JurianArie/unauthorised-laravel-endpoints
Detecting unauthorized routes

It's easy to forget authorization. This package is here to help you out!

Installation

You can install the package via composer:

composer require jurianarie/unauthorised-laravel-endpoints --dev

You can publish the config file with:

php artisan vendor:publish --tag="unauthorized-detection"

How it works

This package looks through all routes defined in your application and tries to find authorization checks.

There are a few built-in checks:

  • Authorization via middleware
  • Authorization via FormRequests
  • Authorization via source code (This has some limitations.)

Usage

php artisan unauthorised-endpoints:detect

Or exclude vendor routes:

php artisan unauthorised-endpoints:detect --except-vendor

Tip: the same arguments are available as with route:list

Configuration

Specify authentication middleware

By default, only the auth middleware is checked: a route is inspected only if it carries one of the listed authentication middleware, and routes without it are ignored.

'authentication-middleware' => [
    'auth:api', // Only check api.
],

Specify authorization middleware

Here you can specify the middleware that is used to authorize the routes.

'authorization-middleware' => [
    'your-custom-middleware',
],
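The three built-in checks side by side, as an added example that is not the package's own code. It is a multi-file illustration (file boundaries are marked in comments): a config excerpt, a routes file, a FormRequest and a controller, all constructed for this README. It assumes Laravel's `can` middleware is listed under 'authorization-middleware' and that the FormRequest check looks for an authorize() method; the page states neither default, and the Post model and its exportPath() method are placeholders.

```php
// config/unauthorized-detection.php (excerpt) -------------------------------
// Assumption: Laravel's `can` middleware is registered here so that
// `can:update,post` on a route counts as authorization via middleware.
'authentication-middleware' => ['auth'],
'authorization-middleware'  => ['can'],

// routes/web.php ------------------------------------------------------------
use App\Http\Controllers\PostController;
use Illuminate\Support\Facades\Route;

Route::middleware('auth')->group(function () {
    // 1. Authorization via middleware: the policy runs before the controller.
    Route::put('/posts/{post}', [PostController::class, 'update'])
        ->middleware('can:update,post');

    // 2. Authorization via FormRequest (see StorePostRequest::authorize below).
    Route::post('/posts', [PostController::class, 'store']);

    // 3. Authorization via source code: destroy() calls $this->authorize(),
    //    which the default 'authorization-methods' regex matches.
    Route::delete('/posts/{post}', [PostController::class, 'destroy']);

    // Authenticated, but with no detectable authorization: this is the route
    // `php artisan unauthorised-endpoints:detect` is meant to surface.
    Route::get('/posts/{post}/export', [PostController::class, 'export']);
});

// app/Http/Requests/StorePostRequest.php ------------------------------------
use App\Models\Post;
use Illuminate\Foundation\Http\FormRequest;

class StorePostRequest extends FormRequest
{
    // Assumption: the FormRequest check treats this method as the
    // authorization point. Returning false makes Laravel respond with 403.
    public function authorize(): bool
    {
        return $this->user()->can('create', Post::class);
    }

    public function rules(): array
    {
        return ['title' => ['required', 'string', 'max:255']];
    }
}

// app/Http/Controllers/PostController.php -----------------------------------
use App\Http\Requests\StorePostRequest;
use App\Models\Post;

class PostController extends Controller
{
    public function update(Post $post)
    {
        // The policy already ran in the `can:update,post` middleware.
    }

    public function store(StorePostRequest $request)
    {
        return Post::create($request->validated());
    }

    public function destroy(Post $post)
    {
        $this->authorize('delete', $post); // matched by the default regex
        $post->delete();

        return response()->noContent();
    }

    public function export(Post $post)
    {
        // No authorization at all: any authenticated user can export any post.
        return response()->download($post->exportPath());
    }
}
```

With this layout the first three routes pass one check each and only /posts/{post}/export is reported; moving `$this->authorize()` out of destroy() into a helper called further down the call stack would make that route show up as well, which is the limitation described under "Limitations".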

Specify authorization methods

Authorization calls in source code are found with regular expressions; you can add your own to this list.

'authorization-methods' => [
    '/\$this->authorize\(\'(.*)\\)/',
    '/Gate::authorize\(\'(.*)\\)/',
],

Ignoring routes

You can ignore routes the same way as with Request::is() and Request::routeIs() https://laravel.com/docs/9.x/requests#inspecting-the-request-path.

Adding custom detection

You can add custom detection by adding a class that implements \JurianArie\UnauthorisedDetection\Detectors\DetectsAuthorization to the 'authorization-detectors' array in your config.

Limitations

You might get false positives if your authorization has to be detected in your source code, for example when:

  • Your action doesn't have any source code.
  • Your authorization happens further down in the call stack.
  • Your authorization uses structures such as abort_if($user->cannot(...), ...) or if ($user->cannot(...)) {...}
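To make the source-code limitation concrete, here is an added stand-alone script that is not the package's scanner (the README does not describe its internals). It runs the default 'authorization-methods' patterns from the configuration section over constructed method bodies, then adds two extra patterns for the abort_if and if ($user->cannot(...)) forms listed above. The extra patterns and the sample method bodies are constructed for this example, not package defaults.

```php
<?php
// Added example: simulate regex-based source-code detection with the README's
// default patterns, then with two extra patterns for the listed blind spots.

// The two default patterns exactly as shown in the configuration section.
$authorizationMethods = [
    '/\$this->authorize\(\'(.*)\\)/',
    '/Gate::authorize\(\'(.*)\\)/',
];

// Constructed method bodies, one per detection case.
$actions = [
    'authorize helper' => '$this->authorize(\'update\', $post);',
    'gate facade'      => 'Gate::authorize(\'delete\', $post);',
    'abort_if cannot'  => 'abort_if($user->cannot(\'update\', $post), 403);',
    'if cannot'        => "if (\$user->cannot('update', \$post)) {\n    abort(403);\n}",
    'no check'         => 'return response()->download($post->exportPath());',
];

// True as soon as any pattern matches anywhere in the source.
function detectsAuthorization(string $source, array $patterns): bool
{
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $source) === 1) {
            return true;
        }
    }

    return false;
}

// Suggested additions (assumption, not package behaviour) covering the
// abort_if(...->cannot(...)) and if (...->cannot(...)) forms.
$extended = array_merge($authorizationMethods, [
    '/abort_if\(\$[A-Za-z_]\w*->cannot\(/',
    '/if \(\$[A-Za-z_]\w*->cannot\(/',
]);

printf("%-18s %-8s %s\n", 'action', 'default', 'extended');
foreach ($actions as $label => $source) {
    printf(
        "%-18s %-8s %s\n",
        $label,
        detectsAuthorization($source, $authorizationMethods) ? 'found' : 'missed',
        detectsAuthorization($source, $extended) ? 'found' : 'missed'
    );
}
```

Run it with `php detect-demo.php`. The default patterns find the first two bodies and miss the abort_if and if forms, which the extended list picks up; the body with no check is missed by both, as it should be. A regex only proves that a call is present somewhere in the method, not that it executes on every path, so treat a miss as a prompt to review the route and a match as a prompt to read the surrounding branch logic rather than as proof that the route is authorized.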

License

The MIT License (MIT). Please see License File for more information.
