fix: drop URL::forceRootUrl (Livewire/CSRF break on tenant subdomains)

forceRootUrl forces ALL generated URLs to APP_URL (service.mir.md).
On psauto.service.mir.md, Livewire-generated POST URLs targeted
service.mir.md instead of psauto, so CSRF/session cookies didn't
match → silent auth failure.

Keep forceScheme('https') so Cloudflare → Traefik → Octane proxy
chain doesn't generate http:// links, but let Laravel use the
actual request host for everything else.

Also: TextInput->lowercase() removed (not in Filament v5);
slug uses dehydrateStateUsing(strtolower) + visual CSS lowercase.
This commit is contained in:
2026-05-06 18:13:47 +00:00
parent 721c57ff97
commit 1a33bc9692
2 changed files with 4 additions and 2 deletions
+2 -1
View File
@@ -16,9 +16,10 @@ class AppServiceProvider extends ServiceProvider
public function boot(): void
{
// Behind a TLS-terminating proxy (Cloudflare → Coolify Traefik → Octane).
// Force https on URL generation, but DON'T force root URL — each tenant
// subdomain must keep its own host so Livewire/CSRF work per-tenant.
if (! $this->app->runningInConsole() && (str_starts_with(config('app.url'), 'https://') || env('FORCE_HTTPS'))) {
URL::forceScheme('https');
URL::forceRootUrl(config('app.url'));
}
}
}