From c7634e904b5711deb44ab23d00ff7ab92c9b10c6 Mon Sep 17 00:00:00 2001 From: David Hein Date: Mon, 16 Feb 2026 11:15:11 +0100 Subject: [PATCH 1/2] Embed route must be skipped, otherwise it will not work with sessions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Laurin Stapf <72888948+LaurinStapf@users.noreply.github.com> Co-authored-by: J. Glück <65236355+JGlueck-WIKA@users.noreply.github.com> --- routes/api.php | 4 ++-- src/Http/Middlewares/IgnoreForWireExtender.php | 7 ++++++- src/WireExtender.php | 5 +++++ 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/routes/api.php b/routes/api.php index c315976..554aff9 100644 --- a/routes/api.php +++ b/routes/api.php @@ -1,6 +1,6 @@ name('wire-extender.embed'); diff --git a/src/Http/Middlewares/IgnoreForWireExtender.php b/src/Http/Middlewares/IgnoreForWireExtender.php index 0a612b2..a554c77 100644 --- a/src/Http/Middlewares/IgnoreForWireExtender.php +++ b/src/Http/Middlewares/IgnoreForWireExtender.php @@ -19,6 +19,11 @@ trait IgnoreForWireExtender */ public function handle($request, Closure $next) { + // Embed route must be skipped, otherwise it will not work with sessions + if ($request->getRequestUri() === WireExtender::getEmbedUri()) { + return $next($request); + } + // We only care about requests from an embedded component if (! $this->isLivewireUpdateRequest($request)) { return parent::handle($request, $next); @@ -41,7 +46,7 @@ public function handle($request, Closure $next) private function isLivewireUpdateRequest($request): bool { return $request->method() === 'POST' && - app(LivewireManager::class)->getUpdateUri() === $request->getRequestUri() && + $request->getRequestUri() === app(LivewireManager::class)->getUpdateUri() && $request->hasHeader('X-Wire-Extender') && $request->hasHeader('X-Livewire'); } diff --git a/src/WireExtender.php b/src/WireExtender.php index 449f836..374a2be 100644 --- a/src/WireExtender.php +++ b/src/WireExtender.php @@ -9,6 +9,11 @@ class WireExtender { + public static function getEmbedUri(): string + { + return route('wire-extender.embed', absolute: false); + } + public static function isEmbeddable($component): bool { try { From 6be58f986e1d5d904913d6b2f446672850baa424 Mon Sep 17 00:00:00 2001 From: David Hein Date: Mon, 16 Feb 2026 12:01:59 +0100 Subject: [PATCH 2/2] Using `$request->routeIs` for a more secure route comparison Co-authored-by: Laurin Stapf <72888948+LaurinStapf@users.noreply.github.com> --- src/Http/Middlewares/IgnoreForWireExtender.php | 2 +- src/WireExtender.php | 5 ----- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/src/Http/Middlewares/IgnoreForWireExtender.php b/src/Http/Middlewares/IgnoreForWireExtender.php index a554c77..a3946f9 100644 --- a/src/Http/Middlewares/IgnoreForWireExtender.php +++ b/src/Http/Middlewares/IgnoreForWireExtender.php @@ -20,7 +20,7 @@ trait IgnoreForWireExtender public function handle($request, Closure $next) { // Embed route must be skipped, otherwise it will not work with sessions - if ($request->getRequestUri() === WireExtender::getEmbedUri()) { + if ($request->routeIs('wire-extender.embed')) { return $next($request); } diff --git a/src/WireExtender.php b/src/WireExtender.php index 374a2be..449f836 100644 --- a/src/WireExtender.php +++ b/src/WireExtender.php @@ -9,11 +9,6 @@ class WireExtender { - public static function getEmbedUri(): string - { - return route('wire-extender.embed', absolute: false); - } - public static function isEmbeddable($component): bool { try {