[Log Rocket] /broadcasting/auth 403 on multiple customers #8737
marcoAntonioNina wants to merge 6 commits into develop from
Conversation
…equests
- Introduced BroadcastAuthDebug middleware to log failed broadcast authentication attempts (HTTP status codes 401, 403, 500) for debugging purposes.
- Updated BroadcastServiceProvider to include the new middleware in the broadcast routes.
- Enhanced private channel subscription logic in bootstrap.js to prevent 403 errors when no user is authenticated.
- Updated channels.php to ensure anonymous users are denied access to specific channels.

…are directed to the Laravel app with cookies, reducing CORS-related 403 errors.
- Added logic to handle user ID extraction from private channels, preventing subscription to channels of other users.
- Improved error handling for private channel subscriptions when no user is authenticated.

… channel information parsing
- Updated BroadcastAuthDebug middleware to log additional details on failed broadcast authentication attempts, including user anonymity and channel type.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
```php
'status' => $response->getStatusCode(),
'user_id' => $user?->id,
'user_type' => $user ? get_class($user) : null,
'user_is_anonymous' => $user && method_exists($user, 'isAnonymous') ? $user->isAnonymous : null,
```
method_exists check fails for isAnonymous property
Medium Severity
isAnonymous is defined as a public property (public $isAnonymous = true;) on AnonymousUser, not a method. Using method_exists($user, 'isAnonymous') will always return false, so user_is_anonymous will always be logged as null — even for anonymous users. This undermines the debug middleware's ability to diagnose the exact 403 scenario it was built to investigate. The check needs property_exists instead.
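To make the reviewer's point concrete, here is an added example (not code from the PR) that runs the logged expression as written beside the `property_exists` version against three principals. The `AnonymousUser` and `User` classes below are stand-ins modelled on the comment's description (a public `$isAnonymous` property, no `isAnonymous()` method), not the project's real classes.

```php
<?php
// Constructed stand-ins for this example. The real AnonymousUser in the project
// is described as having a public property, not a method, named isAnonymous.
class AnonymousUser
{
    public $isAnonymous = true;
    public $id = null;
}

class User
{
    public $id;
    public function __construct(int $id) { $this->id = $id; }
}

// The expression as it appears in the reviewed middleware: method_exists()
// only matches methods, so the ternary falls through to null for every user,
// and the debug log never records that the principal was anonymous.
function anonymityViaMethodExists(?object $user): ?bool
{
    return $user && method_exists($user, 'isAnonymous') ? $user->isAnonymous : null;
}

// The fix the review asks for: property_exists() finds the public property on
// AnonymousUser, and still yields null for a User that has no such property
// and for an unauthenticated (null) principal.
function anonymityViaPropertyExists(?object $user): ?bool
{
    return $user && property_exists($user, 'isAnonymous') ? $user->isAnonymous : null;
}

$cases = [
    'anonymous' => new AnonymousUser(),
    'regular'   => new User(42),
    'none'      => null,
];

foreach ($cases as $label => $user) {
    printf(
        "%-9s method_exists => %s | property_exists => %s\n",
        $label,
        var_export(anonymityViaMethodExists($user), true),
        var_export(anonymityViaPropertyExists($user), true)
    );
}
```

Only the `property_exists` column distinguishes the anonymous principal from a missing one, which is the distinction the 403 investigation depends on.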
QA server K8S was successfully deployed https://ci-938cf714d0.engk8s.processmaker.net
Issue & Reproduction Steps
The 403 error is because it has permissions on the broadcasting channel.
Solution
How to Test
The steps to reproduce the problem are uncertain; you should only check that notifications are working correctly.
Related Tickets & Packages
Code Review Checklist
ci:deploy
Note
Medium Risk
Touches broadcast authentication middleware/client subscription behavior and channel authorization callbacks, which can affect realtime notifications if misconfigured. Changes are gated for logging via `BROADCAST_AUTH_DEBUG`, but the stricter anonymous-user checks may alter who can subscribe to channels.

Overview
Reduces intermittent `/broadcasting/auth` 403s by making broadcast auth requests more reliable and easier to diagnose. Adds `BroadcastAuthDebug` middleware (enabled via `BROADCAST_AUTH_DEBUG`) to log detailed context only when broadcast auth returns 4xx/5xx, and moves broadcast route registration to `BroadcastServiceProvider` with `auth:web,anon` plus this middleware. Tightens broadcast channel authorization to explicitly deny missing/`AnonymousUser` principals and consistently return `false` for invalid inputs, and updates the JS Echo bootstrap to force same-origin `authEndpoint` with credentials and to no-op private subscriptions when there is no current user or when subscribing to another user's channel.

Written by Cursor Bugbot for commit 9ff5e1f.