[Log Rocket] /broadcasting/auth 403 on multiple customers #8737
marcoAntonioNina wants to merge 4 commits into develop from
Conversation
…equests - Introduced BroadcastAuthDebug middleware to log failed broadcast authentication attempts (HTTP status codes 401, 403, 500) for debugging purposes. - Updated BroadcastServiceProvider to include the new middleware in the broadcast routes. - Enhanced private channel subscription logic in bootstrap.js to prevent 403 errors when no user is authenticated. - Updated channels.php to ensure anonymous users are denied access to specific channels.
…are directed to the Laravel app with cookies, reducing CORS-related 403 errors. - Added logic to handle user ID extraction from private channels, preventing subscription to channels of other users. - Improved error handling for private channel subscriptions when no user is authenticated.
… channel information parsing - Updated BroadcastAuthDebug middleware to log additional details on failed broadcast authentication attempts, including user anonymity and channel type.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
| 'status' => $response->getStatusCode(), | ||
| 'user_id' => $user?->id, | ||
| 'user_type' => $user ? get_class($user) : null, | ||
| 'user_is_anonymous' => $user && method_exists($user, 'isAnonymous') ? $user->isAnonymous : null, |
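Review bot: user_is_anonymous will always be logged as null on the last line, because isAnonymous is a public property on AnonymousUser rather than a method, so method_exists() never matches. Rather than swapping in property_exists(), check $user instanceof AnonymousUser (the class the PR already denies in channels.php); that does not depend on the property's name and keeps working if it is later turned into a method.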
method_exists check fails for isAnonymous property
Medium Severity
isAnonymous is defined as a public property (public $isAnonymous = true;) on AnonymousUser, not a method. Using method_exists($user, 'isAnonymous') will always return false, so user_is_anonymous will always be logged as null — even for anonymous users. This undermines the debug middleware's ability to diagnose the exact 403 scenario it was built to investigate. The check needs property_exists instead.
| { | ||
| $response = $next($request); | ||
|
|
||
| if (!env('BROADCAST_AUTH_DEBUG', false)) { |
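Review bot: the env('BROADCAST_AUTH_DEBUG', false) read on the last line returns the default whenever php artisan config:cache has been run, so the middleware cannot be switched on in exactly the production deployments it targets. Register the flag in config/broadcasting.php (for example 'auth_debug' => env('BROADCAST_AUTH_DEBUG', false)) and test config('broadcasting.auth_debug') here instead. Since $next($request) has already run by this point, the flag only gates the logging and never alters the auth response, which is the right shape for an opt-in debug hook.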
Direct env() call fails with cached config
Medium Severity
env('BROADCAST_AUTH_DEBUG', false) is called directly instead of through a config value. In production Laravel deployments where php artisan config:cache has been run, the .env file isn't loaded, so env() will always return the default false. Since BROADCAST_AUTH_DEBUG isn't registered in any config file, this middleware can never be activated in a cached-config environment — exactly the production scenario it's meant to debug.
Issue & Reproduction Steps
The 403 error is because it has permissions on the broadcasting channel.
Solution
How to Test
The steps to reproduce the problem are uncertain; you should only check that notifications are working correctly.
Related Tickets & Packages
Code Review Checklist
ci:deploy
Note
Medium Risk
Touches realtime auth and channel authorization paths; misconfiguration or overly strict checks could block legitimate subscriptions/notifications, though changes are mostly defensive and the logging is opt-in.
Overview
Reduces intermittent /broadcasting/auth 403s by hardening both client and server broadcast auth behavior. On the backend, broadcasting routes now run under auth:web,anon and a new opt-in BroadcastAuthDebug middleware (enabled via BROADCAST_AUTH_DEBUG) logs detailed context for failed auth responses. Channel authorization callbacks now explicitly deny unauthenticated/AnonymousUser access and return false (instead of null) for invalid IDs. On the frontend, Echo's broadcasting config is adjusted to default authEndpoint to the app origin and enable withCredentials, and Echo.private() is wrapped to no-op when there is no current user or when subscribing to another user's private channel.
Written by Cursor Bugbot for commit 92b54eb. This will update automatically on new commits.
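As an added example (not code from this PR or the project), here is the client-side Echo.private() guard the overview describes, written in plain JavaScript with a constructed stand-in for window.Echo. It assumes per-user private channels follow Laravel's default App.Models.User.{id} naming; that regex and the helper names are ours.

```javascript
// Guard Echo.private() so the browser never asks /broadcasting/auth for a
// channel it cannot be authorised on: no logged-in user, or another user's
// per-user channel. Both cases would otherwise surface as a 403.
// Assumption: per-user channels are named "App.Models.User.{id}" (Laravel's
// default notification channel); the pattern below is ours, not the project's.
const USER_CHANNEL_RE = /^App\.Models\.User\.(\d+)$/;

// Numeric user id embedded in a per-user channel name, or null when the
// channel is not user-scoped (e.g. a shared "orders" channel).
function channelUserId(channelName) {
  const m = USER_CHANNEL_RE.exec(channelName);
  return m ? Number(m[1]) : null;
}

// Subscription stub whose chainable methods do nothing, so callers that
// chain .listen()/.notification() keep working when we refuse to subscribe.
function noopChannel() {
  const ch = {};
  for (const name of ['listen', 'notification', 'stopListening', 'error']) {
    ch[name] = () => ch;
  }
  return ch;
}

// Wraps echo.private(): subscribe only when a user is logged in and the
// channel is either not user-scoped or scoped to that same user.
// Returns { channel, subscribed, reason } so the decision can be inspected.
function guardedPrivate(echo, currentUser, channelName) {
  if (!currentUser || currentUser.id == null) {
    return { channel: noopChannel(), subscribed: false, reason: 'no-user' };
  }
  const ownerId = channelUserId(channelName);
  if (ownerId !== null && ownerId !== Number(currentUser.id)) {
    return { channel: noopChannel(), subscribed: false, reason: 'other-user' };
  }
  return { channel: echo.private(channelName), subscribed: true, reason: 'ok' };
}

// Constructed stand-in for window.Echo that records which channels it joined,
// so the guard can be exercised without a running Pusher/Reverb server.
function fakeEcho() {
  const joined = [];
  return { joined, private: (name) => { joined.push(name); return noopChannel(); } };
}
```

In the real app, replace fakeEcho() with window.Echo and pass the authenticated user object from the page; a 'no-user' or 'other-user' result means the subscription was skipped client-side rather than rejected by the server.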