Build An Uptime Monitor with Inertia
This episode is for members only

Sign up to access "Build An Uptime Monitor with Inertia" right now.

Get started
Already a member? Sign in to continue
Playing
13. Validating and authorizing endpoint stores

Episodes

0%
Your progress
  • Total: 4h 59m
  • Played: 0m
  • Remaining: 4h 59m
Join or sign in to track your progress
01. Introduction
01. Introduction and demo
6m 33s
0%
02. A fresh Inertia project
6m 7s
0%
02. Sites
03. Site and dashboard setup
8m 59s
0%
04. Building the site selector dropdown
12m 22s
0%
05. Making use of API resources
4m 14s
0%
06. Setting the default site
10m 37s
0%
07. Setting up Vue modals
4m 34s
0%
08. Creating a site
18m 18s
0%
03. Endpoints
09. Setting up endpoints
4m 23s
0%
10. Enum endpoint frequencies
3m 50s
0%
11. Creating the endpoint form
12m 58s
0%
12. Storing an endpoint
7m 21s
0%
13. Validating and authorizing endpoint stores
7m 6s
0%
14. Normalizing the endpoint location
6m 4s
0%
15. Displaying endpoints
6m 22s
0%
16. Deleting endpoints
6m 21s
0%
17. Toggling inline editing for endpoints
5m 12s
0%
18. Applying a watcher to the endpoint form
5m 31s
0%
19. Storing endpoint edits
8m 56s
0%
04. Checking endpoints
20. Determining endpoints to check
2m 57s
0%
21. Creating a job to perform a check
3m 21s
0%
22. Making an HTTP request
3m 39s
0%
23. Scheduling checks every second
4m 27s
0%
24. Setting up the check relationship
3m 14s
0%
25. Updating the job
2m 10s
0%
26. Showing the last status
12m 50s
0%
27. Expanded list of checks
14m 10s
0%
28. The response body modal
2m 49s
0%
29. Authorizing the endpoint details
2m 27s
0%
30. Calculating uptime for endpoints
8m 29s
0%
05. Queuing
31. Setting up queues
3m 21s
0%
32. Queuing the endpoint check
7m 26s
0%
06. Email notifications
33. Setting up email in Laravel
5m 8s
0%
34. Site model email notification storage
3m 5s
0%
35. Adding email addresses via the UI
17m 24s
0%
36. Listing and deleting email addresses
7m 14s
0%
07. Downtime notifications
37. Observing when to notify
10m 51s
0%
38. Creating an endpoint down notification
10m 46s
0%
39. Creating an endpoint recovery notification
8m 9s
0%
40. Making the emails a bit friendlier
3m 50s
0%
08. Extras
41. Deleting sites
5m 9s
0%
42. Eager loading
4m 44s
0%
43. Recovery notification bug
2m 31s
0%
44. No sites fix and placeholder
3m 25s
0%

