rosslh/coolify
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
coolify/app/Http/Middleware
History
Andras Bacsai e1d4b4682e fix: harden TrustHosts middleware and use base_url() for password reset links 
- Fix circular cache dependency in TrustHosts where handle() checked cache
  before hosts() could populate it, causing host validation to never activate
- Validate both Host and X-Forwarded-Host headers against trusted hosts list
  (X-Forwarded-Host is checked before TrustProxies applies it to the request)
- Use base_url() instead of url() for password reset link generation so the
  URL is derived from server-side config (FQDN / public IP) instead of the
  request context
- Strip port from X-Forwarded-Host before matching (e.g. host:443 → host)
- Add tests for host validation, cache population, and reset URL generation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-26 18:39:54 +01:00
..
ApiAbility.php feat: introduce root permission 2024-12-09 10:52:38 +01:00
ApiAllowed.php refactor(dns-validation): rename DNS validation functions for consistency and clarity, and remove unused code 2025-09-09 09:00:35 +02:00
ApiSensitiveData.php fix: root + read:sensive could read senstive data with a middlewarew 2024-12-09 11:10:35 +01:00
Authenticate.php init of v4 🌮 2023-03-17 15:33:48 +01:00
CanAccessTerminal.php refactor(auth): simplify access control logic in CanAccessTerminal and ServerPolicy by allowing all users to perform actions 2025-08-28 10:48:24 +02:00
CanCreateResources.php feat(acl): Change views/backend code to able to use proper ACL's later on. Currently it is not enabled. 2025-08-26 10:27:38 +02:00
CanUpdateResource.php feat(acl): Change views/backend code to able to use proper ACL's later on. Currently it is not enabled. 2025-08-26 10:27:38 +02:00
CheckForcePasswordReset.php chore: prepare for PR 2026-02-24 10:17:16 +01:00
DecideWhatToDoWithUser.php fix(team): improve team retrieval and session handling for users 2025-12-28 14:50:59 +01:00
EncryptCookies.php init of v4 🌮 2023-03-17 15:33:48 +01:00
PreventRequestsDuringMaintenance.php Fix styling 2024-06-10 20:43:34 +00:00
RedirectIfAuthenticated.php Fix styling 2024-06-10 20:43:34 +00:00
TrimStrings.php init of v4 🌮 2023-03-17 15:33:48 +01:00
TrustHosts.php fix: harden TrustHosts middleware and use base_url() for password reset links 2026-03-26 18:39:54 +01:00
TrustProxies.php fix(subscription): harden quantity updates and proxy trust behavior 2026-03-03 12:28:16 +01:00
ValidateSignature.php init of v4 🌮 2023-03-17 15:33:48 +01:00
VerifyCsrfToken.php fix(webhooks): exclude webhook routes from CSRF protection (#6200) 2025-07-18 19:04:08 +02:00