Question 407580 in Laravel Question posted in
The official Laravel Documentation can be found here.

Laravel – Why am I getting 401 errors on Livewire uploads

When I try to upload a file on the production server the upload goes to 100% and then says error uploading. If I check the browser console it shows the upload failed because of a 401 error.

I’m running Laravel 11, Livewire 3, and Filament 3

I thought this may have been a signed url issue as the requests are going through Cloudflare, so I turned off Cloudflare proxying (also to verify Cloudflare’s auto-minification wasn’t messing anything up) – no change. I set the following in bootstrap/app.php – no change.

->withMiddleware(function (Middleware $middleware) {
        $middleware->trustProxies(at: ['*']);
    })

finally I commented out the check for a signed url in Livewire’s src file just to be sure this was not the issue

vendor/livewire/livewire/src/Features/SupportFileUploads/FileUploadController.php

//abort_unless(request()->hasValidSignature(), 401);

What else could be causing this issue?

Tags:

2

Answers


  1. Chosen as BEST ANSWER
    0

    I'm not sure the actual cause but I had it running on Laravel Octane with FrankenPhp. As soon as I disabled that the problem went away. I'll try to investiagte and post the actual cause of the issue when I have a bit more time.


  2. 0

    In my case my app is available from two different domains. Removing hasValidSignature creates security hole. The files /livewire/upload-file.js and /livewire/preview-file.js can now be forged.

    You can create your own signature validation and rewrite it in register() method of AppServiceProvider

    UrlGenerator::macro('alternateHasCorrectSignature', 
function (Request $request, $absolute = true, array $ignoreQuery = []) {
$ignoreQuery[] = 'signature';
    
$absoluteUrl = url($request->path());
$url = $absolute ? $absoluteUrl : '/'.$request->path();
    
$queryString = collect(explode('&', (string) $request
->server->get('QUERY_STRING')))
->reject(fn ($parameter) => in_array(Str::before($parameter, '='), $ignoreQuery))
->join('&');

$original = rtrim($url.'?'.$queryString, '?');
$signature = hash_hmac('sha256', $original, call_user_func($this->keyResolver));
return hash_equals($signature, (string) $request->query('signature', ''));
});
UrlGenerator::macro('alternateHasValidSignature', function (Request 
$request, $absolute = true, array $ignoreQuery = []) {
   return URL::alternateHasCorrectSignature($request, $absolute, $ignoreQuery)
&& URL::signatureHasNotExpired($request);
});
Request::macro('hasValidSignature', function ($absolute = true, array $ignoreQuery = []) { 
return URL::alternateHasValidSignature($this, $absolute, $ignoreQuery);
});
    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search