Namek Dev
a developer's log

Laravel Logs with simplest HTTP Basic Auth

October 8, 2015

There’s a cool visual log viewer for Laravel 4/5: rap2hpoutre/laravel-log-viewer. Installation is short and straightforward, but logs shouldn’t be accessible to just anyone. That’s why I set up an access password. The easier, the better, so this time I just used HTTP Basic Auth, but without a database.

After the Log Viewer is installed, I add a new route group:

// Laravel 4 "before" filter: both routes pass through auth.basic first
Route::group(['before' => 'auth.basic'], function() {
	// Log viewer UI
	Route::get('llogs', '\Rap2hpoutre\LaravelLogViewer\LogViewerController@index');

	// Deletes every file in storage/logs
	Route::get('llogs-reset', function() {
		$files = new \Illuminate\Filesystem\Filesystem;
		foreach ($files->files(storage_path().'/logs') as $file) {
			$files->delete($file);
		}
	});
});

Laravel ships with an auth.basic filter, but that’s not what I want since it needs access to a database containing a ‘users’ table. Instead, I just replace that default filter with a simple custom one in app/filters.php:

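Route::filter('auth.basic', function() {
    // SHA-1 hex digest of the access password, read from .env.php
    $expected = isset($_ENV['SpecialAccessPassword']) ? $_ENV['SpecialAccessPassword'] : null;
    // Kept in a variable: empty() on a function call is a parse error before PHP 5.5
    $password = Request::getPassword();

    // Strict comparison: with != two digests that look like numbers ("0e...") compare as equal
    if ($expected === null || sha1($password) !== $expected) {
        if (!empty($password)) {
            // Writes the submitted password and user name to the log in clear text
            Log::info('Logs: auth.basic bad password: '.$password.' / '.Request::getUser());
        }
        $headers = ['WWW-Authenticate' => 'Basic'];
        return Response::make('Invalid credentials.', 401, $headers);
    }
});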

My password hash (sha1) lives in the .env.php file.
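A hardened variant of the same check, as an added example that is not the post's code. It is framework-free so it runs with plain php; the function name checkLogViewerAccess, the sample passphrase and the IP address are made up here, and it assumes PHP 5.5+ for password_hash(). It stores a salted hash instead of a bare sha1 and keeps the submitted password out of the log that the viewer later displays.

```php
<?php
// Added example, not the post's code. Assumption: PHP 5.5+ (password_hash / password_verify).

// Returns [bool $granted, string|null $logLine]; the log line never holds the password.
function checkLogViewerAccess($user, $password, $storedHash, $remoteIp)
{
    // Fail closed when no hash is configured.
    if (!is_string($storedHash) || $storedHash === '') {
        return [false, 'Logs: auth.basic refused, no password hash configured'];
    }
    // No credentials sent yet: answer with the 401 challenge, nothing to log.
    if (!is_string($password) || $password === '') {
        return [false, null];
    }
    // password_verify() checks a salted hash and compares in constant time.
    if (password_verify($password, $storedHash)) {
        return [true, null];
    }
    // The user name is attacker-controlled and is rendered by the log viewer:
    // keep printable ASCII only and cap the length so it cannot forge extra log lines.
    $safeUser = substr(preg_replace('/[^\x20-\x7E]/', '?', (string) $user), 0, 64);
    return [false, sprintf('Logs: auth.basic bad password for user "%s" from %s', $safeUser, $remoteIp)];
}

// Constructed sample data: the hash would be generated once and stored in .env.php.
$storedHash = password_hash('example-only-passphrase', PASSWORD_DEFAULT);
$attempts = [
    ['admin', 'example-only-passphrase'],                // correct password
    ['admin', 'Example-only-passphrase'],                // near miss of the real password
    ["x\n[2015-10-08] production.INFO: fake", 'guess'],  // log-forging user name
    [null, null],                                        // first request, no Authorization header
];
foreach ($attempts as $a) {
    list($granted, $logLine) = checkLogViewerAccess($a[0], $a[1], $storedHash, '203.0.113.7');
    echo ($granted ? 'GRANTED' : 'DENIED '), ' | ',
         ($logLine === null ? '(nothing logged)' : $logLine), "\n";
}

// Why a hex digest must be compared with === / !== and not == / != :
// two different strings that both look like numbers are equal under loose comparison.
var_dump('0e1234' == '0e5678');
var_dump('0e1234' === '0e5678');
```

The near-miss attempt is the case that matters most: with the password written to the log, a typo of the real password would be readable by anyone who later gets into the viewer.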

In my case .htaccess needed a modification, too. This is what I got from Laravel’s Security:

RewriteCond %{HTTP:Authorization} ^(.+)$
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

Great! Now my logs are protected by password!
