Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[4.x] Don't log HTTP requests to Telescope endpoints #1127

Merged
merged 1 commit into from
Sep 16, 2021
Merged

[4.x] Don't log HTTP requests to Telescope endpoints #1127

merged 1 commit into from
Sep 16, 2021

Conversation

derekmd
Copy link
Contributor

@derekmd derekmd commented Sep 15, 2021
edited
Loading

Fixes #1126 introduced by #1124

Taylor rightly questioned why the domain check was an OR conditional as that ended up breaking Telescope's behavior using the out-of-the-box config:

return [
    'domain' => env('TELESCOPE_DOMAIN', null),
    'path' => env('TELESCOPE_PATH', 'telescope'), // e.g., https://example.com/telescope
    // ...
];

With Telescope's default config('telescope.domain') === null, the new method requestIsToApprovedDomain() was always returning true. This skips requestIsToApprovedUri() and permits every path to be logged. Telescope database entries are being inserted for /telescope/requests, /telescope/batches, etc. while also ignoring config('telescope.only_paths').

Instead make changes that allow the below config to be used, which the pull request originally intended to fix:

return [
    'domain' => 'https://telescope.example.com',
    'path' => null,
    // ...
];

  1. requestIsToApprovedDomain() must check config('telescope.domain') contains a value for Telescope route registration. A request is approved for logging when Telescope's domain configuration is empty or its filled value is different from the current request meaning it's an app request (and not a Telescope admin request.)

    The issue with [4.x] Fix telescope.domain usage. #1124 was its fallback default value of config('telescope.domain', $request->getHost()) only gets used when 'domain' array key doesn't exist. config/telescope.php assigns that key the value null and fallback $request->getHost() was never returned.

  2. requestIsToApprovedUri() will ignore config('telescope.path') === null for custom domains since conditional ! $request->is('*') would ignore all paths and nothing is ever logged.

  3. When requestIsToApprovedDomain() returns true, config('telescope.only_paths') must also be checked. So that pull request should have introduced an AND conditional. The fixes in bullet points 1 & 2 allow requestIsToApprovedDomain() && requestIsToApprovedUri() to be used.

I wouldn't mind adding some integration and/or unit tests for this but any Laravel app code skipped by ! $app->runningInConsole() (like protected method handlingApprovedRequest()) is untestable with PHPUnit unless the code is restructured to make that mockable.

@derekmd
Don't log HTTP requests to Telescope endpoints
ef0af6c 
v4.6.3 started logging database entries for /telescope/requests, etc.
due to the config('telescope.domain') checks introduced by
95631f9

1. For the base configuration Telescope installs by default,
   `null !== $request->getHost()` so requestIsToApprovedDomain() is
   always returning true. requestIsToApprovedUri() is never checked and
   config('telescope.only_paths') is ignored. This new method should
   only consider a custom Telescope domain being configured. Return
   true if nothing is configured as the URI will be checked instead.
2. Exclude `config('telescope.path') === null` when another domain is
   being used since `! $request->is('*')` would stop any path from being
   logged. Last week's commit was intended to fix this problem.
3. config('telescope.only_paths') must also be checked even when
   requestIsToApprovedDomain() is true. handlingApprovedRequest() must
   be checking both domain _and_ URI.
@frostfire64
Copy link

frostfire64 commented Sep 16, 2021
edited
Loading

I wasted half a day working on this exact issue in a project I'm working on. I think this merge request should me merged ASAP because it can break the behavior of Telescope config for any user working with it that updates the package.

I can confirm that it broke the default and documented behavior of telescope. Which generated major confusion for me since it was a clean install of telescope done yesterday.

Downgrade to previous version did fix the issue.

@taylorotwell taylorotwell merged commit e39423d into laravel:4.x Sep 16, 2021
@derekmd derekmd deleted the dont-log-requests-to-telescope-endpoints branch September 16, 2021 23:11
@frostfire64
Copy link

frostfire64 commented Sep 20, 2021
edited
Loading

I tested this on the newest release(4.6.4), the issue is solved. Thanks for swift action 💪

@EldonYoder
Copy link

Working great for me as well... thanks guys!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

telescope_entries table queries are shown in Query Watcher
4 participants
@derekmd @frostfire64 @EldonYoder @taylorotwell