Dealing with expired signed URLs in Laravel
source link: https://freek.dev/1977-dealing-with-expired-signed-urls-in-laravel
Original – May 6th 2021 by Freek Van der Herten – 2 minute read
Out of the box, Laravel comes with the ability to generate "signed" URLs. These URLs have a hash in their query string that verifies that the URL was not modified.
At Flare, we use these signed URLs to add action links in mail notifications. The action links allow users to snooze and resolve errors right from the mail without having to be logged in. Pretty convenient!
My buddy Dries Vints noticed a slight drawback. He got a mail from Flare that contained these action links. A few hours after the mail arrived, he clicked one of the action links. This is what he saw.
This error screen is confusing: you might think that the links in the mail are invalid. To keep things secure, we use a short lifetime for our signed URLs. Dries got this screen because the link had expired.
We can improve on this by creating a dedicated error message when clicking expired or invalid links. Luckily, this is not that difficult.
When you try to validate a signed URL and the validation fails, Laravel will throw a dedicated exception: Illuminate\Routing\Exceptions\InvalidSignatureException.
In your exception handler, you can listen for that exception and render a dedicated view.
// in app/Exceptions/Handler.php
use Illuminate\Routing\Exceptions\InvalidSignatureException;

public function register()
{
    // Laravel throws this exception for both expired and modified signed URLs.
    $this->renderable(function (InvalidSignatureException $exception) {
        return response()->view('error.link-expired', status: 403);
    });
}
With that code in place, this is what Dries will see when clicking another expired link in the future.
And that is all there is to it. To avoid confusing your users, I highly recommend setting up a dedicated error message when using signed URLs.
Thanks for bringing this to my attention, Dries.
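A simplified model of an expiring signed URL, added here as an illustration (it is not Laravel's implementation and not code from the original post): the expiry timestamp is part of the signed string, so a check can tell an expired link apart from a modified one. The key, URL, timestamp and function names are constructed for the example.

```php
<?php
// Added example: simplified model of an expiring signed URL. Not Laravel's source.

const DEMO_KEY = 'constructed-demo-key'; // constructed; a real app uses its secret key

// Append the expiry, then sign the whole URL so the expiry is covered too.
function signUrl(string $url, int $expires): string
{
    $url .= (str_contains($url, '?') ? '&' : '?') . 'expires=' . $expires;

    return $url . '&signature=' . hash_hmac('sha256', $url, DEMO_KEY);
}

// Returns 'valid', 'expired' or 'invalid'.
function checkUrl(string $url, int $now): string
{
    // Simplification: the signature is always the last query parameter.
    $pos = strrpos($url, '&signature=');
    if ($pos === false) {
        return 'invalid';
    }
    $unsigned = substr($url, 0, $pos);
    $given = substr($url, $pos + strlen('&signature='));

    // Verify the signature first, in constant time. Only a correctly signed
    // URL may reach the expiry check and get the "expired" answer.
    if (! hash_equals(hash_hmac('sha256', $unsigned, DEMO_KEY), $given)) {
        return 'invalid';
    }

    parse_str((string) parse_url($unsigned, PHP_URL_QUERY), $query);

    return (int) ($query['expires'] ?? 0) > $now ? 'valid' : 'expired';
}

$now = 1620300000; // constructed timestamp
$link = signUrl('https://app.example.test/errors/42/snooze', $now + 3600);

echo checkUrl($link, $now), PHP_EOL;        // clicked within the lifetime
echo checkUrl($link, $now + 7200), PHP_EOL; // clicked hours later

// Editing the expiry to extend the lifetime no longer matches the signature.
$edited = str_replace('expires=' . ($now + 3600), 'expires=' . ($now + 86400), $link);
echo checkUrl($edited, $now + 7200), PHP_EOL;
```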