fix: drop URL::forceRootUrl (Livewire/CSRF break on tenant subdomains)

forceRootUrl forces ALL generated URLs to APP_URL (service.mir.md).
On psauto.service.mir.md, Livewire-generated POST URLs targeted
service.mir.md instead of psauto, so CSRF/session cookies didn't
match → silent auth failure.

Keep forceScheme('https') so Cloudflare → Traefik → Octane proxy
chain doesn't generate http:// links, but let Laravel use the
actual request host for everything else.

Also: TextInput->lowercase() removed (not in Filament v5);
slug uses dehydrateStateUsing(strtolower) + visual CSS lowercase.
2026-05-06 18:13:47 +00:00
parent 721c57ff97
commit 1a33bc9692
2 changed files with 4 additions and 2 deletions
@@ -34,9 +34,10 @@ class CompanyResource extends Resource
Forms\Components\TextInput::make('slug') Forms\Components\TextInput::make('slug')
->required() ->required()
->alphaDash() ->alphaDash()
->lowercase()
->maxLength(30) ->maxLength(30)
->unique(ignoreRecord: true) ->unique(ignoreRecord: true)
->dehydrateStateUsing(fn ($state) => strtolower((string) $state))
->extraInputAttributes(['style' => 'text-transform: lowercase'])
->helperText('Subdomeniul: <slug>.service.mir.md'), ->helperText('Subdomeniul: <slug>.service.mir.md'),
Forms\Components\TextInput::make('name')->required()->maxLength(120), Forms\Components\TextInput::make('name')->required()->maxLength(120),
Forms\Components\TextInput::make('display_name')->maxLength(120), Forms\Components\TextInput::make('display_name')->maxLength(120),
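Review bot: The lowercasing in dehydrateStateUsing(fn ($state) => strtolower((string) $state)) only runs when the state is dehydrated for saving, so alphaDash() and unique(ignoreRecord: true) are evaluated against the value as typed, assuming validation runs before dehydration as it normally does in Filament forms. On a case-sensitive column, "PSAuto" would pass the unique check while "psauto" already exists, and the lowercased value then either fails at insert time or, if there is no unique index in the database, leaves two companies mapped to the same subdomain. The text-transform: lowercase style hides this, because the field looks lowercase while the submitted state is not. Consider normalising the state before validation, or rejecting uppercase outright with a rule such as ->regex('/^[a-z0-9-]+$/'), which would also exclude the underscores that alphaDash() permits and that are not valid in a hostname label like <slug>.service.mir.md.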
+2 -1
@@ -16,9 +16,10 @@ class AppServiceProvider extends ServiceProvider
public function boot(): void public function boot(): void
{ {
// Behind a TLS-terminating proxy (Cloudflare → Coolify Traefik → Octane). // Behind a TLS-terminating proxy (Cloudflare → Coolify Traefik → Octane).
// Force https on URL generation, but DON'T force root URL — each tenant
// subdomain must keep its own host so Livewire/CSRF work per-tenant.
if (! $this->app->runningInConsole() && (str_starts_with(config('app.url'), 'https://') || env('FORCE_HTTPS'))) { if (! $this->app->runningInConsole() && (str_starts_with(config('app.url'), 'https://') || env('FORCE_HTTPS'))) {
URL::forceScheme('https'); URL::forceScheme('https');
URL::forceRootUrl(config('app.url'));
} }
} }
} }
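Review bot: Nothing in boot() now bounds the host that ends up in generated URLs: with only URL::forceScheme('https') left, links, redirects and Livewire endpoints follow whatever Host the request carries through the Cloudflare → Traefik → Octane chain. Please confirm, and note in the code comment, that accepted hosts are restricted to service.mir.md and its tenant subdomains (for example through Laravel's trusted-hosts middleware or the proxy's routing rules), so that an unexpected Host header cannot end up in password-reset or other emailed links. Separately, env('FORCE_HTTPS') in the condition returns null once the configuration is cached; reading the flag through a config key would keep it working after config:cache.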