d3b8d70f08
Centralize min/max server limits in Stripe quantity updates and wire them into Livewire subscription actions with price preview/update handling. Also improve host/proxy middleware behavior by trusting loopback hosts when FQDN is set and auto-enabling secure session cookies for HTTPS requests behind proxies when session.secure is unset. Includes feature tests for loopback trust and secure cookie auto-detection.
50 lines
1.5 KiB
PHP
50 lines
1.5 KiB
PHP
<?php
|
|
|
|
namespace App\Http\Middleware;
|
|
|
|
use Illuminate\Http\Middleware\TrustProxies as Middleware;
|
|
use Illuminate\Http\Request;
|
|
|
|
class TrustProxies extends Middleware
|
|
{
|
|
/**
|
|
* The trusted proxies for this application.
|
|
*
|
|
* @var array<int, string>|string|null
|
|
*/
|
|
protected $proxies = '*';
|
|
|
|
/**
|
|
* The headers that should be used to detect proxies.
|
|
*
|
|
* @var int
|
|
*/
|
|
protected $headers =
|
|
Request::HEADER_X_FORWARDED_FOR |
|
|
Request::HEADER_X_FORWARDED_HOST |
|
|
Request::HEADER_X_FORWARDED_PORT |
|
|
Request::HEADER_X_FORWARDED_PROTO |
|
|
Request::HEADER_X_FORWARDED_AWS_ELB;
|
|
|
|
/**
|
|
* Handle the request.
|
|
*
|
|
* Wraps $next so that after proxy headers are resolved (X-Forwarded-Proto processed),
|
|
* the Secure cookie flag is auto-enabled when the request is over HTTPS.
|
|
* This ensures session cookies are correctly marked Secure when behind an HTTPS
|
|
* reverse proxy (Cloudflare Tunnel, nginx, etc.) even when SESSION_SECURE_COOKIE
|
|
* is not explicitly set in .env.
|
|
*/
|
|
public function handle($request, \Closure $next)
|
|
{
|
|
return parent::handle($request, function ($request) use ($next) {
|
|
// At this point proxy headers have been applied to the request,
|
|
// so $request->secure() correctly reflects the actual protocol.
|
|
if ($request->secure() && config('session.secure') === null) {
|
|
config(['session.secure' => true]);
|
|
}
|
|
|
|
return $next($request);
|
|
});
|
|
}
|
|
}
|