This episode is for members only

Sign up to access "Build An Uptime Monitor with Inertia" right now.

Get started
Already a member? Sign in to continue
13. Validating and authorizing endpoint stores


Your progress
  • Total: 4h 59m
  • Played: 0m
  • Remaining: 4h 59m
Join or sign in to track your progress


There are a couple of things we want to do in this endpoint store controller. First of all, validation. So we need to make sure that the location and really importantly the frequency are validated properly. And also we need to apply some authorization because we're just allowing any site to be passed in.
So technically at the moment anyone can post an endpoint to anyone's site via the ID. Now before we do any of that I'm just going to go ahead and add in some middleware in here because we do need to be authenticated to access this. So we're just going to add in our basic auth middleware.
Okay, so for validation and for authorization we are going to go ahead and use a form request like we've already seen. So let's go ahead and make out a request for this. And of course we're going to call this endpoint store request. So let's start with the validation. I'm going to switch this over to endpoint store request here first of all.
And let's open this up and fill this in. So we'll leave authorization for now. But for the validation we want the location at the moment at least just to be required. We're going to be normalizing this in the next episode.
But really what we want to do is focus on the frequency. How are we going to validate this enum to make sure the value that's being passed here, like 60, 120, whatever it may be, exists within that enum. Well first of all we want this to be required.
So that's an easy rule. And then it's very, very easy in Laravel to validate that a value coming in from a form like this exists with an enum because Laravel has a enum rule for this. So we're going to go ahead and create a new enum class that comes from the validation rules enum class section.
And then we're going to go ahead and pass in our endpoint frequency fully qualified namespace. And that is it. So now if any value that we pass into here does not exist within here, then it's going to fail the validation, which is great.
So what we can now do is head back over to our dashboard, come up to the form here, and go ahead and add in an input error. So let's go ahead and add this in now. Input error.
We'll go ahead and give this a class of margin top two. And the message here is going to come from our endpoint form, errors, and location. So that's the location validation done. We just probably need to go ahead and pull the component in for this as well.
So input error. And we're done. Okay, let's try this out. Hit add.
And yeah, we get this action is unauthorized because over in our store request here, this is set to false. Let's just turn that to true before we go any further. Okay, there we go. The location field is required.
Now, we're not going to create a validation output message for this dropdown because technically people should not be changing this value anyway. It's not some free text value, so it shouldn't really have a validation rule. But we're going to try this out.
So we could go in here and fiddle around with the value that's being stored. So let's inspect this element, open up this select, and we'll go ahead and set five minutes to just some silly number. So if we do that and we go ahead and choose five minutes and say ABC and hit add, that shouldn't work.
So if we just go over and give that a refresh. Well, yeah, it kind of has worked and hasn't worked. It's reverted back to the default value of 300, which is absolutely fine. But either way, it's not going to work because that value that's being passed in is being validated via this just here.
Okay, so really importantly, we're now going to focus on the authorization for this. I'm not going to demonstrate this out because it's a little bit tricky, but technically what anyone could do is send a post request through to slash sites slash and then any site on the system regardless if that user owns that site
and create an endpoint, which is obviously a serious issue. So inside of authorize, what we're going to do is make use of policies within Laravel, which you may or may not have worked with. So I'm going to go ahead and make our policy and we'll go through this.
Now this isn't going to be an endpoint policy because we're creating an endpoint in the context of a site. So I'm going to put this under a site policy. We are going to create an endpoint policy later, but effectively what a policy is going to allow us to do if we just open up this site policy is down here,
create a list of methods which are like rules, things that we can and can't do. So what we can do here is create a rule called store endpoint. So can we store an endpoint? Let's just return false from here now just so we can see this fail.
Now into this we get a user if they are authenticated. This is optional so they may not be passed in, but we know for doing these kind of things the user should always be there and we get the site. So if we think about this in terms of a user storing an endpoint on a site,
they can store an endpoint. What is the rule going to be here? What's the check that we're going to perform? Well, it's going to be that the user's ID who is performing this action equals the site user ID. Basically, they must own that site to be able to store an endpoint.
So that's the rule in there. We'll leave false in here now so we can check this is working and we're actually going to get rid of the constructor in here because we don't need this just at the moment. Okay, so how do we register this policy? Well, we do this over in the auth service provider.
If we come down here to go up a little bit, we've got a list of policies just here. We've already got one created in here for us just to demonstrate how this works. So we're going to go ahead and grab the fully qualified namespace to the site and we're going to attach this to the site policy like so.
Now we need to do is perform this check under our request just here under our authorize request. So we're going to go ahead and return and remember we're working here because we're in a form request in the context of a Laravel request. So we can still access the user from inside of here and on this we're going to go ahead and say can
and we're going to give the name of the action that we want to authorize and that is store endpoint. So the user can store an endpoint. Can they store this endpoint? Now we need to pass in the site as well because we're in the context of a request and because we are using root model binding here to pass the site in,
this exists on this request as this site. So can this user store an endpoint on this site? Reads really nicely. Now we can check if this works. So let's go over and hit add and sure enough we get a 403. It is not authorized.
That is obviously because what we did over in our site policy was always return false. But now we can get rid of that and perform the actual check to see if a user can store an endpoint and obviously because I own this site I can do that. The validation fails but we can now perform that action.
44 episodes4 hrs 59 mins


Ready to dive into Inertia? Let's build a real-world app with Laravel, Inertia and Vue! If you're already working with Inertia, you'll pick up some tips and techniques for future projects.

This uptime monitor allows you to create and switch between sites, then add endpoints to monitor with frequency intervals. Using the power of scheduling and queues, it'll automatically alert the email addresses you've added via the UI when an endpoint goes down.

In this course, you'll learn to:

  • Build a real app from scratch with Inertia
  • Work with Laravel queues
  • Perform actions on models at user-defined intervals
  • Work with sub-minute schedules in Laravel
  • Send out channel notifications with Laravel
  • Use API resources to simplify Inertia data
  • Organise apps with events and observers
  • Create modals in Vue
  • Perform inline editing with Inertia forms
Alex Garrett-Smith
Alex Garrett-Smith
Hey, I'm the founder of Codecourse!


No comments, yet. Be the first to leave a comment.