Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/spatie/laravel-url-signer

Create and validate signed URLs with a limited lifetime
https://github.com/spatie/laravel-url-signer

laravel mail php security url

Last synced: about 2 months ago
JSON representation

Create and validate signed URLs with a limited lifetime

Host: GitHub
URL: https://github.com/spatie/laravel-url-signer
Owner: spatie
License: mit
Created: 2015-08-14T12:13:18.000Z (about 9 years ago)
Default Branch: main
Last Pushed: 2024-07-01T10:09:02.000Z (3 months ago)
Last Synced: 2024-07-23T02:16:54.433Z (about 2 months ago)
Topics: laravel, mail, php, security, url
Language: PHP
Homepage: https://freek.dev/248-url-signing-in-laravel
Size: 105 KB
Stars: 703
Watchers: 17
Forks: 49
Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Funding: .github/FUNDING.yml
- License: LICENSE.md

Awesome Lists containing this project

awesome-laravel-framework - Laravel url signer - Create and validate signed URLs with a limited lifetime (Popular Packages)

README

        # Create signed URLs with a limited lifetime in Laravel

[![Latest Version on Packagist](https://img.shields.io/packagist/v/spatie/laravel-url-signer.svg?style=flat-square)](https://packagist.org/packages/spatie/laravel-url-signer)

[![Build Status](https://img.shields.io/travis/spatie/laravel-url-signer.svg?style=flat-square)](https://travis-ci.org/spatie/laravel-url-signer)

[![Quality Score](https://img.shields.io/scrutinizer/g/spatie/laravel-url-signer.svg?style=flat-square)](https://scrutinizer-ci.com/g/spatie/laravel-url-signer)

[![Total Downloads](https://img.shields.io/packagist/dt/spatie/laravel-url-signer.svg?style=flat-square)](https://packagist.org/packages/spatie/laravel-url-signer)

This package can create URLs with a limited lifetime. This is done by adding an expiration date and a signature to the URL.

The difference with [Laravel's native route signing](https://laravel.com/docs/master/urls#signed-urls) is that using this package:

- you can easily use signed URLs between different apps

- the signing secret used is not tied to the app key

- you can easily sign any URL (and not only a route belonging to your app)

This is how you can create signed URL that's valid for 30 days:

```php

use Spatie\UrlSigner\Laravel\Facades\UrlSigner;

UrlSigner::sign('https://myapp.com/protected-route', now()->addDays(30));

```

The output will look like this:

```

https://app.com/protected-route?expires=xxxxxx&signature=xxxxxx

```

The URL can be validated with the `validate`-function.

```php

// returns `true` if the signed URL is valid, `false` if not

UrlSigner::validate('https://app.com/protected-route?expires=xxxxxx&signature=xxxxxx');

```

The package also provides [a middleware to protect routes](https://github.com/spatie/laravel-url-signer#protecting-routes-with-middleware).

## Support us

[](https://spatie.be/github-ad-click/laravel-url-signer)

We invest a lot of resources into creating [best in class open source packages](https://spatie.be/open-source). You can support us by [buying one of our paid products](https://spatie.be/open-source/support-us).

We highly appreciate you sending us a postcard from your hometown, mentioning which of our package(s) you are using. You'll find our address on [our contact page](https://spatie.be/about-us). We publish all received postcards on [our virtual postcard wall](https://spatie.be/open-source/postcards).

## Installation

As you would have guessed the package can be installed via composer:

```bash

composer require spatie/laravel-url-signer

```

You must set an environment variable called `URL_SIGNER_SIGNATURE_KEY` and set it to a long secret value. This value will be used to sign and validate signed URLs.

```

php artisan generate:url-signer-signature-key

        {--s|show : Display the key instead of modifying files.}

        {--always-no : Skip generating key if it already exists.}

        {--f|force : Skip confirmation when overwriting an existing key.}

```

The configuration file can optionally be published via:

```bash

php artisan vendor:publish --tag="url-signer-config"

```

This is the content of the file:

```php

return [

    /*

    * This string is used the to generate a signature. You should

    * keep this value secret.

    */

    'signature_key' => env('URL_SIGNER_SIGNATURE_KEY'),

    /*

     * The default expiration time of a URL in seconds.

     */

    'default_expiration_time_in_seconds' => 60 * 60 * 24,

    /*

     * These strings are used a parameter names in a signed url.

     */

    'parameters' => [

        'expires' => 'expires',

        'signature' => 'signature',

    ],

];

```

## Usage

URL's can be signed with the `sign`-method:

```php

use Spatie\UrlSigner\Laravel\Facades\UrlSigner;

UrlSigner::sign('https://myapp.com/protected-route');

```

By default, the lifetime of an URL is one day. This value can be change in the config file.

If you want a custom lifetime, you can specify the number of days the URL should be valid:

```php

use Spatie\UrlSigner\Laravel\Facades\UrlSigner;

// the generated URL will be valid for 5 minutes.

UrlSigner::sign('https://myapp.com/protected-route', now()->addMinutes(5));

// alternatively you could also pass the amount of seconds

UrlSigner::sign('https://myapp.com/protected-route', 60 * 5);

```

### Validating URLs

To validate a signed URL, simply call the `validate()`-method. This method returns a boolean.

```php

use Spatie\UrlSigner\Laravel\Facades\UrlSigner;

UrlSigner::validate('https://app.com/protected-route?expires=xxxxxx&signature=xxxxxx');

```

### Protecting routes with middleware

The package provides a middleware to protect routes.

To use it you must first register the `Spatie\UrlSigner\Laravel\Middleware\ValidateSignature` as route middleware in your HTTP kernel.

```php

// in app/Http/Kernel.php

protected $routeMiddleware = [

    // ...

    'signed-url' => \Spatie\UrlSigner\Laravel\Middleware\ValidateSignature::class,

];

```

Next, you can apply it on any route you want.

```php

Route::get('protected-route', fn () => 'Hello secret world!')

    ->middleware('signed-url');

```

Your app will abort with a 403 status code if the route is called without a valid signature.

## Changelog

Please see [CHANGELOG](CHANGELOG.md) for more information what has changed recently.

## Testing

You can run the test using this command:

```bash

composer test

```

## Usage outside Laravel

If you're working on a non-Laravel project, you can use the [framework agnostic version](https://github.com/spatie/url-signer).

## Contributing

Please see [CONTRIBUTING](https://github.com/spatie/.github/blob/main/CONTRIBUTING.md) for details.

## Security

If you've found a bug regarding security please mail [[email protected]](mailto:[email protected]) instead of using the issue tracker.

## Postcardware

You're free to use this package, but if it makes it to your production environment we highly appreciate you sending us a postcard from your hometown, mentioning which of our package(s) you are using.

Our address is: Spatie, Kruikstraat 22, 2018 Antwerp, Belgium.

We publish all received postcards [on our company website](https://spatie.be/en/opensource/postcards).

## Credits

- [Freek Van der Herten](https://github.com/freekmurze)

- [Sebastian De Deyne](https://github.com/sebastiandedeyne)

- [All Contributors](../../contributors)

## License

The MIT License (MIT). Please see [License File](LICENSE.md) for more information.