
Dealing with expired signed URLs in Laravel

Original – by Freek Van der Herten – 2 minute read

Out of the box, Laravel comes with the ability to generate "signed" URLs. These URLs have a hash in their query string that verifies that the URL was not modified.

At Flare, we use these signed URLs to add action links in mail notifications. The action links allow users to snooze and resolve errors right from the mail without having to be logged in. Pretty convenient!

My buddy Dries Vints noticed a slight drawback. He got a mail from Flare that contains these action links. A few hours after the mail arrived, he clicked one of the action links. This is what he saw.

screenshot

This error screen is confusing: you might think that the links in the mail are invalid. To keep things secure, we use a short lifetime for our signed URLs. Dries got this screen because the link had expired.
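How the hash and the short lifetime fit together, as an added example that is not from the original post: this is a simplified model of a signed URL, not Laravel's own code, and the key, URL, timestamps and function names are constructed for illustration.

```php
<?php
// Added example: simplified model of an expiring signed URL (not Laravel's implementation).
// KEY, the example.test URL and the timestamps are constructed sample values.
const KEY = 'constructed-demo-key';

// Append an expiry timestamp, then an HMAC-SHA256 computed over the URL
// including that timestamp, so the lifetime is covered by the signature.
function signUrl(string $url, int $expires): string
{
    $unsigned = $url . (str_contains($url, '?') ? '&' : '?') . 'expires=' . $expires;

    return $unsigned . '&signature=' . hash_hmac('sha256', $unsigned, KEY);
}

// Returns 'valid', 'expired' or 'tampered'.
function checkUrl(string $signedUrl, int $now): string
{
    $pos = strrpos($signedUrl, '&signature=');
    if ($pos === false) {
        return 'tampered';
    }
    $unsigned = substr($signedUrl, 0, $pos);
    $given = substr($signedUrl, $pos + strlen('&signature='));

    // Verify the MAC in constant time before trusting any query parameter.
    if (!hash_equals(hash_hmac('sha256', $unsigned, KEY), $given)) {
        return 'tampered';
    }

    parse_str((string) parse_url($unsigned, PHP_URL_QUERY), $query);
    $expires = (int) ($query['expires'] ?? 0);

    return $expires > $now ? 'valid' : 'expired';
}

$issued = 1700000000; // constructed timestamp for when the mail was sent
$link = signUrl('https://example.test/errors/42/snooze', $issued + 1800);

echo checkUrl($link, $issued + 60), "\n";   // clicked within the lifetime
echo checkUrl($link, $issued + 7200), "\n"; // clicked a few hours later

// Editing the expiry in the query string to extend the lifetime breaks the MAC.
$extended = str_replace('expires=' . ($issued + 1800), 'expires=' . ($issued + 999999), $link);
echo checkUrl($extended, $issued + 7200), "\n";
```

An untouched link that is clicked too late and a link whose query string was edited fail for different reasons, which is why the wording of the error page matters.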

We can improve on this by creating a dedicated error message when clicking expired or invalid links. Luckily, this is not that difficult.

When you try to validate a signed URL and the validation fails, Laravel will throw a dedicated exception: Illuminate\Routing\Exceptions\InvalidSignatureException. In your exception handler, you can listen for that exception and render a dedicated view.

// in app/Exceptions/Handler.php

use Illuminate\Routing\Exceptions\InvalidSignatureException;

public function register()
{
    // Render a dedicated view instead of the default error screen
    // when signed URL validation fails.
    $this->renderable(function (InvalidSignatureException $exception) {
        return response()->view('error.link-expired', status: 403);
    });
}

With that code in place, this is what Dries will see when clicking another expired link in the future.

screenshot

And that is all there is to it. To avoid confusion for your users, I highly recommend setting up a dedicated error message when using signed URLs.

Thanks for bringing this to my attention, Dries.
