From 1a33bc96926a8e3cca55f64bdc925c96c8a6774c Mon Sep 17 00:00:00 2001
From: Vasyka
Date: Wed, 6 May 2026 18:13:47 +0000
Subject: [PATCH] fix: drop URL::forceRootUrl (Livewire/CSRF break on tenant subdomains)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
forceRootUrl forces ALL generated URLs to APP_URL (service.mir.md). On psauto.service.mir.md, Livewire-generated POST URLs targeted service.mir.md instead of psauto, so CSRF/session cookies didn't match → silent auth failure. Keep forceScheme('https') so Cloudflare → Traefik → Octane proxy chain doesn't generate http:// links, but let Laravel use the actual request host for everything else. Also: TextInput->lowercase() removed (not in Filament v5); slug uses dehydrateStateUsing(strtolower) + visual CSS lowercase.
---
 app/Filament/Central/Resources/CompanyResource.php | 3 ++-
 app/Providers/AppServiceProvider.php | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/app/Filament/Central/Resources/CompanyResource.php b/app/Filament/Central/Resources/CompanyResource.php
index a48a3a4..ab35edd 100644
--- a/app/Filament/Central/Resources/CompanyResource.php
+++ b/app/Filament/Central/Resources/CompanyResource.php
@@ -34,9 +34,10 @@ class CompanyResource extends Resource
 Forms\Components\TextInput::make('slug')
 ->required()
 ->alphaDash()
- ->lowercase()
 ->maxLength(30)
 ->unique(ignoreRecord: true)
+ ->dehydrateStateUsing(fn ($state) => strtolower((string) $state))
+ ->extraInputAttributes(['style' => 'text-transform: lowercase'])
 ->helperText('Subdomeniul: .service.mir.md'),
 Forms\Components\TextInput::make('name')->required()->maxLength(120),
 Forms\Components\TextInput::make('display_name')->maxLength(120),
diff --git a/app/Providers/AppServiceProvider.php b/app/Providers/AppServiceProvider.php
index a80bbf8..39a2ad2 100644
--- a/app/Providers/AppServiceProvider.php
+++ b/app/Providers/AppServiceProvider.php
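Review bot: The slug is lowercased only at dehydration, so `->unique(ignoreRecord: true)` (and `alphaDash`) appear to validate the value as typed, not the value that is stored. Because the slug becomes the tenant subdomain, a mixed-case entry such as `PSAuto` could pass the uniqueness rule on a case-sensitive column and then be saved as an already-taken `psauto`; the CSS `text-transform` hides the difference from the operator. Normalise before validation as well, for example `->mutateStateForValidationUsing(fn ($state) => strtolower((string) $state))` if this Filament version provides it, and back it with a unique index on the lowercased column. Note also that `alphaDash` accepts underscores and non-ASCII letters, which `strtolower` does not fold and which are not valid host labels; an explicit `->regex('/^[a-z0-9-]+$/')` would pin the allowed alphabet. The enclosing form schema starts and ends outside the hunk.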
@@ -16,9 +16,10 @@ class AppServiceProvider extends ServiceProvider
 public function boot(): void
 {
 // Behind a TLS-terminating proxy (Cloudflare → Coolify Traefik → Octane).
+ // Force https on URL generation, but DON'T force root URL — each tenant
+ // subdomain must keep its own host so Livewire/CSRF work per-tenant.
 if (! $this->app->runningInConsole() && (str_starts_with(config('app.url'), 'https://') || env('FORCE_HTTPS'))) {
 URL::forceScheme('https');
- URL::forceRootUrl(config('app.url'));
 }
 }
 }
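Review bot: With `URL::forceRootUrl` removed from `boot()`, every generated absolute URL now takes its host from the incoming request, so the Host / X-Forwarded-Host value becomes security-relevant. Nothing in this hunk shows that the accepted hosts are restricted; if they are not, a forged host header could end up in password-reset links, signed URLs or redirects. The new comment should state that dependency, e.g. `// Host comes from the request: TrustHosts must allow only *.service.mir.md and TrustProxies only the Cloudflare/Traefik chain.` It is worth confirming that both are configured before this ships.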