Transcript

00:00
There are a couple of things we want to do in this endpoint store controller. First of all, validation. So we need to make sure that the location and really importantly the frequency are validated properly. And also we need to apply some authorization because we're just allowing any site to be passed in.
00:16
So technically at the moment anyone can post an endpoint to anyone's site via the ID. Now before we do any of that I'm just going to go ahead and add in some middleware in here because we do need to be authenticated to access this. So we're just going to add in our basic auth middleware.
00:33
Okay, so for validation and for authorization we are going to go ahead and use a form request like we've already seen. So let's go ahead and make out a request for this. And of course we're going to call this endpoint store request. So let's start with the validation. I'm going to switch this over to endpoint store request here first of all.
00:54
And let's open this up and fill this in. So we'll leave authorization for now. But for the validation we want the location at the moment at least just to be required. We're going to be normalizing this in the next episode.
01:07
But really what we want to do is focus on the frequency. How are we going to validate this enum to make sure the value that's being passed here, like 60, 120, whatever it may be, exists within that enum. Well first of all we want this to be required.
01:23
So that's an easy rule. And then it's very, very easy in Laravel to validate that a value coming in from a form like this exists with an enum because Laravel has a enum rule for this. So we're going to go ahead and create a new enum class that comes from the validation rules enum class section.
01:43
And then we're going to go ahead and pass in our endpoint frequency fully qualified namespace. And that is it. So now if any value that we pass into here does not exist within here, then it's going to fail the validation, which is great.
01:58
So what we can now do is head back over to our dashboard, come up to the form here, and go ahead and add in an input error. So let's go ahead and add this in now. Input error.
02:08
We'll go ahead and give this a class of margin top two. And the message here is going to come from our endpoint form, errors, and location. So that's the location validation done. We just probably need to go ahead and pull the component in for this as well.
02:26
So input error. And we're done. Okay, let's try this out. Hit add.
02:32
And yeah, we get this action is unauthorized because over in our store request here, this is set to false. Let's just turn that to true before we go any further. Okay, there we go. The location field is required.
02:46
Now, we're not going to create a validation output message for this dropdown because technically people should not be changing this value anyway. It's not some free text value, so it shouldn't really have a validation rule. But we're going to try this out.
02:59
So we could go in here and fiddle around with the value that's being stored. So let's inspect this element, open up this select, and we'll go ahead and set five minutes to just some silly number. So if we do that and we go ahead and choose five minutes and say ABC and hit add, that shouldn't work.
03:19
So if we just go over and give that a refresh. Well, yeah, it kind of has worked and hasn't worked. It's reverted back to the default value of 300, which is absolutely fine. But either way, it's not going to work because that value that's being passed in is being validated via this just here.
03:36
Okay, so really importantly, we're now going to focus on the authorization for this. I'm not going to demonstrate this out because it's a little bit tricky, but technically what anyone could do is send a post request through to slash sites slash and then any site on the system regardless if that user owns that site
03:54
and create an endpoint, which is obviously a serious issue. So inside of authorize, what we're going to do is make use of policies within Laravel, which you may or may not have worked with. So I'm going to go ahead and make our policy and we'll go through this.
04:08
Now this isn't going to be an endpoint policy because we're creating an endpoint in the context of a site. So I'm going to put this under a site policy. We are going to create an endpoint policy later, but effectively what a policy is going to allow us to do if we just open up this site policy is down here,
04:24
create a list of methods which are like rules, things that we can and can't do. So what we can do here is create a rule called store endpoint. So can we store an endpoint? Let's just return false from here now just so we can see this fail.
04:39
Now into this we get a user if they are authenticated. This is optional so they may not be passed in, but we know for doing these kind of things the user should always be there and we get the site. So if we think about this in terms of a user storing an endpoint on a site,
04:56
they can store an endpoint. What is the rule going to be here? What's the check that we're going to perform? Well, it's going to be that the user's ID who is performing this action equals the site user ID. Basically, they must own that site to be able to store an endpoint.
05:16
So that's the rule in there. We'll leave false in here now so we can check this is working and we're actually going to get rid of the constructor in here because we don't need this just at the moment. Okay, so how do we register this policy? Well, we do this over in the auth service provider.
05:30
If we come down here to go up a little bit, we've got a list of policies just here. We've already got one created in here for us just to demonstrate how this works. So we're going to go ahead and grab the fully qualified namespace to the site and we're going to attach this to the site policy like so.
05:47
Now we need to do is perform this check under our request just here under our authorize request. So we're going to go ahead and return and remember we're working here because we're in a form request in the context of a Laravel request. So we can still access the user from inside of here and on this we're going to go ahead and say can
06:09
and we're going to give the name of the action that we want to authorize and that is store endpoint. So the user can store an endpoint. Can they store this endpoint? Now we need to pass in the site as well because we're in the context of a request and because we are using root model binding here to pass the site in,
06:30
this exists on this request as this site. So can this user store an endpoint on this site? Reads really nicely. Now we can check if this works. So let's go over and hit add and sure enough we get a 403. It is not authorized.
06:48
That is obviously because what we did over in our site policy was always return false. But now we can get rid of that and perform the actual check to see if a user can store an endpoint and obviously because I own this site I can do that. The validation fails but we can now perform that action.

Episode summary

In this episode, we're tackling validation and authorization for our endpoint store controller. We kick things off by making sure that whenever someone tries to add an endpoint, the input fields like location and especially frequency are properly validated. This means checking that frequency values actually exist in our defined enum using Laravel's built-in enum validation rule, and making sure location isn't empty.

Next up, we lock things down with authentication middleware, so only logged-in users can hit this controller. But we don't stop there: we introduce form requests to handle all our validation and authorization logic cleanly. We create a custom EndpointStoreRequest where the validation rules live, and we wire up input error messages so users see immediate feedback if they make mistakes.

For the security bit, we talk about why authorization is crucial—otherwise, someone could add endpoints to any site, even if they don't own it! To fix this, we create a policy (SitePolicy) that checks if the user actually owns the site before letting them add an endpoint. We walk through registering and using this policy in Laravel, showing how attempts to add endpoints by unauthorized users are rejected with a 403 error. Then, after flipping the policy to do the proper user check, everything works as intended for legit site owners.

By the end, we've locked down our endpoint store so that only authorized, authenticated users can add endpoints, and only with valid data.

Episode discussion

No comments, yet. Be the first!