Latest Update broke auth #408
Comments
|
Hey there, thanks for reporting this issue. We'll need more info and/or code to debug this further. Can you please create a repository with the command below, commit the code that reproduces the issue as one separate commit on the main/master branch and share the repository here? Please make sure that you have the latest version of the Laravel installer in order to run this command. Please also make sure you have both Git & the GitHub CLI tool properly set up. Do not amend and create a separate commit with your custom changes. After you've posted the repository, we'll try to reproduce the issue. Thanks! |
|
I also noticed this, I employ a custom authorizer because I use sanctum API tokens. But this is no longer supported, it seems mainly because of changes in Pusher. Instead of that I now use this, which seems to work: Maybe this helps @robgordon89 ? This isn't really documented anywhere. |
|
How can I use a custom authorizer that would post with axios? I'm using Breeze Nextjs with Breeze API only (Laravel), Sanctum requires CSRF tokens and that'd be saved when the auth happens. In But now, my broadcasting/auth url defaults to the frontend url, instead of the backend url I set. If I set channelAuthorization endpoint, then there's no longer a CSRF token that my axios had when logging in. |
|
Check the source of Would be nice to have some proper documentation for this. |
|
I'm having the same problem. I was trying to authenticate using the 1.18.0 version, but everything i tried wasn't working. I downgraded it to 1.17.1 and everything works fine. |
|
My application has Further, after moving from |
|
Here are some repro steps, may or may not be the same issue as everyone is facing, or at least related. It looks like the options are being malformed under some conditions. Error in FF is index.html And Something to do with fetching the csrf token from the meta tag, and the structure of the channelAuth options seems to mess with the _defaultOptions and knock the headers key off. Also in this particular instance, if relevant - the CSRF token in the page isn't even the one we want. Our Vue app which uses echo is embedded in a bunch of sites, which may or may not have their own tokens in the <head>, we don't even want the token auto-fetched... |
|
Hello! In the project I am working with using Angular and a Laravel API it also breaks the auth requrest. |
|
Hey there, thanks for reporting this issue. We'll need more info and/or code to debug this further. Can you please create a repository with the command below, commit the code that reproduces the issue as one separate commit on the main/master branch and share the repository here? Please make sure that you have the latest version of the Laravel installer in order to run this command. Please also make sure you have both Git & the GitHub CLI tool properly set up. Do not amend and create a separate commit with your custom changes. After you've posted the repository, we'll try to reproduce the issue. Thanks! |
I thought I was the only one. I've been struggling for days with the auth part as well. Found out The issue is that whatever is in |
Hello @filipescaglia |
In |
|
Also broke our config updating from 1.17.1 to 1.18.0 import ApiService from "@/services/ApiService";
import Echo from "laravel-echo";
import Pusher from "pusher-js";
const initEchoConfig = () => {
window.Pusher = Pusher;
window.Echo = new Echo({
broadcaster: "reverb",
key: import.meta.env.VITE_REVERB_APP_KEY,
wsHost: import.meta.env.VITE_REVERB_HOST,
wsPort: import.meta.env.VITE_REVERB_PORT ?? 80,
wssPort: import.meta.env.VITE_REVERB_PORT ?? 443,
forceTLS: (import.meta.env.VITE_REVERB_SCHEME ?? "https") === "https",
enabledTransports: ["ws", "wss"],
authorizer: (channel: any) => {
return {
authorize: (socketId: string, callback: any) => {
ApiService.post(
import.meta.env.VITE_APP_API_URL + "/broadcasting/auth",
{
socket_id: socketId,
channel_name: channel.name,
},
)
.then((response) => {
callback(false, response.data);
})
.catch((error) => {
console.debug("error: ", +error.data);
callback(false, error);
});
},
};
},
});
};
export default initEchoConfig; |
|
Someone can either submit a PR to fix or send in the reproducing repository so the team can look for a possible fix. |
|
It's a bit cumbersome to make a repository because besides the code it also involves setting up a Pusher compatible server. Either way it's clear that the removal of the IMHO this change should be reverted and a new version |
Technically based on how we handle changes for Socialite and Scout, 3rd party breaking changes doesn't dictate major release. Again, you are free to submit a PR but in order for the team to verify this and submit one we need a reproducing repository. |
|
Yup, just updated and saw this issue as well - our auth using the custom authorizer no longer worked, and we spent all day trying to figure out wtf is going on... This should have been in a 2.x release as it broke compatibility. At the very least, authorizer should have been deprecated, updated in the documentation and removed as part of a major version update.
