Getting Started with Signed Routes in Laravel

Published on by

Getting Started with Signed Routes in Laravel image

In Laravel 5.6.12 a new signed URLs feature was introduced. In this article, we’ll work on enabling signed URLs in an application and look at a few options of how to use them.

Setup

First, you’ll need to run composer update laravel/framework in your terminal to pull the latest changes.

Second, you’ll need to add the new ValidateSignature to your route middleware in /app/Http/Kernel.php.

protected $routeMiddleware = [
// ...
'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
+ 'signed' => \Illuminate\Routing\Middleware\ValidateSignature::class,
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
];
}

That’s it! Now you can start adding signed URLs to your application.

Starting Point

Let’s say we have an event planning application that we let users RSVP to upcoming events. We want to email all users a link so they can quickly respond “yes” or “no” if they are going. However, we don’t want to force them to log into the application again if they happen to be logged out.

Currently, we have the following event.rsvp route in our routes/web.php file.

Route::get('event/{id}/rsvp/{user}/{response}', function ($id, $user, $response) {
// Add response from user for event.
})->name('event.rsvp');

and our URL is generated like so

use \Illuminate\Support\Facades\URL;
 
Url::route('event.rsvp', ['id' => 25, 'user' => 100, 'response' => 'yes']);

which generates:

https://example.com/event/25/rsvp/100/yes

We can see that a curious or malicious user will be easily able to change any variables in the URL, which is far from ideal.

Signing a URL

Now that we have a prime candidate for a signed URL let’s add the signature handling.

First, we’ll need to add the signed middleware to our route definition.

Route::get('event/{id}/rsvp/{user}/{response}', function ($id, $user, $response) {
// Add response from user for event.
})->name('event.rsvp')->middleware('signed');

Next, we’ll change our Url::route() to Url::signedRoute() in our application.

use \Illuminate\Support\Facades\URL;
 
Url::signedRoute('event.rsvp', ['id' => 25, 'user' => 100, 'response' => 'yes']);

Laravel will generate a new signed URL given the route name, and all of the parameters, which generates a URL similar to the following:

https://example.com/event/25/rsvp/100/yes?
signature=30a3877b00890fff0d7ca25f82c6387ff16a98d21008ddc9689ed3c20ef13cd4

Now by using this signed URL if that same “curious” user tries to tamper with the user id, changing it from 100 to 101, or the signature ending with 4 to 5 Laravel will throw an Illuminate\Routing\Exceptions\InvalidSignatureException.

Temporary URLs

In addition to just signing a URL, Laravel gives us a great way to add an expiration to a signature as well. If we want the link to expire in 1 hour from generation, we can update our code to the following.

use \Illuminate\Support\Facades\URL;
 
URL::temporarySignedRoute('event.rsvp', now()->addHour(), [
'id' => 25,
'user' => 100,
'response' => 'yes'
]);

which generates the following:

https://example.com/event/25/rsvp/100/yes?expires=1521543365
&signature=d32f53ced4a781f287b612d21a3b7d3c38ebc5ae53951115bb9af4bc3f88a87a

Learn More

I encourage you to take a look at the Laravel Documentation and API Documentation for additional information and alternative usages.

Chris Gmyr photo

Full-stack web developer and coffee enthusiast.

Cube

Laravel Newsletter

Join 40k+ other developers and never miss out on new tips, tutorials, and more.

Laravel Forge logo

Laravel Forge

Easily create and manage your servers and deploy your Laravel applications in seconds.

Laravel Forge
Tinkerwell logo

Tinkerwell

The must-have code runner for Laravel developers. Tinker with AI, autocompletion and instant feedback on local and production environments.

Tinkerwell
No Compromises logo

No Compromises

Joel and Aaron, the two seasoned devs from the No Compromises podcast, are now available to hire for your Laravel project. ⬧ Flat rate of $7500/mo. ⬧ No lengthy sales process. ⬧ No contracts. ⬧ 100% money back guarantee.

No Compromises
Kirschbaum logo

Kirschbaum

Providing innovation and stability to ensure your web application succeeds.

Kirschbaum
Shift logo

Shift

Running an old Laravel version? Instant, automated Laravel upgrades and code modernization to keep your applications fresh.

Shift
Bacancy logo

Bacancy

Supercharge your project with a seasoned Laravel developer with 4-6 years of experience for just $2500/month. Get 160 hours of dedicated expertise & a risk-free 15-day trial. Schedule a call now!

Bacancy
Lucky Media logo

Lucky Media

Get Lucky Now - the ideal choice for Laravel Development, with over a decade of experience!

Lucky Media
Lunar: Laravel E-Commerce logo

Lunar: Laravel E-Commerce

E-Commerce for Laravel. An open-source package that brings the power of modern headless e-commerce functionality to Laravel.

Lunar: Laravel E-Commerce
LaraJobs logo

LaraJobs

The official Laravel job board

LaraJobs
SaaSykit: Laravel SaaS Starter Kit logo

SaaSykit: Laravel SaaS Starter Kit

SaaSykit is a Laravel SaaS Starter Kit that comes with all features required to run a modern SaaS. Payments, Beautiful Checkout, Admin Panel, User dashboard, Auth, Ready Components, Stats, Blog, Docs and more.

SaaSykit: Laravel SaaS Starter Kit
Rector logo

Rector

Your partner for seamless Laravel upgrades, cutting costs, and accelerating innovation for successful companies

Rector
MongoDB logo

MongoDB

Enhance your PHP applications with the powerful integration of MongoDB and Laravel, empowering developers to build applications with ease and efficiency. Support transactional, search, analytics and mobile use cases while using the familiar Eloquent APIs. Discover how MongoDB's flexible, modern database can transform your Laravel applications.

MongoDB

The latest

View all →
A Resize Plugin for Alpine.js image

A Resize Plugin for Alpine.js

Read article
How to Migrate MySQL from DBngin to Laravel Herd image

How to Migrate MySQL from DBngin to Laravel Herd

Read article
Learn to master Query Scopes in Laravel image

Learn to master Query Scopes in Laravel

Read article
How to Redirect Uppercase URLs to Lowercase with Laravel Middleware image

How to Redirect Uppercase URLs to Lowercase with Laravel Middleware

Read article
PHP 8.4 Alpha 1 is now out! image

PHP 8.4 Alpha 1 is now out!

Read article
Generics Added to Eloquent Builder in Laravel 11.15 image

Generics Added to Eloquent Builder in Laravel 11.15

Read article