly. I must admit I like the idea of the structures of TDD; however, getting something out of the door and to market early is also an attractive proposition.
Laravel, I believe, is well tested, and using it together with its opinionated approach to architecture permits us to have an already reliable thing in our lives; even if we do nothing as regards testing, someone else has done at least some of the work for us.
Very informative, thank you 😊
Super glad it helped you. ☺️
For a multi-tenant app, is it better to use a UUID as the primary key rather than an integer value? What's your thought?
It depends if it’s publicly accessible and the type of application, but I think UUIDs are for specific problems to solve and more for looks than anything. ☺️
The Mostly Technical Podcast with Aaron and Ian did a segment on this that was FANTASTIC.
@joshcirre I will have a look at that podcast. I have used hashids for one of my projects with integer primary keys, which helped me hide the id as a hash.
Great video! side question: what software are you using for screen recordings???
I'm actually just using OBS to record. ☺️
But this is general sense, right? Also for the people using Livewire... If you make an API that would delete the TODO, you would also check if the user is authorized to call a delete on that specific row? Or am I missing something?
Well, you aren't missing anything that's exactly correct. But it might not be general sense if you're new to programming or even new to Livewire. Since Livewire feels "server first" it might be weird to think you can manipulate methods called on the client.
That being said, a lot of the content I am trying to share is for newer to "full stack" programmers (new to Laravel/Livewire) and then JS to Laravel devs where you don't think about stuff like this in JS world.
So are you finally using PhpStorm and Laravel Idea? Which theme?
I'm actually still using VS Code. :) This is the Catppuccin Frappe theme.
Hello josh, can I please get the GitHub repo of the code shown in this video? Thanks
Hey! Sure thing. I added onto my "Laravel Speedrun" repo since that was the project I was working in so there might be a few additional things in there that I didn't show in the video. But here you go!
github.com/joshcirre/laravel-speedrun
I have a bit of a weird question - does the database get queried every time we check if the user is authorized? I'm brand new to laravel and IDK how laravel auth works. Is it based on JWT tokens or on database sessions?
Auth is based on the session, and the user model is resolved only once; after that it is available everywhere for you to use, via Auth::user(), auth()->user(), $request->user().
Also, the same user object is passed automatically by the framework to authorization policies. It is not querying every time.
Laravel is really easy to optimize for database queries.
Tip: install Laravel debugbar and you'll be able to see all queries executed for a request. Happy coding 💖
Atiq is spot on. The authorization piece is based on the session so it doesn't need to query the database for the user every single time. Also Debugbar is fantastic.
@joshcirre Man, coming from NextJS and coming to grips with this entire new model of work is so difficult for my brain. VSCode being terrible to use with Laravel (even with all the fancy extensions) doesn't help it either. I wanna be a Laravel developer, but at times I just wanna give up.
My “current” choice for VSCode extensions is Intelephense and then the TALL Stack plugin collection.
But, the Laravel team is working on a vs code extension to help with these issues. ☺️
@nasko235679 No giving up on Laravel :) PhpStorm is your IDE friend if you've found VSCode hard to use. Imports are the worst part, and PhpStorm takes care of them.
Livewire is my first choice over React and Vue...
I love Livewire. It's when everything started to "click" for me with Laravel. :)
This is something I didn't know about. Modifying the frontend. Thanks @joshcirre
Glad I could help. :)