Tool API routes default to being publicly accessible without authentication

[bakerkretzmar]

• Laravel Version: 10.9.0
• Nova Version: 4.23.0
• PHP Version: 8.1.18
• Database Driver & Version: None
• Operating System and Version: macOS Monterey (12.6.5)
• Browser type and version: Firefox 112.0.1
• Reproduction Repository: https://github.com/bakerkretzmar/nova-public-tool-api-routes

Description:

Nova creates all custom tools with API routes that are publicly accessible to unauthenticated users by default.

The tool service provider stub registers routes like this:

Nova::router(['nova', Authenticate::class, Authorize::class], 'my-tool')
    ->group(__DIR__.'/../routes/inertia.php');

Route::middleware(['nova', Authorize::class])
    ->prefix('nova-vendor/my-tool')
    ->group(__DIR__.'/../routes/api.php');

The nova-vendor/my-tool routes are publicly accessible, and users that should not be able to access Nova or are not even logged in at all can access them in any environment.

Detailed steps to reproduce the issue on a fresh Nova installation:

• Create a tool with php artisan nova:tool my/tool and register it with Nova.
• Add an API route to the tool that returns some JSON.
• Configure Nova to be completely inaccessible—set APP_ENV to production and update the viewNova gate to just return false.
• Open an Incognito tab and visit the API route defined earlier—it is accessible and returns the JSON.

Discussion:

Was this intentional? If it wasn't, can Nova's tool stubs be updated to use the nova:api middleware group for tool API routes, instead of just nova? Or should this be documented so that users know they always need to add this? I can't imagine a situation where you would want any of Nova's API routes to be completely public.

[crynobone]

Authorize middleware already utilise Tool::canSee() as defined in the documentation. https://nova.laravel.com/docs/4.0/customization/tools.html#authorization

[bakerkretzmar]

@crynobone I know that, and that's not my question. The tool's Inertia pages by default use the Authenticate middleware and are only accessible if Nova itself is accessible, but the API routes are completely public even if Nova is not.

If a tool does not use canSee because all users with Nova access should have access to the tool, the API routes will not be authenticated at all. Is that intentional?

[crynobone]

Authenticate is there to avoid issues with "User Menu" on AuthLayout, without the middleware Inertia wouldn't have access to currentUser props. It's a different requirement to Authorize with is the recommended way to authorize the Tool.

[bakerkretzmar]

@crynobone thanks, I appreciate the context but that doesn't address my question. The API routes registered by the tool are completely open to the public. If a tool does not use canSee because all users with Nova access should have access to the tool, the API routes will not be authenticated at all. Is that intentional?

[crynobone]

It is the current behavior and you are free to change it however you want.

[crynobone]

Furthermore, you can 100% use the inertia.php routes to handle everything without api.php just like any other "Inertia" SPA, which is not possible in Nova 3.

[thurti]

I've noticed the same thing today and I think the docs should be more clear about this behavior.

The docs also say that I should use the api.php routes for requests from within my Interia tool. So I thought, they are protected the same way like routes in interia.php.

You should not typically need to modify this middleware, as it automatically determines whether the authenticated user can "see" the tool before it processes any requests to routes within your tool's route group

My suggestions would be to add something like "All routes in api.php are public accessable by default."

[nikoo-eshratabadi]

I'm facing the same issue here. I want to access a nova custom tool before login. can you please tell me if you were successful?