Security Tip: Be Careful of Auth Helpers
[Tip#20] Laravel's helpers are great, but make sure you know everything they do before you use them.
Greetings my friends! I hope you learnt something from last week’s In Depth about Policy Objects. It was a post I’d been thinking about for a while, so it was good to finally share it with you.
This week I’ve got another tip for you - this one comes from a vulnerable code pattern I’ve seen in use a number of times over the years. It may seem obvious in hindsight, but when you’re trying to hit a deadline implementing a “quick feature”, I can see how you’d arrive at this as a solution1.
🕵️ I do Laravel Security Audits, so please reach out if you want me to hack your site and audit the security of your Laravel app. (August is booking out quickly.)
Be Careful of Auth Helpers
(There is a TL;DR at the bottom - I don’t want to ruin the suspense, but scroll down if you’re busy.)
Laravel’s Authentication system is incredibly powerful and, coupled with the Auth facade, it makes it trivial to access the logged-in user wherever you need to. However, you also need to be careful - this power and ease also opens up some huge risks you need to be aware of.