If this is the case, you're breaking the semver standard, which everyone uses and depends on for their versioning of packages. It means that we should in fact only be allowing updates of patches, as the only way to dependably update this single package.
I'd also highly recommend that the EchoOptions (which are pretty small), should be correctly typed, as that would help resolve these issues immediately for devs (ie. it would have highlighted that the option is no longer valid, as the authorizer key would be highlighted as being invalid. I'd be happy to add a PR for that. It's very easy to reproduce - add an authorizer function, and note that it's never called. It seems also that this change mostly breaks those of us who are using laravel-echo within an SPA, of which we are too. |
|
Just figured out what was going on just now as well. Experiencing this issue too after the update. |
|
Here is what I'm finding. Echo is just a wrapper for Pusher. Pusher must have changed something involving the authorizer method some of us were using as seen in examples above and like this: const echoInstance = new Echo({
broadcaster: 'pusher',
key: process.env.NEXT_PUBLIC_PUSHER_APP_KEY,
cluster: process.env.NEXT_PUBLIC_PUSHER_CLUSTER,
authorizer: (channel) => ({
authorize: async (socketId, callback) => {
try {
const response = await axios.post('/broadcasting/auth', {
socket_id: socketId,
channel_name: channel.name,
});
callback(false, response.data);
} catch (error) {
console.error('Authorization error:', error);
callback(true, error);
}
},
}),
})We were using authorizer so we could inject our global axios instances that automatically included headers for auth and xsrf tokens. With the latest changes, we can't use that method anymore as it doesn't work. You now have to add the headers and the endpoint in the configuration and let it use it's own process to fetch the authorization: const echoInstance = new Echo({
broadcaster: 'pusher',
key: process.env.NEXT_PUBLIC_PUSHER_APP_KEY,
cluster: process.env.NEXT_PUBLIC_PUSHER_CLUSTER,
channelAuthorization: {
endpoint: `${api.defaults.baseURL}/broadcasting/auth`,
headers: {
Authorization: `Bearer ${session?.accessToken}`,
'X-XSRF-TOKEN':
document.cookie.match(/XSRF-TOKEN=(.*?);/)?.[1] || '',
},
},
});I can't find how else to inject your own axios instance anywhere but the above works now. |
|
I think I found the replacement for the deprecated authorizer in the pusher-js library. It's the customHandler option on channelAuthorization. For those of you who need to modify the api request, this is what I needed but you can see the similarities from the before (above) and after (below): const echoInstance = new Echo({
broadcaster: 'pusher',
key: process.env.NEXT_PUBLIC_PUSHER_APP_KEY,
cluster: process.env.NEXT_PUBLIC_PUSHER_CLUSTER,
channelAuthorization: {
customHandler: async (payload, callback) => {
const { socketId, channelName } = payload;
try {
const response = await axios.post(
'/broadcasting/auth',
new URLSearchParams({
socket_id: socketId,
channel_name: channelName,
}),
);
callback(null, response.data); // This may be different based on your implementation. I needed response.data.
} catch (error) {
console.error('Pusher channel auth error:', error);
callback(error, null);
}
},
},
});Someone should put in a PR to the Laravel Echo client documentation making this very clear on how to use your own axios or fetch instance with this configuration for Pusher. |
Confirmed this works with the Laravel Echo v1.18 and confirmed that authorizer option no longer works in this version. |
This is a good find, but if Echo is exposing 3rd party APIs through their own, it's something we should probably wrap correctly, to protect against these sorts of things. |
Echo Version
1.18.0
Laravel Version
11
PHP Version
8.3
NPM Version
8.19.4
Database Driver & Version
No response
Description
The latest release 1.18.0 broke channel auth please see attached, reverting back to 1.17.1 resolved it, I am not sure what the issue is i didnt have time to dig into it 👍
Thanks
Bob
Steps To Reproduce
Install 1.18.0
The text was updated successfully, but these errors were encountered: